VideoLAN VLC Media Player MP4_BoxDumpStructure Buffer Overflow

2009-12-07T00:00:00
ID SAINT:731472269D78212E16FF0F7CDE071B5A
Type saint
Reporter SAINT Corporation
Modified 2009-12-07T00:00:00

Description

Added: 12/07/2009
BID: 36439
OSVDB: 58217

Background

VLC media player is a media player supporting various audio and video formats for multiple platforms.

Problem

A buffer overflow vulnerability exists in VideoLAN VLC media player due to an error when an overly deep box structure in ".mp4" files. A malicious user can exploit this vulnerability to execute arbitrary code by enticing a user to view a specially crafted file.

Resolution

Upgrade to VideoLAN VLC Media Player 1.0.2 or higher.

References

<http://www.securityfocus.com/bid/36439>

Limitations

Exploit works on Windows XP and Vista.
The VLC ActiveX control must be installed on the target.
The user must open the exploit page in Internet Explorer 6 or 7.

Platforms

Windows