VLC media player trips up on subtitles
The developers of the recently released version 0.8.6e of the open source VLC media player have already fixed several vulnerabilities that could be exploited to inject malicious code. A further bug has now been discovered in the software that allows attackers to inject and execute arbitrary code by means of a crafted subtitle file.
Source code for a generator that produces a crafted subtitle file to demonstrate the vulnerability is available on the milw0rm exploit archive. When a movie file (an AVI, for example) is opened, the media player automatically loads any SSA subtitle file found alongside it under the same name, and parsing the crafted file triggers a buffer overflow in the player's subtitle parser. The movie file itself need not be malicious; it merely causes the subtitle file to be loaded, and opening the subtitle file by hand has the same effect.
Under Windows XP Service Pack 2, the operating system's data execution prevention (DEP) stops the injected code from running, because the overflowed data lands in memory that is marked non-executable; the overflow itself still occurs, so the outcome is a crash rather than code execution. This only helps where DEP actually covers VLC: XP SP2's default "OptIn" policy applies hardware DEP to Windows system binaries only, and hardware DEP additionally requires an NX-capable processor. The vulnerability affects VLC media player versions 0.8.6c to the current version 0.8.6e. Until a fixed version is available, users should rename subtitle files for movies from untrusted sources so that the VLC media player does not open them automatically when playing the movie, or switch off automatic subtitle detection in VLC's preferences (the "Autodetect subtitle files" option, `--no-sub-autodetect-file` on the command line).
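As an added illustration (this is not VLC's code and not the milw0rm demonstrator), the C program below shows the bug class behind this kind of subtitle overflow: a line parser built on sscanf whose `%[^,]` conversions carry no width limit, so a crafted `Dialogue:` line simply writes past a fixed-size stack buffer. Next to it sits the bounded version, which rejects over-long fields instead of silently truncating them, and a small checker that counts the `Dialogue:` lines in a subtitle file that the bounded parser refuses. The field layout, the buffer sizes and the sample subtitle text are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define MARK_MAX 16   /* assumed size of the buffer for the first ("Marked=0") field */
#define TEXT_MAX 256  /* assumed size of the buffer for the rest of the line */

typedef struct {
    char marked[MARK_MAX];
    int  start_cs;    /* start time in centiseconds */
    int  end_cs;      /* end time in centiseconds */
    char text[TEXT_MAX];
} ssa_event;

/* SSA timestamps are h:mm:ss.cc; fold one into centiseconds. */
int ssa_to_cs(int h, int m, int s, int c)
{
    return ((h * 60 + m) * 60 + s) * 100 + c;
}

/* VULNERABLE pattern, shown for contrast only. "%[^,]" and "%[^\r\n]" carry
 * no width, so sscanf copies as many bytes as the line supplies into the
 * 16- and 256-byte stack buffers; a crafted Dialogue line longer than that
 * overwrites whatever lies above them on the stack. Never call this on
 * untrusted input. */
int ssa_parse_dialogue_unsafe(const char *line, ssa_event *ev)
{
    char marked[MARK_MAX], text[TEXT_MAX];
    int h1, m1, s1, c1, h2, m2, s2, c2;

    if (sscanf(line, "Dialogue: %[^,],%d:%d:%d.%d,%d:%d:%d.%d,%[^\r\n]",
               marked, &h1, &m1, &s1, &c1, &h2, &m2, &s2, &c2, text) != 10)
        return -1;
    ev->start_cs = ssa_to_cs(h1, m1, s1, c1);
    ev->end_cs   = ssa_to_cs(h2, m2, s2, c2);
    strcpy(ev->marked, marked);   /* the damage has already been done above */
    strcpy(ev->text, text);
    return 0;
}

/* Bounded version. Each %[ conversion has a width one less than its buffer
 * so the terminating NUL always fits. An over-long first field stops the scan
 * mid-field, the literal ',' then fails to match and the line is rejected
 * rather than truncated; %n plus the trailing-character check does the same
 * for the last field. */
int ssa_parse_dialogue(const char *line, ssa_event *ev)
{
    char marked[MARK_MAX], text[TEXT_MAX];
    int h1, m1, s1, c1, h2, m2, s2, c2, n = -1;

    if (sscanf(line, "Dialogue: %15[^,\r\n],%d:%d:%d.%d,%d:%d:%d.%d,%255[^\r\n]%n",
               marked, &h1, &m1, &s1, &c1, &h2, &m2, &s2, &c2, text, &n) != 10)
        return -1;
    if (n < 0 || (line[n] != '\0' && line[n] != '\r' && line[n] != '\n'))
        return -1;                              /* text field longer than 255 bytes */
    if (h1 < 0 || m1 < 0 || m1 > 59 || s1 < 0 || s1 > 59 || c1 < 0 || c1 > 99 ||
        h2 < 0 || m2 < 0 || m2 > 59 || s2 < 0 || s2 > 59 || c2 < 0 || c2 > 99)
        return -1;                              /* nonsense timestamp */
    ev->start_cs = ssa_to_cs(h1, m1, s1, c1);
    ev->end_cs   = ssa_to_cs(h2, m2, s2, c2);
    if (ev->end_cs < ev->start_cs)
        return -1;
    strcpy(ev->marked, marked);                 /* both fit: bounded by the widths above */
    strcpy(ev->text, text);
    return 0;
}

/* Start time of a single Dialogue line in centiseconds, or -1 if the bounded
 * parser rejects it. */
int ssa_line_start_cs(const char *line)
{
    ssa_event ev;
    return ssa_parse_dialogue(line, &ev) == 0 ? ev.start_cs : -1;
}

/* Walk a subtitle file held in memory and count the Dialogue lines the bounded
 * parser refuses. A non-zero result marks a file not to feed to an unpatched
 * player. Lines that do not start with "Dialogue:" are skipped. */
int ssa_count_bad_dialogue(const char *buf)
{
    int bad = 0;
    const char *p = buf;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 9 && strncmp(p, "Dialogue:", 9) == 0) {
            ssa_event ev;
            if (ssa_parse_dialogue(p, &ev) != 0)
                bad++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return bad;
}

/* Constructed sample: one well-formed event and one whose first field is far
 * longer than the 16-byte buffer the unsafe parser would write it into. */
const char SAMPLE_SSA[] =
    "[Events]\n"
    "Format: Marked, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text\n"
    "Dialogue: Marked=0,0:00:01.00,0:00:04.50,Default,,0000,0000,0000,,Hello\n"
    "Dialogue: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,0:00:05.00,0:00:06.00,Default,,0,0,0,,overlong\n";

int main(void)
{
    ssa_event ev;
    if (ssa_parse_dialogue("Dialogue: Marked=0,0:00:01.00,0:00:04.50,Default,,0,0,0,,Hello", &ev) == 0)
        printf("ok: %s %d..%d \"%s\"\n", ev.marked, ev.start_cs, ev.end_cs, ev.text);
    printf("rejected Dialogue lines in sample: %d\n", ssa_count_bad_dialogue(SAMPLE_SSA));
    return 0;
}
```

The point of the bounded variant is not only the width on each conversion but the rejection that follows: a field that does not fit is treated as a malformed line, so an over-long field can never be half-read and then acted upon. The checker applies the same rule to a whole file, which is a quicker way of vetting subtitles from an untrusted source than renaming them.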
- Subtitle parsing local buffer overflow exploit, vulnerability demonstrator on milw0rm