Summary : Arbitrary code execution
through rogue VLC plugins in the current directory
Date : May 2008
Affected versions : VLC media player 0.8.6f and earlier
ID : VideoLAN-SA-0805
CVE reference : CVE-2008-2147
Details
When initializing its plugins cache, VLC will look for dynamically loadable
plugins in the modules/ and plugins/ subdirectories
from the current working directory.
VLC will then jump to the versioned vlc_entry__x_y_z symbol if present,
and execute code with user privileges.
Impact
If successful, a malicious local user may obtain the privileges of another
user on the system (local privilege escalation).
A malicious third party could also trick a user into executing harmful code
from an untrusted media.
Threat mitigation
Exploitation of this issue requires the user to start VLC (or a program
using LibVLC) while the current working directory is under the control of the
attacker.
Therefore, this attack is only likely to succeed on multi-user systems.
This issue is only present on platforms where VLC uses installation paths
set at build-time, such as Linux, BSD and Sun Solaris.
This issue does not affect VLC running on Windows, Windows CE,
Mac OS X or BeOS.
Workarounds
The user should not start VLC media player from directories with potentially
untrusted content, such as directories writeable by untrusted users.
Solution
VLC media player 0.8.6g addresses this issue.
Credits
This vulnerability was discovered internally by Rémi Denis-Courmont.
