VLC Media Player Allows Desktop Takeover Via Malicious Video Files


VideoLAN has released an updated version of its VLC Player to fix over a dozen bugs.

Two high-risk vulnerabilities in the VLC media player could allow an adversary to craft a malicious .MKV video file that could be used in an attack to gain control of the victim’s PC. The flaws were made public Monday by the developer of the open-source VLC media player, VideoLAN project, who also made patches available to mitigate the issues.

In total, 15 VLC bugs were made public. In addition to the two high-risk bugs, five were rated medium, three low and others remain unrated. Eleven of the flaws were found by Antonio Morales, a researcher at the Semmle Security Team, which also posted a technical breakdown of the bugs.

Exploitation of any of the bugs would be straightforward, Morales wrote Threatpost in an email interview. “A hypothetical scenario: an attacker uploads the video file to a tracker Torrent using a filename of a trending TV series,” he wrote. “After this, a lot of users download the file via Torrent. The victims only need to open the video file to trigger the vulnerability. This scenario can be applied to all the vulnerabilities.”

Morales said the most troubling of the flaws is a buffer overflow bug (CVE-2019-14970) in the MKV demuxer – the component that parses a container file and separates it into its individual audio and video streams. “This is an out-of-bounds (OOB) write (heap overflow) vulnerability that affects the .mkv file format,” Morales wrote.

The researcher also singled out a similar bug (CVE-2019-14438), which allows an attacker to gain access to a PC using a booby-trapped .MKV video file. MKV is technically a video container format, similar to the .AVI, .ASF, and .MOV formats.

“An attacker could execute code in VLC execution context. This means that an attacker could perform the same actions that the legitimate user can, but without the consent of the user and without the user noticing it. In quite a number of cases, the attacker could take the control of the computer also,” Morales told Threatpost. “A user only needs to open the file to trigger the vulnerability (double-click is enough).”

VLC player medium-risk bugs (CVE-2019-14437, CVE-2019-14776, CVE-2019-14777, CVE-2019-14778, CVE-2019-14533) also could be abused in an attack scenario where malicious content is planted for download.

Two additional security issues, with pending CVE IDs, were reported by Scott Bell from Pulse Security. Researcher Hyeon-Ju Lee is credited for identifying CVE-2019-13602. And Xinyu Liu is credited for finding CVE-2019-13962.

All bugs have been confirmed with VideoLAN project, Morales said. That’s in contrast to last month, when a German security agency reported that a critical vulnerability existed in VLC that it claimed could enable remote code-execution and other malicious actions. It turned out the media player in that instance was not vulnerable.

The new vulnerabilities impact VLC version 3.0.7.1. The current updated 3.0.8 version fixes those bugs. According to VideoLAN, the updates have not been pushed out to users; however, users can manually update their client by directly downloading the most recent version.



Discussion

  • Sejha on

    This was already checked out and reported on by the creators of vlc over two months ago. Your post is scaremongering bullshit over something that can't even be reproduced in a normal install of the program since the vulnerability came from a third party component and was patched out over a year before it even garnered attention. If you're going to share, at least do the bare minimum of research.
    • Tara Seals on

      Hi there -- actually this is a new issue. As Tom pointed out in the story, the bugs have been confirmed and patched by VLC.
    • Tara Seals on

      Please refer to this paragraph in the article: "All bugs have been confirmed with VideoLAN project, Morales said. That’s in contrast to last month, when a German security agency reported that a critical vulnerability existed in VLC that it claimed could enable remote code-execution and other malicious actions. It turned out the media player in that instance was not vulnerable."
  • Alasse on

    This information is almost a month old. And was almost immediately proven to be false. "About the "security issue" on #VLC : VLC is not vulnerable. tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim." https://twitter.com/videolan/status/1153963312981389312?s=19
    • Tara Seals on

      Hi there -- actually this is a new issue. As Tom pointed out in the story, the bugs have been confirmed and patched by VLC.
  • Brian on

    I will make sure to not read the article and assume that this is referring to an older issue that turned out to be false, and then call out your staff on this pretense and hope I look like the smart person!
  • Rob on

    Just updated my not vulnerable VLC. Two months old bugs reported by creators, patched ;)
  • Karnan on

    Is it possible to play the "infected" video safely by changing the container to a different one, say MP4, either by re-encoding or by simply changing it without re-encoding using ffmpeg?
  • Nayan on

    Media Player is the best media player. I have been using it for a long time. What do you think? Do you use???
