
Remote Code Execution Vulnerability in VLC - Detection & Remediation with OPSWAT

by OPSWAT

Author: Thuong Truong Hoai, Software Engineer, OPSWAT

Introduction

VideoLAN VLC Media Player 2.2.x is prone to a Use-After-Free vulnerability, which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely cause VLC to crash.

Use-After-Free is a memory corruption flaw that is triggered when a program references memory after it has been freed. This can cause a program to crash, use unexpected values or execute arbitrary code. A hacker can potentially leverage this vulnerability to execute shellcode or even achieve remote code execution capability [1].

This vulnerability is tracked as CVE-2018-11529. It has not been listed in VLC's security advisories, but other vendors have detected it.

More information about this vulnerability is available at https://metadefender.opswat.com/vulnerabilities#!/CVE-2018-11529.

Potential Effect

With this vulnerability, the attacker can execute any command on their victim’s machine: shut it down, take a screenshot, read/delete/modify confidential data, run a program, view through the webcam, inject viruses, open a back door to use later. In other words, the attacker can do anything on the victim’s machine as if the attacker were the victim themselves.

The attacker can also use this kind of privilege to launch additional attacks, such as, but not limited to:

  • Executing ransomware on the victim’s data and demanding a ransom from the victim. Even if the victim pays, not all data may be decrypted, and the victim must accept the risk of losing the data forever.
  • Attacking other machines on the local network. Once a machine is compromised, other machines on the local network are also at risk.
  • Distributing malware to people on the victim’s contact list.
  • Creating a botnet to use to perform DDoS attacks on servers on the Internet.

How OPSWAT detects the remote code execution vulnerability in VLC

Anyone can analyze a VLC installer by uploading it to MetaDefender Cloud. MetaDefender will use OPSWAT File-Based Vulnerability Detection technology to provide you with critical insight into the vulnerabilities it might introduce into your network. Click the links below to see examples where MetaDefender Cloud detected this vulnerability after analyzing VLC 2.2.8.

For Critical Infrastructure, OPSWAT MetaDefender KIOSK detects vulnerabilities in VLC 2.2.8, as in the following example:


Besides detecting vulnerabilities in VLC installers, OPSWAT technology can also monitor all endpoints in an organization for installed VLC software that has this vulnerability. Our MetaDefender Access platform monitors each application on each endpoint and detects vulnerable VLC software. For example:

How to exploit?

The exploit code for this vulnerability can be found at https://www.exploit-db.com/exploits/45626 as a module for Rapid7's Metasploit Framework [2]. Here is how the author of the exploit module describes the vulnerability:

“This module exploits a use-after-free vulnerability in VideoLAN VLC. The vulnerability exists in the parsing of MKV files and affects both 32 bits and 64 bits. In order to exploit this, this module will generate two files: The first .mkv file contains the main vulnerability and heap spray, the second .mkv file is required in order to take the vulnerable code path and should be placed under the same directory as the .mkv file. This module has been tested against VLC v2.2.8. Tested with payloads windows/exec, windows/x64/exec, windows/shell/reverse_tcp, windows/x64/shell/reverse_tcp. Meterpreter payloads if used can cause the application to crash instead” [3].

Exploit demo:

  • Attacker machine: Kali Linux.
  • Victim machine: Windows 10 1903 x64 Pro with VLC x64 version 2.2.8 installed.
  • Network: Local Area Network.

Remediation

Users should update VLC to a version higher than 2.2.8, but it is generally recommended to update to the latest version to prevent other vulnerabilities as well.

Download the latest version at https://www.videolan.org/vlc/.
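
One way to apply the version guidance above to a software inventory, as an added example that is not OPSWAT's code or part of the original post. It assumes a hypothetical `host,product,version` CSV export, treats VLC 2.2.x up to and including 2.2.8 as affected (the range this page states), and runs over constructed sample rows.

```python
import re

# Range taken from this page: VLC 2.2.x is affected; update past 2.2.8.
AFFECTED_BRANCH = (2, 2)
LAST_AFFECTED = (2, 2, 8)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) from e.g. '2.2.8 Weatherwax', or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # unparseable: flag for manual review, never "ok"
    if v[:2] == AFFECTED_BRANCH and v <= LAST_AFFECTED:
        return "vulnerable"
    if v > LAST_AFFECTED:
        return "updated"
    return "out-of-scope"       # older than 2.2.x: this page makes no statement

def audit(inventory_lines):
    """Classify every VLC row of an assumed 'host,product,version' export."""
    findings = []
    for line in inventory_lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or "vlc" not in parts[1].lower():
            continue            # malformed row or a different product
        host, _, version = parts
        findings.append((host, version, classify(version)))
    return findings

# Constructed sample inventory (hosts and rows are made up for this example).
SAMPLE = [
    "ws-001,VLC media player,2.2.8",
    "ws-002,VLC media player,3.0.8 Vetinari",
    "ws-003,VLC media player,2.2.4 Weatherwax",
    "ws-004,7-Zip,19.00",
    "ws-005,VLC media player,unknown build",
    "ws-006,VLC media player,2.1.5",
]

if __name__ == "__main__":
    for host, version, status in audit(SAMPLE):
        print(f"{host:8} {version:20} {status}")
```

Rows classified as `unknown` or `out-of-scope` are reported rather than dropped, so an unparseable version string is never mistaken for a patched install.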

References

[1] "CWE-416: Use After Free," [Online].
[2] "Metasploit of Rapid7," [Online].
[3] "VLC Media Player - MKV Use-After-Free (Metasploit)," Exploit Database, [Online].
