VLC Media Player Allows Desktop Takeover Via Malicious Video Files

vlc remote takeover bug

VideoLAN has released an updated version of its VLC Player to fix over a dozen bugs.

Two high-risk vulnerabilities in the VLC media player could allow an adversary to craft a malicious .MKV video file that could be used in an attack to gain control of the victim’s PC. The flaws were made public Monday by the developer of the open-source VLC media player, VideoLAN project, who also made patches available to mitigate the issues.

In total, 15 VLC bugs were made public. In addition to the two high-risk bugs, five were rated medium, three low and others remain unrated. Eleven of the flaws were found by Antonio Morales, a researcher at the Semmle Security Team, which also posted a technical breakdown of the bugs.

Exploitation of any of the bugs would be straightforward, Morales wrote Threatpost in an email interview. “A hypothetical scenario: an attacker uploads the video file to a tracker Torrent using a filename of a trending TV series,” he wrote. “After this, a lot of users download the file via Torrent. The victims only need to open the video file to trigger the vulnerability. This scenario can be applied to all the vulnerabilities.”

Morales said the most troubling of the flaws is a buffer overflow bug (CVE-2019-14970) in the MKV demuxer – a component responsible for multiplexing digital and analog files. “This is an out-of-bounds (OOB) write (heap overflow) vulnerability that affects the .mkv file format,” Morales wrote.

The researcher also singled out a similar bug (CVE-2019-14438), which allows an attacker to gain access to a PC using a booby-trapped .MKV video file. MKV is technically a video container format, similar to the .AVI, .ASF, and .MOV formats.

“An attacker could execute code in VLC execution context. This means that an attacker could perform the same actions that the legitimate user can, but without the consent of the user and without user noticing it. In quite a number of cases, the attacker could take the control of the computer also,” Morales told Threatpost. “A user only needs to open the file to trigger the vulnerability (double-click is enough).”

VLC player medium-risk bugs (CVE-2019-14437, CVE-2019-14776, CVE-2019-14777, CVE-2019-14778, CVE-2019-14533) also could be abused an attacker scenario where content is maliciously planted for download.

Two additional security issues, with pending CVE IDs, were reported by Scott Bell from Pulse Security. Researcher Hyeon-Ju Lee is credited for identifying CVE-2019-13602. And Xinyu Liu is credited for finding CVE-2019-13962.

All bugs have been confirmed with VideoLAN project, Morales said. That’s in contrast to last month, when a German security agency reported that a critical vulnerability existed in VLC that it claimed could enable remote code-execution and other malicious actions. It turned out the media player in that instance was not vulnerable.

The new vulnerabilities impact VLC version 3.0.7.1. The current updated 3.0.8 version fixes those bugs. According to VideoLAN, the updates have not been pushed out to users; however, users can manually update their client by directly downloading the most recent version.

Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.

Suggested articles