Flaws allow hacking a system playing untrusted videos on VLC Player

Pierluigi Paganini June 22, 2019

Two vulnerabilities in VLC media player could allow remote attackers to take full control over a computer system while playing untrusted videos.

An attacker could remotely take full control over a computer system while playing untrusted videos with any version of VLC media player software prior to 3.0.7.

The hack is possible due to two high-risk security flaws (CVE-2019-5439, CVE-2019-12874) that could potentially lead to arbitrary code execution attacks. The company Videolan also addressed many other medium and low-severity security vulnerabilities in its software.

“A remote user can create some specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c), or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp) respectively” reads the security advisory published by the company. “If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.”

VLC is the most popular open-source media player software that is currently being used by hundreds of millions of users worldwide. The software is available for all major OS, including Windows, macOS, Linux, Google Android, and Apple iOS.

The CVE-2019-12874 is a high-severity double-free vulnerability that resides in “zlib_decompress_extra” function of VideoLAN VLC player. The flaw could be triggered when the software plays a malformed MKV file type within the Matroska demuxer.

The issue was reported by Symeon Paraschoudis from Pen Test Partners, he used the honggfuzz fuzzing tool to discover this issue and also discovered other four issues.

The CVE-2019-5439 high-severity flaw is a read-buffer overflow issue that resides in “ReadFrame” function and that can be triggered playing a malformed AVI video file.

“When parsing an invalid AVI file, a buffer overflow might occur.” “The ReadFrame function in the avi.c file uses a variable i_width_bytes, which is obtained directly from the file. It is a signed integer. It does not do a strict check before the memory operation(memmove, memcpy), which may cause a buffer overflow.” reads the description on HackersOne.

“If successful, a malicious third party could trigger an invalid memory access, leading to a crash of the process of the VLC media player. May cause remote code execution.”

Below a step by step procedure to trigger the flaw:

1.) Open vlc.exe with windbg
2.) F5 makes the program run
3 ) Drag poc files into vlc
4.) Monitor the crash from WinDBG

Summarizing, in order to exploit the flaw the attackers have to trick victims into playing with vulnerable versions of VLC a malicious MKV or AVI video file.

It is quite easy for hackers to spread malicious video files on torrent sites, mimicking as a pirated copy of movie or TV series.

VLC hack

The flaws could be mitigated by enabling ASLR and DEP protections on the system, anyway, they could be bypassed.

VideoLAN team also addressed 28 other vulnerabilities reported by other security researchers through EU-FOSSA bug bounty program.

Don’t waste time, update your media player software to VLC 3.0.7 or later versions. Don’t forget that it is a good habit to avoid opening or playing video files from untrusted sources.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – VLC, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment