VLC Media Player udp:// Format String Vulnerability (MoAB #2)
I'm not actually going to post about every MoAB release, it just seems like it since they've both been client-side exploits at this point. ;)
MoAB #2 has been released. As with #1, this is a cross-platform issue affecting Mac OS X and Windows. Video Lan Client (VLC), for those who don't know, is an open source media player which supports a lot of formats and a lot of platforms. It's actually my personal favorite for playing media on OS X, though I can't say I've ever used its network-based functionality, for which it is named.
There are actually a number of ways that this type of vulnerability could be exploited. The first is simply the user opening a udp:// URL from within the standalone client, or opening a file which contains a link to such a URL. The second is by having a browser configured to call VLC for udp:// URLs without actually using a browser plugin, and the third is by having a VLC browser plugin installed. There are probably some other scenarios that are eluding me right now too.
There does not seem to be a CVE for this issue at this point, and interestingly, going by a keyword search for "VLC" or "Video Lan Client" (with Google, as the CVE search doesn't seem to interpret quotes correctly), there do not seem to be any CVEs for VLC. Vulnerabilities have been found in libraries which it uses (for instance libavcodec or GnuTLS), but none for VLC itself. I wonder 1. if the flaw is actually in the code and not a library, and 2. if it is the former, if they realize how "auspicious" the find is? :) Of course I won't just idly wonder, I will look into it, since the details don't seem to say. KF provided me with the following link which shows that the flaw was in VLC code itself.
