Forum Thread: VLC Media Player Incorrect Calling Convention Stack Corruption Vu...

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Vulnerabilities

See the original Secunia advisory:
VLC Media Player Incorrect Calling Convention Stack Corruption Vulnerability

Secunia VLC Media Player Incorrect Calling Convention Stack Corruption Vulnerability
Secunia Official 17th Nov, 2010 23:59
Ranking: 0
Posts: 0
User Since: -
System Score: -
Location: Copenhagen, DK
A vulnerability has been reported in VLC Media Player, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the use of an incorrect calling convention when invoking the "WNetAddConnection2A()" Windows API function, which can be exploited to cause a stack corruption by e.g. tricking a user into opening a specially crafted "smb://" URL or accessing a specially crafted website.

Note: This only affects the Windows version.

The vulnerability is reported in versions prior to 1.1.5.

TheAncient RE: VLC Media Player Incorrect Calling Convention Stack Corruption Vulnerability
Member 17th Nov, 2010 23:59
Score: 0
Posts: 2
User Since: 4th Dec 2008
System Score: N/A
Location: CA
Last edited on 17th Nov, 2010 23:59
I just installed version 1.1.5 which is listed as solution in the article above.
Even after a full re-scan, PSI 2.0 beta still shows VLC player 1.x as "unpatched, no vendor solution" in the secure browsing area. PSI also shows that THIS security advisory (SA42244) is still applicable to version 1.1.5
Was this reply relevant?
+0
-0
Anthony Wells RE: VLC Media Player Incorrect Calling Convention Stack Corruption Vulnerability
Expert Contributor 18th Nov, 2010 11:37
Score: 2469
Posts: 3,357
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello .

My PSI Beta 2.0 is correctly showing the VLC 1.1.5 as still "insecure , no solution" for the Mozilla Plug-in vulnerability which is referenced as SA41810 .

Hope that is clear .

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+2
-0
Woulouf RE: VLC Media Player Incorrect Calling Convention Stack Corruption Vulnerability
Member 18th Nov, 2010 11:38
Score: 10
Posts: 13
User Since: 4th Nov 2009
System Score: 100%
Location: FR
on 17th Nov, 2010 23:59, TheAncient wrote:
I just installed version 1.1.5 which is listed as solution in the article above.
Even after a full re-scan, PSI 2.0 beta still shows VLC player 1.x as "unpatched, no vendor solution" in the secure browsing area. PSI also shows that THIS security advisory (SA42244) is still applicable to version 1.1.5


Yep, that's because the firefox plugin hole still remains unpatched.

http://secunia.com/advisories/41810/#comments

--
PSI 2.0 (attentive) user
----------------------------------
Well, it's just a damn hole-fixing-story ..... isn't it ?
Was this reply relevant?
+0
-0
theDRaKKaR RE: VLC Media Player Incorrect Calling Convention Stack Corruption Vulnerability
Member 29th Nov, 2010 06:51
Score: -2
Posts: 6
User Since: 5th Mar 2010
System Score: N/A
Location: IT
Last edited on 29th Nov, 2010 06:51
To me, the installation patched both exe and plugin.
Was this reply relevant?
+0
-0