October 27, 2016

Libmodplug Exposes VLC Media Player to Code Execution Vulnerability

SEC Consult has discovered a vulnerability in the libmodplug library which is used by media players such as VLC and Gstreamer. As a result the current binary versions of the VLC Media Player are susceptible on Windows and OS X.

As a result of the problem in libmodplug (v0.8.8.1 of libmodplug, which was the most recent version at the time of the discovery), Secunia has issued an advisory for VLC Media Player users. Due to a bug, the libmodplug library is prone to stack based buffer overflow attacks because of insufficient validation of user supplied data. An attacker is able to execute arbitrary code, with the user’s privileges, when opening malicious S3M media files.

The only way a hacker can launch this attack is by tricking a user into opening a specially crafted S3M file. Therefore, as a temporary workaround until an official fix of VLC is released, do not open untrusted *.S3M files.

For those who want to re-build VLC from source, an updated version of libmodplug is available here.