← Advisories

ViPlay3 <= 3.00 (.vpl) Local Stack Overflow PoC

Medium

Advisory ID

ZSL-2009-4913

Release Date

08 May 2009

Vendor

URUWorks - http://www.urusoft.net

Affected Version

3.00

CVE

CVE-2009-1660

Tested On

Microsoft Windows XP Professional SP3 (English)

Summary

ViPlay3 is a freeware movie player designed to play the most popular movie types using overlaying technology for a faster and more efficient way of video playback.

Description

URUWorks ViPlay3 is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input (.vpl file). Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

Proof of Concept

viplay_poc.plTXT

Disclosure Timeline

N/A

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]http://packetstormsecurity.org/filedesc/viplay-overflow.txt.html

[2]http://www.securityfocus.com/bid/34877

[3]http://www.milw0rm.com/exploits/8644

[4]http://securityreason.com/exploitalert/6188

[5]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1660

[6]https://nvd.nist.gov/vuln/detail/CVE-2009-1660

[7]https://exchange.xforce.ibmcloud.com/vulnerabilities/50403

Changelog

08.05.2009Initial release

25.10.2021Added reference [5], [6] and [7]