CVE-2023-46814
Description
A binary hijacking vulnerability exists within the VideoLAN VLC media player before 3.0.19 on Windows. The uninstaller attempts to execute code with elevated privileges out of a standard user writable location. Standard users may use this to gain arbitrary code execution as SYSTEM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
VLC media player before 3.0.19 on Windows has a binary hijacking vulnerability in its uninstaller, allowing standard users to escalate to SYSTEM code execution.
Vulnerability
A binary hijacking vulnerability exists in the VideoLAN VLC media player before version 3.0.19 on Windows. The uninstaller component, built with NSIS, attempts to execute code with elevated privileges from a location that is writable by standard users. This insecure path loading allows an attacker to place a malicious binary in that location, which then gets executed by the uninstaller in a high-integrity context [1].
Exploitation
To exploit this vulnerability, an attacker must first have standard user access to a Windows system where VLC is installed (up to version 3.0.18). The attacker then needs to place a crafted executable into the world-writable location that the uninstaller will access. Finally, the legitimate user (or an automated process) must explicitly uninstall VLC using the provided uninstaller, triggering the execution of the attacker's binary [1].
Impact
If the exploit is successful, the attacker's malicious binary is executed with SYSTEM privileges. This can lead to a full compromise of the affected Windows system, including arbitrary code execution, data exfiltration, or further lateral movement within a network [1].
Mitigation
VLC media player version 3.0.19 fixes the vulnerability. Users should upgrade to this version or later. As a workaround, keeping VLC installed (i.e., not uninstalling) until the update is applied prevents exploitation. No workaround for the uninstaller itself exists. The vulnerability is not known to have been exploited in the wild [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), version range: <3.0.19
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1
News mentions
1
- ABB Ability Camera Connect (CISA ICS Advisories)