[MPlayer-announce] [SECURITY] remotely exploitable buffer overflow in the Real RTSP code found

Diego Biurrun diego at biurrun.de
Thu Apr 29 15:18:17 CEST 2004


________
Summary:
~~~~~~~~

Multiple vulnerabilities have been found and fixed in the Real-Time Streaming
Protocol (RTSP) client for RealNetworks servers, including a series of
potentially remotely exploitable buffer overflows. This is a joint advisory by
the MPlayer and xine teams as the code in question is common to these projects.
The xine team has assigned ID XSA-2004-3 to this security announcement.


_________
Severity:
~~~~~~~~~

High (arbitrary remote code execution under the user ID running the player)
when playing Real RTSP streams.
At this time, there is no known exploit for these vulnerabilities.


______________
Prerequisites:
~~~~~~~~~~~~~~

The players are only vulnerable when playing Real RTSP streams.
There is no risk if Real RTSP (realrtsp) streaming is not employed.


_________
Solution:
~~~~~~~~~

A fix was checked into MPlayer CVS on Sat, 24 Apr 2004 12:33:22 +0200 (CEST).
This fix is included in MPlayer 1.0pre4.  Users of affected MPlayer versions
should upgrade to MPlayer 1.0pre4 or later.

xine-lib fix was checked into CVS on Fri, Apr 23 21:59:04 2004 UTC. This fix
is included in xine-lib 1-rc4. Users of affected xine-lib versions should
upgrade to xine-lib 1-rc4 or later.
If this upgrade is not feasible for some reason, the vulnerable code
can be disabled by removing xine's RTSP input plugin, which is located at
$(xine-config --plugindir)/xineplug_inp_rtsp.so. If installed with default
paths, that is: /usr/local/lib/xine/plugins/1.0.0/xineplug_inp_rtsp.so
This workaround disables all RTSP streaming in xine, not only Real RTSP.


__________________
Affected versions:
~~~~~~~~~~~~~~~~~~

MPlayer 1.0pre1-pre3try2
xine-lib 1-beta1 to 1-rc3c


____________________
Unaffected versions:
~~~~~~~~~~~~~~~~~~~~

MPlayer 0.92.1 and below
MPlayer 1.0pre4 and above
MPlayer CVS HEAD
xine-lib 1-beta0 and below
xine-lib 1-rc4 and above
xine-lib CVS HEAD


_________________________
History / Attack Vectors:
~~~~~~~~~~~~~~~~~~~~~~~~~

On Thu, 22 Apr 2004 Diego Biurrun found a crashing bug in the MPlayer realrtsp
code that Roberto Togni confirmed to be a buffer overflow vulnerability later
that day. The xine team was notified and independent code audits were performed
by Miguel Freitas (xine) and Roberto Togni (MPlayer), revealing multiple
vulnerabilities.

1) Fixed length buffers were assigned for the URL used in server requests and
the length of the input was never checked. Very long URLs could thus overflow
these buffers and crash the application. A malicious person might possibly use
a specially crafted URL or playlist to run arbitrary code on the user's
machine.

2) Not all strings returned from a Real server were checked for length. It
might be possible to cause a buffer overflow during the RTSP session
negotiation sequence. A malicious person could use a fake RTSP server to feed
the client with malformed strings.

3) Packets of RealNetworks' Real Data Transport (RDT) format were received
using a fixed length buffer whose size was never checked. It might also be
possible to exploit this by emulating a RealNetworks' RTSP server.
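The three items above share one root cause: data of attacker-controlled length
(a URL, a server reply string, an RDT packet) is copied into a fixed-size buffer
without first comparing the length against the buffer's capacity. The following
C code is an added illustration of the bounded handling a fix has to provide; it
is not the MPlayer or xine code and does not reproduce their real buffer sizes,
request format or RDT framing, all of which are hypothetical here. Each function
refuses input that would not fit instead of writing past the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical capacities for the example; not the players' real constants. */
#define URL_BUF_SIZE 256
#define RDT_BUF_SIZE 1024

/* Item 1/2: copy a string into a fixed buffer only if it fits, including the
 * terminating NUL. Returns the copied length, or -1 if src is too long, in
 * which case dst is left untouched. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Item 1: build "DESCRIBE <url> RTSP/1.0\r\n" in a fixed buffer. The request
 * format is a constructed stand-in for whatever the real client sends. The
 * total length is computed and checked before a single byte is written. */
static int build_describe_request(char *out, size_t out_size, const char *url)
{
    static const char prefix[] = "DESCRIBE ";
    static const char suffix[] = " RTSP/1.0\r\n";
    size_t plen = sizeof(prefix) - 1;
    size_t slen = sizeof(suffix) - 1;
    size_t ulen = strlen(url);
    size_t need = plen + ulen + slen + 1;   /* +1 for the NUL */
    if (need > out_size)
        return -1;
    memcpy(out, prefix, plen);
    memcpy(out + plen, url, ulen);
    memcpy(out + plen + ulen, suffix, slen + 1);  /* copies the NUL too */
    return (int)(need - 1);
}

/* Item 3: receive a packet whose first two bytes declare the payload length
 * (big-endian). This framing is constructed for the example and is not real
 * RDT. The declared length is validated against both the bytes actually
 * available and the destination capacity before the copy. Returns the payload
 * length, or -1 if the packet is truncated or too large for out. */
static int read_rdt_packet(const uint8_t *in, size_t in_len,
                           uint8_t *out, size_t out_size)
{
    if (in_len < 2)
        return -1;                              /* no length field */
    size_t declared = ((size_t)in[0] << 8) | in[1];
    if (declared > in_len - 2)
        return -1;                              /* claims more than received */
    if (declared > out_size)
        return -1;                              /* would overflow out */
    memcpy(out, in + 2, declared);
    return (int)declared;
}

int main(void)
{
    char req[URL_BUF_SIZE];
    uint8_t payload[RDT_BUF_SIZE];
    /* Constructed sample inputs: a short URL and a 3-byte packet. */
    const char *url = "rtsp://example.invalid/a.rm";
    const uint8_t pkt[] = { 0x00, 0x03, 'a', 'b', 'c' };
    const uint8_t bad_pkt[] = { 0x00, 0x10, 'a' };   /* declares 16, has 1 */

    printf("request: %d bytes\n", build_describe_request(req, sizeof req, url));
    printf("packet: %d bytes\n", read_rdt_packet(pkt, sizeof pkt, payload, sizeof payload));
    printf("truncated packet: %d\n", read_rdt_packet(bad_pkt, sizeof bad_pkt, payload, sizeof payload));
    return 0;
}
```

The check in read_rdt_packet covers two distinct failure modes: a length field
larger than what was actually received (reading past the input), and a length
field larger than the destination (writing past the buffer). A fix that tests
only one of them still leaves a memory-safety bug.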

On Wed, 14 Apr 2004 22:45:28 +0200 (CEST) a change was made to MPlayer CVS that
removes the extension checking on RTSP streams. MPlayer now attempts to handle
every RTSP connection as realrtsp first, falling back to live.com RTSP. CVS
versions from that date to the time the fix was checked in are susceptible to
the same problem when playing normal RTSP streams as well.

At the time of the writing of this advisory no real exploits are known to the
authors and we hope to be the first to stumble across this vulnerability. Since
we believe that the bugs described in this advisory are exploitable we have
released this proactive advisory.


_________
Download:
~~~~~~~~~

MPlayer 1.0pre4 can be downloaded from the MPlayer homepage or one of its many
mirrors. Go to the MPlayer download page at

http://www.mplayerhq.hu/homepage/dload.html

to get MPlayer 1.0pre4 source code.

xine-lib 1-rc4 can be downloaded from the xine homepage at

http://xinehq.de/index.php/releases
