[UNIX] Remote Buffer Overflow Vulnerabilities in Real RTSP Streaming
From: SecuriTeam (support_at_securiteam.com)
Date: 05/02/04
To: list@securiteam.com Date: 2 May 2004 14:31:30 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Remote Buffer Overflow Vulnerabilities in Real RTSP Streaming
------------------------------------------------------------------------
SUMMARY
Multiple vulnerabilities have been found and fixed in the Real-Time
Streaming Protocol (RTSP) client code for RealNetworks servers, including a
series of potentially remotely exploitable buffer overflows. This is a
joint advisory by the MPlayer and xine teams, as the code in question is
shared by both projects. The xine team has assigned ID XSA-2004-3 to this
security announcement.
DETAILS
Affected versions:
* MPlayer version 1.0pre1-pre3try2 - patch available at:
http://www.mplayerhq.hu/dload.html
* xine-lib versions 1-beta1 to 1-rc3c - patch available at:
http://xinehq.de/index.php/releases
Unaffected versions:
* MPlayer version 0.92.1 and below
* MPlayer version 1.0pre4 and above
* MPlayer CVS HEAD
* xine-lib version 1-beta0 and below
* xine-lib version 1-rc4 and above
* xine-lib CVS HEAD
Solution:
A fix was checked into MPlayer CVS on Sat, 24 Apr 2004 12:33:22 +0200
(CEST). This fix is included in MPlayer 1.0pre4. Users of affected MPlayer
versions should upgrade to MPlayer 1.0pre4 or later.
xine-lib fix was checked into CVS on Fri, Apr 23 21:59:04 2004 UTC. This
fix is included in xine-lib 1-rc4. Users of affected xine-lib versions
should upgrade to xine-lib 1-rc4 or later. If this upgrade is not feasible
for some reason, the vulnerable code can be disabled by removing xine's
RTSP input plugin, which is located at
$(xine-config --plugindir)/xineplug_inp_rtsp.so. If installed with default
paths, that is: /usr/local/lib/xine/plugins/1.0.0/xineplug_inp_rtsp.so.
Note that this workaround disables RTSP streaming entirely.
History / Attack Vectors:
On Thu, 22 Apr 2004 Diego Biurrun found a crashing bug in the MPlayer
realrtsp code that Roberto Togni confirmed to be a buffer overflow
vulnerability later that day. The xine team was notified and independent
code audits were performed by Miguel Freitas (xine) and Roberto Togni
(MPlayer), revealing multiple vulnerabilities.
1. Fixed-length buffers were used for the URL placed in server requests,
and the length of the input was never checked. An overlong URL could thus
overflow these buffers and crash the application. A specially crafted URL
or playlist could potentially be used to run arbitrary code on the user's
machine.
2. Not all strings returned from a Real server were checked for length, so
a buffer overflow might be triggered during the RTSP session negotiation
sequence. An attacker could use a fake RTSP server to feed the client
malformed strings.
3. Packets in RealNetworks' Real Data Transport (RDT) format were received
into a fixed-length buffer without checking the packet length against the
buffer size. This might also be exploitable by emulating a RealNetworks
RTSP server.
4. On Wed, 14 Apr 2004 22:45:28 +0200 (CEST) a change was made to MPlayer
CVS that removes the extension checking on RTSP streams. MPlayer now
attempts to handle every RTSP connection as realrtsp first, falling back
to live.com RTSP. CVS versions from that date to the time the fix was
checked in are susceptible to the same problem when playing normal RTSP
streams as well.
5. At the time of the writing of this advisory no real exploits are known
to the authors and we hope to be the first to stumble across this
vulnerability. Since we believe that the bugs described in this advisory
are exploitable we have released this proactive advisory.
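Items 1 to 3 above are instances of one pattern: a length that comes from
the network (or from a playlist) is used to fill a fixed-size buffer without
being compared against that buffer's size. The following C program is an
added illustration, not code from MPlayer, xine or the advisory authors. It
uses a constructed two-byte length-prefixed framing as a stand-in for RDT
(the real RDT wire format is not reproduced here), assumed buffer sizes
RDT_BUF_SIZE and REQ_BUF_SIZE, and a simplified DESCRIBE request line. Each
unchecked routine is shown beside the hardened version that rejects input
that would not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RDT_BUF_SIZE 1024   /* assumed size of the fixed receive buffer */
#define REQ_BUF_SIZE 256    /* assumed size of the fixed request buffer */

/* Constructed framing for the example: 2-byte big-endian payload length,
 * then the payload. This is NOT the real RDT format; it only models the
 * "length taken from the wire" problem described in item 3. */
size_t make_rdt_packet(uint8_t *out, size_t out_size,
                       uint16_t claimed_len, size_t payload_len)
{
    if (out_size < 2 + payload_len)
        return 0;
    out[0] = (uint8_t)(claimed_len >> 8);
    out[1] = (uint8_t)(claimed_len & 0xFF);
    memset(out + 2, 'A', payload_len);      /* filler payload bytes */
    return 2 + payload_len;
}

/* Vulnerable pattern (item 3): the server-supplied length is trusted.
 * A claimed length above RDT_BUF_SIZE writes past `buf`; a claimed length
 * above the bytes actually received reads past `wire`. Never call this
 * with untrusted input; it is here only to show the defect. */
int rdt_recv_unchecked(const uint8_t *wire, size_t wire_len, uint8_t *buf)
{
    if (wire_len < 2)
        return -1;
    size_t len = ((size_t)wire[0] << 8) | wire[1];
    memcpy(buf, wire + 2, len);             /* no bound on len */
    return (int)len;
}

/* Hardened version: the length is validated against both the destination
 * buffer and the number of bytes really present before any copy. */
int rdt_recv_checked(const uint8_t *wire, size_t wire_len,
                     uint8_t *buf, size_t buf_size)
{
    if (wire_len < 2)
        return -1;                          /* header incomplete */
    size_t len = ((size_t)wire[0] << 8) | wire[1];
    if (len > buf_size)
        return -2;                          /* would overflow buf: reject */
    if (len > wire_len - 2)
        return -3;                          /* packet truncated on the wire */
    memcpy(buf, wire + 2, len);
    return (int)len;
}

/* Vulnerable pattern (item 1): the URL length is never checked, so
 * sprintf writes as many bytes as the URL needs into a REQ_BUF_SIZE buffer. */
int build_request_unchecked(const char *url, char *req)
{
    return sprintf(req, "DESCRIBE %s RTSP/1.0\r\n", url);
}

/* Hardened version: snprintf bounds the write, and the return value is
 * checked so an over-long URL is refused instead of sending a truncated
 * request line. */
int build_request_checked(const char *url, char *req, size_t req_size)
{
    int n = snprintf(req, req_size, "DESCRIBE %s RTSP/1.0\r\n", url);
    if (n < 0 || (size_t)n >= req_size)
        return -1;                          /* did not fit */
    return n;
}

int main(void)
{
    uint8_t wire[4096], buf[RDT_BUF_SIZE];
    char req[REQ_BUF_SIZE];

    /* Benign packet: claimed and actual lengths agree and fit the buffer. */
    size_t n = make_rdt_packet(wire, sizeof wire, 8, 8);
    printf("benign packet: checked=%d unchecked=%d\n",
           rdt_recv_checked(wire, n, buf, sizeof buf),
           rdt_recv_unchecked(wire, n, buf));

    /* Malicious packet from a fake server: claims 65535 bytes. The checked
     * parser rejects it; the unchecked one would smash the stack. */
    n = make_rdt_packet(wire, sizeof wire, 0xFFFF, 8);
    printf("oversized claim: checked=%d (unchecked not called)\n",
           rdt_recv_checked(wire, n, buf, sizeof buf));

    /* Over-long URL from a crafted playlist. */
    char longurl[600];
    memset(longurl, 'A', sizeof longurl - 1);
    longurl[sizeof longurl - 1] = '\0';
    printf("long URL: checked=%d (unchecked not called)\n",
           build_request_checked(longurl, req, sizeof req));
    return 0;
}
```

The hardened functions return distinct error codes rather than silently
truncating: a client that truncates a request or a packet can still end up
in a confused state that an attacker controls, so refusing the input is the
safer choice for a media client talking to an untrusted server.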
ADDITIONAL INFORMATION
The information has been provided by Diego Biurrun.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.