[UNIX] Multiple Heap Overflows in MMS and Real RTSP Streaming Clients (Xine)

From: SecuriTeam (support_at_securiteam.com)
Date: 04/25/05

    To: list@securiteam.com
    Date: 25 Apr 2005 16:07:39 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Multiple Heap Overflows in MMS and Real RTSP Streaming Clients (Xine)
    ------------------------------------------------------------------------

    SUMMARY

    When a user receives data from a malicious network streaming server, an
    attacker can overrun a heap buffer, which can, on some systems, lead to or
    help in executing attacker-chosen malicious code with the permissions of
    the user running a xine-lib based media application.

    DETAILS

    Affected versions:
     * Xine version 0.9.x (0.9.9 and later)
     * Xine version 1-alpha
     * Xine version 1-beta
     * Xine version 1-rc
     * Xine version 1.0

    Unaffected versions:
     * Xine versions older than 0.9.9
     * Xine version 1.0.1 or newer

    Both the MMS and Real RTSP streaming client code made some overly strong
    assumptions about the transferred data. Several critical bounds checks were
    missing, resulting in the possibility of heap overflows should the remote
    server not adhere to these assumptions. In the MMS case, a remote server
    could present content with too many individual streams; in the RTSP case,
    a remote server's reply could have too many lines.
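    To make the missing check concrete, here is an added example written for this page (not xine's code; the parser, MAX_REPLY_LINES and all function names are hypothetical). It stores a server reply's lines in a fixed-size array, as the advisory describes, and rejects a reply with too many lines instead of writing past the array:

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical sketch, not xine's code: the server's reply is split into lines
 * kept in a fixed-size array. The check on the line count is the kind of
 * bounds check the advisory says was missing from the RTSP client. */
#define MAX_REPLY_LINES 8

typedef struct { char *lines[MAX_REPLY_LINES]; int count; } rtsp_reply_t;

static void rtsp_reply_free(rtsp_reply_t *r) { while (r->count > 0) free(r->lines[--r->count]); }

/* Returns 0 on success, -1 if the reply does not fit in the fixed array. */
int rtsp_parse_reply(const char *raw, rtsp_reply_t *r)
{
    const char *p = raw;
    r->count = 0;
    while (*p) {
        const char *end = strstr(p, "\r\n");
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0) break;                 /* blank line ends the header block */
        if (r->count >= MAX_REPLY_LINES) {   /* the missing bounds check: */
            rtsp_reply_free(r);              /* reject the reply instead of */
            return -1;                       /* writing past lines[] */
        }
        char *line = malloc(len + 1);
        if (!line) { rtsp_reply_free(r); return -1; }
        memcpy(line, p, len);
        line[len] = '\0';
        r->lines[r->count++] = line;
        if (!end) break;
        p = end + 2;
    }
    return 0;
}

/* Number of header lines in a reply, or -1 when the reply is rejected. */
int rtsp_reply_line_count(const char *raw)
{
    rtsp_reply_t r;
    int n = (rtsp_parse_reply(raw, &r) == 0) ? r.count : -1;
    rtsp_reply_free(&r);
    return n;
}

/* Constructed check: a reply with one line more than lines[] can hold. */
int rtsp_overlong_reply_rejected(void)
{
    char raw[256] = "RTSP/1.0 200 OK\r\n";
    for (int i = 0; i < MAX_REPLY_LINES; i++) strcat(raw, "X-Hdr: v\r\n");
    return rtsp_reply_line_count(raw) == -1;
}
```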

    An attacker can set up a server delivering malicious data to users.
    This can be used to overflow a heap buffer, which can, with certain
    implementations of heap management, lead to attacker-chosen data being
    written to the stack. This can cause attacker-chosen code to be executed
    with the permissions of the user running the application. By tricking users
    into retrieving a stream, which can be as easy as providing a link on a
    website, this vulnerability can be exploited remotely.

    Severity:
    This is difficult to exploit remotely, because the indirection involved
    requires precision and knowledge of the target machine: the heap overflow
    needs to alter heap management information in such a way that a return
    address on the stack is modified. This address must point to malicious
    code to be executed, which needs to be injected somehow. The involved xine
    plugin is part of the standard xine installation, so we consider this
    problem to be moderately severe.

    Solution:
    The enclosed patches, which have been applied to xine-lib CVS, fix the
    problem but should only be used by distributors who do not want to
    upgrade. Otherwise, we strongly advise everyone to upgrade to the
    soon-to-arrive 1.0.1 release of xine-lib.

    As a temporary workaround, you may delete the files "xineplug_inp_mms.so"
    and "xineplug_inp_rtsp.so" from the xine-lib plugin directory, losing the
    ability to use MMS or Real RTSP streaming content.

    Patches:
    http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/librtsp/rtsp.c?r1=1.18&r2=1.19&diff_format=u
    http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/mms.c?r1=1.55&r2=1.56&diff_format=u

    ADDITIONAL INFORMATION

    The information has been provided by Michael Roitzsch
    (mroi@users.sourceforge.net).
    The original article can be found at: http://xinehq.de/

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

