Summary:
Multiple vulnerabilities have being found and fixed in the Real-Time
Streaming Protocol (RTSP) client for RealNetworks servers, including a
series of potentially remotely exploitable buffer overflows. This is a
joint advisory by the MPlayer and xine teams as the code in question is
common to these projects. The xine team has assigned ID XSA-2004-3 to this
security announcement.
Severity:
High (arbitrary remote code execution under the user ID running the player)
when playing Real RTSP streams.
At this time, there is no known exploit for these vulnerabilities.
Prerequisites:
The players are only vulnerable when playing Real RTSP streams.
There is no risk if Real RTSP (realrtsp) streaming is not employed.
Solution:
A fix was checked into MPlayer CVS on Sat, 24 Apr 2004 12:33:22 +0200 (CEST).
This fix is included in MPlayer 1.0pre4. Users of affected MPlayer versions
should upgrade to MPlayer 1.0pre4 or later.
xine-lib fix was checked into CVS on Fri, Apr 23 21:59:04 2004 UTC. This fix
is included in xine-lib 1-rc4. Users of affected xine-lib versions should
upgrade to xine-lib 1-rc4 or later.
If this upgrade is not feasible for some reason, the vulnerable code
can be disabled by removing xine's RTSP input plugin, which is located at
$(xine-config --plugindir)/xineplug_inp_rtsp.so). If installed with default
paths, that is: /usr/local/lib/xine/plugins/1.0.0/xineplug_inp_rtsp.so
This workaround disables RTSP streaming.
Affected versions:
MPlayer 1.0pre1-pre3try2
xine-lib 1-beta1 to 1-rc3c
Unaffected versions:
MPlayer 0.92.1 and below
MPlayer 1.0pre4 and above
MPlayer CVS HEAD
xine-lib 1-beta0 and below
xine-lib 1-rc4 and above
xine-lib CVS HEAD
History / Attack Vectors:
On Thu, 22 Apr 2004 Diego Biurrun found a crashing bug in the MPlayer
realrtsp code that Roberto Togni confirmed to be a buffer overflow
vulnerability later that day. The xine team was notified and independent
code audits were performed by Miguel Freitas (xine) and Roberto Togni
(MPlayer), revealing multiple vulnerabilities.
- Fixed length buffers were assigned for the URL used in server requests
and the length of the input was never checked. Very long URLs could thus
overflow these buffers and crash the application. A malicious person
might possibly use a specially crafted URL or playlist to run arbitrary
code on the user's machine.
- Not all strings returned from a Real server were checked for length.
It might be possible to cause a buffer overflow during the RTSP session
negotiation sequence. A malicious person could use a fake RTSP server
to feed the client with malformed strings.
- Packets of RealNetworks' Real Data Transport (RDT) format were received
using a fixed length buffer whose size was never checked. It might also be
possible to exploit this by emulating a RealNetworks' RTSP server.
- On Wed, 14 Apr 2004 22:45:28 +0200 (CEST) a change was made to MPlayer
CVS that removes the extension checking on RTSP streams. MPlayer now
attempts to handle every RTSP connection as realrtsp first, falling back
to live.com RTSP. CVS versions from that date to the time the fix was
checked in are susceptible to the same problem when playing normal RTSP
streams as well.
- At the time of the writing of this advisory no real exploits are known
to the authors and we hope to be the first to stumble across this
vulnerability. Since we believe that the bugs described in this advisory
are exploitable we have released this proactive advisory.
Download:
MPlayer 1.0pre4 can be downloaded from the MPlayer homepage or one of its many
mirrors. Go to the
MPlayer download page
to get MPlayer 1.0pre4 source code.
xine-lib 1-rc4 can be downloaded from the
xine homepage.