A critical code execution vulnerability has been identified in the LIVE555 Streaming Media RTSP server library used by VLC and other media players. Lilith Wyatt, a security researcher at Cisco Talos Intelligence Group, discovered the vulnerability.
The vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library: an attacker can send a crafted malicious packet that triggers a stack-based buffer overflow, resulting in code execution.
“A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability,” Wyatt explained in her blog post.
LIVE555 Streaming Media is a set of open-source C++ libraries developed by Live Networks Inc. for streaming multimedia. The libraries implement the RTP/RTCP, RTSP and SIP protocols, support both clients and servers, and can process video and audio formats such as MPEG, H.265, H.264, H.263+, VP8, DV, JPEG, AAC, AMR, AC-3, and Vorbis.
“The vulnerability resides in the function that parses HTTP headers for tunnelling RTSP over HTTP. An attacker may create a packet containing multiple ‘Accept:’ or ‘x-sessioncookie’ strings which could cause a stack buffer overflow in the function ‘lookForHeader’,” reads the Talos vulnerability report.
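The bug class described above is a header parser that copies a header value into a fixed-size stack buffer without accounting for how many times, or how long, that header appears. The following is an added illustration written for this article, not LIVE555 code and not the project's fix: a bounded header lookup that refuses values that do not fit instead of overflowing, plus a policy check a tunnel endpoint or proxy could apply to refuse requests carrying duplicated `Accept:` / `x-sessioncookie:` headers. The `VALUE_MAX` limit, the function names and the sample requests are assumptions constructed for the demo.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Maximum header value we are willing to keep (assumption chosen for the demo). */
#define VALUE_MAX 64

/* Case-insensitive test that `line` starts with `name` (e.g. "accept:").
   Stops at the NUL of `line`, so it never reads past the end of the request. */
static int starts_with_ci(const char *line, const char *name)
{
    for (; *name; line++, name++) {
        if (tolower((unsigned char)*line) != tolower((unsigned char)*name))
            return 0;
    }
    return 1;
}

/* Walk the request line by line and count lines that begin with `name`. */
int count_header(const char *request, const char *name)
{
    int n = 0;
    const char *p = request;
    while (*p) {
        if (starts_with_ci(p, name))
            n++;
        const char *nl = strchr(p, '\n');
        if (!nl)
            break;
        p = nl + 1;
    }
    return n;
}

/* Copy the value of the first `name` line into `out` (NUL-terminated).
   Returns the stored length, -1 if the header is absent, or -2 if the value
   would not fit in `outlen` bytes: an oversized value is refused, never
   written past the buffer. */
int get_header_value(const char *request, const char *name, char *out, size_t outlen)
{
    const char *p = request;
    size_t namelen = strlen(name);
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) : strlen(p);
        if (starts_with_ci(p, name)) {
            const char *v = p + namelen;
            const char *end = p + linelen;
            while (v < end && (*v == ' ' || *v == '\t'))
                v++;                                   /* skip leading blanks */
            while (end > v && (end[-1] == '\r' || end[-1] == ' '))
                end--;                                 /* strip CR / trailing blanks */
            size_t vlen = (size_t)(end - v);
            if (vlen >= outlen)
                return -2;                             /* bounded: refuse, do not overflow */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return -1;
}

/* Policy check for RTSP-over-HTTP tunnel setup requests: the advisory names
   repeated "Accept:" / "x-sessioncookie" strings as the trigger condition, so a
   request with a duplicated or oversized instance of either header is refused. */
int request_is_suspicious(const char *request)
{
    static const char *watched[] = { "accept:", "x-sessioncookie:" };
    char buf[VALUE_MAX];
    for (size_t i = 0; i < sizeof watched / sizeof watched[0]; i++) {
        if (count_header(request, watched[i]) > 1)
            return 1;
        if (get_header_value(request, watched[i], buf, sizeof buf) == -2)
            return 1;
    }
    return 0;
}

/* Constructed sample requests (not captured traffic). */
const char *BENIGN_REQUEST =
    "GET /stream HTTP/1.0\r\n"
    "x-sessioncookie: abc123\r\n"
    "Accept: application/x-rtsp-tunnelled\r\n"
    "Pragma: no-cache\r\n"
    "\r\n";

const char *DUPLICATED_REQUEST =
    "GET /stream HTTP/1.0\r\n"
    "Accept: application/x-rtsp-tunnelled\r\n"
    "Accept: application/x-rtsp-tunnelled\r\n"
    "x-sessioncookie: abc123\r\n"
    "\r\n";

const char *OVERSIZED_REQUEST =
    "GET /stream HTTP/1.0\r\n"
    "x-sessioncookie: "
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "\r\n";

int main(void)
{
    char cookie[VALUE_MAX];
    printf("benign request:     suspicious=%d\n", request_is_suspicious(BENIGN_REQUEST));
    printf("duplicated Accept:  suspicious=%d\n", request_is_suspicious(DUPLICATED_REQUEST));
    printf("oversized cookie:   suspicious=%d\n", request_is_suspicious(OVERSIZED_REQUEST));
    if (get_header_value(BENIGN_REQUEST, "x-sessioncookie:", cookie, sizeof cookie) >= 0)
        printf("session cookie: %s\n", cookie);
    return 0;
}
```

The two defences are independent: the bounded copy protects the parser itself regardless of how many copies of a header arrive, while the duplicate check is a cheap front-line filter for a proxy or IDS rule that has no business handling a second `x-sessioncookie` in a tunnel request anyway.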
The flaw, tracked as CVE-2018-4013, leaves millions of media player users exposed to attack.
The LIVE555 media libraries are used by popular media players such as VLC and MPlayer, and by a multitude of embedded devices such as cameras.
An update addressing the vulnerability has already been issued, so if you use any of the affected media players, make sure they are updated to the latest version.
The vulnerability affects Live Networks LIVE555 Media Server version 0.92 and earlier, and is tracked as CVE-2018-4013.
This is not the first time a popular media player like VLC has made headlines for the wrong reasons. Previously, a security researcher identified critical security flaws in 2.0.5 and earlier versions that could have been exploited by attackers to execute malicious code on computers via ASF files.