Security Advisory 0801

Summary           : Format string vulnerability in the Web interface
                    Stack-based buffer overflow in the Subtitles demuxer
                    String buffer overflows in the Real RTSP demuxer
Date              : 27 February 2008, 2 April 2008
Affected versions : VLC media player 0.8.6d and earlier
ID                : VideoLAN-SA-0801
CVE references    : CVE-2007-6681, CVE-2007-6682, CVE-2008-0295, CVE-2008-0296

Details

VLC media player's Web interface suffers from a format string vulnerability when it receives specially crafted requests.

Its subtitle demuxer is prone to multiple buffer overflows triggered by parsing maliciously crafted files.
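The stack-based overflow class named above for the subtitle demuxer, shown on a constructed subtitle timing-line parser in a vulnerable and a hardened form. This is an added illustration in C, not VLC's demuxer code; the parser, its field names, the 16-byte buffer size and the "HH:MM:SS,mmm" line shape are assumptions.

```c
/* Constructed example, not VLC code: a SubRip-style timing line such as
 * "00:00:01,000 --> 00:00:04,000" parsed into two fixed-size stack buffers. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TS_LEN 16   /* "HH:MM:SS,mmm" is 12 bytes plus NUL; 16 leaves slack */

struct sub_times { char start[TS_LEN]; char end[TS_LEN]; };

/* Returns 1 if s has exactly the shape HH:MM:SS,mmm ('d' = digit), else 0. */
static int is_timestamp(const char *s)
{
    const char *shape = "dd:dd:dd,ddd";
    size_t i;
    if (strlen(s) != strlen(shape))
        return 0;
    for (i = 0; shape[i] != '\0'; i++)
        if (shape[i] == 'd' ? !isdigit((unsigned char)s[i]) : s[i] != shape[i])
            return 0;
    return 1;
}

/* Vulnerable form: "%s" has no width limit, so a token longer than 15
 * characters in a crafted file writes past the 16-byte stack buffers.
 * Never call this on untrusted input; it is here only for comparison. */
int parse_timing_line_unsafe(const char *line, struct sub_times *out)
{
    return sscanf(line, "%s --> %s", out->start, out->end) == 2 ? 0 : -1;
}

/* Hardened form: width limits bound each write to TS_LEN-1 characters,
 * a trailing "%1s" rejects junk after the second token, and the shape
 * check rejects anything that is not a well-formed timestamp. */
int parse_timing_line_safe(const char *line, struct sub_times *out)
{
    char trailing[2];
    int n = sscanf(line, "%15s --> %15s%1s", out->start, out->end, trailing);
    if (n != 2)   /* overlong token, missing arrow, or extra data on the line */
        return -1;
    if (!is_timestamp(out->start) || !is_timestamp(out->end))
        return -1;
    return 0;
}

/* Convenience check: 1 if the safe parser accepts line with these fields. */
int timing_line_ok(const char *line, const char *want_start, const char *want_end)
{
    struct sub_times t;
    if (parse_timing_line_safe(line, &t) != 0)
        return 0;
    return strcmp(t.start, want_start) == 0 && strcmp(t.end, want_end) == 0;
}
```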

Its Real RTSP demuxer is based upon an older Xine library fork, which is prone to multiple buffer overflows triggered by maliciously crafted Session Description Protocol (SDP) data or by specific RTSP server responses.

Impact

If successful, a malicious third party could use the Web interface or the Real RTSP demuxer remotely, or the subtitle parser locally, to execute arbitrary code in the context of VLC media player or to crash the running player instance.

Threat mitigation

Exploitation of the Web interface problem requires the user to explicitly enable this interface. It is disabled by default.

Subtitle files can be opened manually by the user or automatically based on the filename of the movie. Both ways may lead to exploitation of the subtitle parser's buffer overflow.

Exploitation of the Real RTSP problems requires the user to explicitly open streams provided by malicious third parties.

Workarounds

The user may refrain from using the Web interface until an update is installed or limit its usage to secure environments. VLC media player can also be controlled remotely through the RC and telnet interfaces.

Automatic detection of subtitle files can be disabled by unchecking the "Autodetect subtitle files" option in the Subtitle category inside the Video preferences. Note that you need to restart VLC media player for this change to take effect. If you use VLC media player from the command line, pass --no-sub-autodetect-file to override its default behavior.

The user is asked to use subtitle files authored by trusted sources only.

The user is asked to open Real RTSP streams only from trusted content providers. In case of uncertainty, it is recommended not to open such streams. RTSP streams can easily be identified by the rtsp prefix of their URL/MRL.

Solution

VLC media player 0.8.6e addresses these issues and introduces further usability fixes. Version 0.8.6f implements additional security improvements to the Subtitle Parser.

Pre-compiled packages will be available at the usual download locations shortly.

Credits

The Subtitle Parser vulnerability was discovered by Michal Luczaj.

The Web interface vulnerability was reported by Luigi Auriemma.

The Real RTSP demuxer vulnerabilities were published by Luigi Auriemma.

References

Luigi Auriemma, "Buffer overflow and format string in VideoLAN's VLC 0.8.6d"
Luigi Auriemma, "Heap overflow in sdpplin_parse and possible heap overflow in VideoLAN's VLC 0.8.6d"
The VideoLAN Project, http://www.videolan.org/

History

2 April 2008
VLC 0.8.6f bugfix release
27 February 2008
VLC 0.8.6e bugfix release
20 January 2008
Source code fixes to the Real RTSP demuxer for VLC 0.8.6d and development tree
10 January 2008
Real RTSP demuxer issues published by Luigi Auriemma
24 December 2007
Web Interface and Subtitle Demuxer bugs reported by Luigi Auriemma
Source code fixes to these issues for VLC 0.8.6d and development tree

Rémi Denis-Courmont, Felix Paul Kühne,
on behalf of the VideoLAN project