Summary : Format string vulnerability in the Web interface Stack-based buffer overflow in the Subtitles demuxer String buffer overflows in the Real RTSP demuxer Date : 27 February 2008, 2 April 2008 Affected versions : VLC media player 0.8.6d and earlier ID : VideoLAN-SA-0801 CVE references : CVE-2007-6681, CVE-2007-6682, CVE-2008-0295, CVE-2008-0296
VLC media player's web interface suffers from a format string vulnerability when using specially crafted requests.
Its subtitle demuxer is prone to multiple buffer overflows triggered by parsing maliciously crafted files.
Its Real RTSP demuxer is based upon an older Xine library fork, which is prone to multiple buffer overflows triggered by maliciously crafted Session Description Protocol (SDP) data or by specific RTSP server responses.
If successful, a malicious third party could remotely use the Web interface or the Real RTSP demuxer or locally trigger the subtitles parser to execute arbitrary code within the context of VLC media player or crash the current player instance.
Exploitation of the Web interface problem requires the user to explicitly enable this interface. It is disabled by default.
Subtitle files can be manually opened by the user or automatically based on the filename of the movie. Both ways may lead to exploitation of the Subtitle Parser's buffer-overflow.
Exploitation of the Real RTSP problems requires the user to explicitly open streams provided by malicious third parties.
The user may refrain from using the Web interface until an update is installed or limit its usage to secure environments. VLC media player can also be controlled remotely through the RC and telnet interfaces.
Automatic detection of subtitle files can be disabled by unchecking the "Autodetect subtitle files" option in the Subtitle category inside the Video preferences. Note that you need to restart VLC media player for this change to take effect. In case that you use VLC media player through the command-line, provide
--no-sub-autodetect-file to override its default behavior.
The user is asked to use subtitle files authored by trusted sources only.
The user is asked to only open Real RTSP streams from trusted content providers. In case of uncertainess, it is recommended not to open this kind of streams. RTSP streams can easily be identified by the
rtsp prefix of their URL/MRL.
VLC media player 0.8.6e addresses these issues and introduces further usability fixes. Version 0.8.6f implements additional security improvements to the Subtitle Parser.
Pre-compiled packages will be available at the usual download locations shortly.
The Subtitle Parser vulnerability was discovered by Michal Luczaj.
The Web interface vulnerability was reported by Luigi Auriemma.
The Real RTSP demuxer vulnerabilities were published by Luigi Auriemma.