
mplayerRTSP.html

Posted May 1, 2004
Site mplayerhq.hu

Multiple vulnerabilities have been discovered and fixed in the Real-Time Streaming Protocol (RTSP) client code for RealNetworks servers. Versions of MPlayer below 1.0pre4 are affected.

tags | advisory, vulnerability, protocol
SHA-256 | f42371e900636bbb672e0c3661765f1b16d179f412ab731b1a2740d47ec26398

<html>
<pre>
<!-- content begin -->

<font class="bigheader">
<br>
<a name="vuln03">
2004.04.28, Wednesday :: Exploitable remote buffer overflow vulnerability in the Real RTSP streaming code
</a>
<br>
</font>
<font class="header">
posted by Diego<br>
</font>
<font class="text">
<br>
<b>Summary:</b>
<br>
Multiple vulnerabilities have been found and fixed in the Real-Time
Streaming Protocol (RTSP) client for RealNetworks servers, including a
series of potentially remotely exploitable buffer overflows. This is a
joint advisory by the MPlayer and xine teams as the code in question is
common to these projects. The xine team has assigned ID XSA-2004-3 to this
security announcement.
<br>
<br>
<b>Severity:</b>
<br>
High (arbitrary remote code execution under the user ID running the player)
when playing Real RTSP streams.
At this time, there is no known exploit for these vulnerabilities.
<br>
<br>
<b>Prerequisites:</b>
<br>
The players are only vulnerable when playing Real RTSP streams.
There is no risk if Real RTSP (realrtsp) streaming is not employed.
<br>
<br>
<b>Solution:</b>
<br>
A fix was checked into MPlayer CVS on Sat, 24 Apr 2004 12:33:22 +0200 (CEST).
This fix is included in MPlayer 1.0pre4. Users of affected MPlayer versions
should upgrade to MPlayer 1.0pre4 or later.
<br>
A xine-lib fix was checked into CVS on Fri, Apr 23 21:59:04 2004 UTC. This fix
is included in xine-lib 1-rc4. Users of affected xine-lib versions should
upgrade to xine-lib 1-rc4 or later.
If this upgrade is not feasible for some reason, the vulnerable code
can be disabled by removing xine's RTSP input plugin, which is located at
$(xine-config --plugindir)/xineplug_inp_rtsp.so. If installed with default
paths, that is: /usr/local/lib/xine/plugins/1.0.0/xineplug_inp_rtsp.so
This workaround disables RTSP streaming.
<br>
<br>
<b>Affected versions:</b>
<br>
MPlayer 1.0pre1-pre3try2
<br>
xine-lib 1-beta1 to 1-rc3c
<br>
<br>
<b>Unaffected versions:</b>
<br>
MPlayer 0.92.1 and below
<br>
MPlayer 1.0pre4 and above
<br>
MPlayer CVS HEAD
<br>
<br>
xine-lib 1-beta0 and below
<br>
xine-lib 1-rc4 and above
<br>
xine-lib CVS HEAD
<br>
<br>
<b>History / Attack Vectors:</b>
<br>
On Thu, 22 Apr 2004 Diego Biurrun found a crashing bug in the MPlayer
realrtsp code that Roberto Togni confirmed to be a buffer overflow
vulnerability later that day. The xine team was notified and independent
code audits were performed by Miguel Freitas (xine) and Roberto Togni
(MPlayer), revealing multiple vulnerabilities.
<ol>
<li>Fixed length buffers were assigned for the URL used in server requests
and the length of the input was never checked. Very long URLs could thus
overflow these buffers and crash the application. A malicious person
might possibly use a specially crafted URL or playlist to run arbitrary
code on the user's machine.</li>
<li>Not all strings returned from a Real server were checked for length.
It might be possible to cause a buffer overflow during the RTSP session
negotiation sequence. A malicious person could use a fake RTSP server
to feed the client with malformed strings.</li>
<li>Packets of RealNetworks' Real Data Transport (RDT) format were received
using a fixed length buffer whose size was never checked. It might also be
possible to exploit this by emulating a RealNetworks' RTSP server.</li>
<li>On Wed, 14 Apr 2004 22:45:28 +0200 (CEST) a change was made to MPlayer
CVS that removes the extension checking on RTSP streams. MPlayer now
attempts to handle every RTSP connection as realrtsp first, falling back
to live.com RTSP. CVS versions from that date to the time the fix was
checked in are susceptible to the same problem when playing normal RTSP
streams as well.</li>
<li>At the time of the writing of this advisory no real exploits are known
to the authors and we hope to be the first to stumble across this
vulnerability. Since we believe that the bugs described in this advisory
are exploitable we have released this proactive advisory.</li>
</ol>
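The length checks whose absence items 1 to 3 describe, as an added example that is not part of the original advisory and is not MPlayer or xine source. The function names, buffer sizes and the two-byte length framing are assumptions made for illustration; the framing is not the real RDT layout.

```c
/* Added illustration with hypothetical names; not MPlayer or xine source. */
#include <stdio.h>
#include <string.h>

#define REQ_MAX 256 /* assumed size of a fixed request buffer */
#define PKT_MAX 64  /* assumed size of a fixed packet buffer */

/* Item 1: format a request line around a caller-supplied URL.
 * Returns 0 on success, -1 if the URL does not fit (request is rejected). */
int build_describe(char *out, size_t outsz, const char *url)
{
    int n = snprintf(out, outsz, "DESCRIBE %s RTSP/1.0\r\n", url);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0'; /* never send a silently truncated request */
        return -1;
    }
    return 0;
}

/* Items 2 and 3: copy a length-prefixed frame received from the server.
 * Constructed framing: 2-byte big-endian payload length, then payload.
 * Returns the payload length copied, or -1 if the frame is rejected. */
long read_frame(const unsigned char *wire, size_t wire_len,
                unsigned char *dst, size_t dstsz)
{
    if (wire_len < 2)
        return -1; /* header incomplete */
    size_t declared = ((size_t)wire[0] << 8) | wire[1];
    if (declared > wire_len - 2)
        return -1; /* claims more bytes than were received */
    if (declared > dstsz)
        return -1; /* would overflow the fixed destination buffer */
    memcpy(dst, wire + 2, declared);
    return (long)declared;
}

int main(void)
{
    char req[REQ_MAX];
    unsigned char pkt[PKT_MAX];
    const unsigned char frame[] = { 0x00, 0x03, 'a', 'b', 'c' }; /* constructed */

    printf("url: %d\n", build_describe(req, sizeof req, "rtsp://example.invalid/a.rm"));
    printf("frame: %ld\n", read_frame(frame, sizeof frame, pkt, sizeof pkt));
    return 0;
}
```

Both functions reject oversized input outright instead of truncating it, so a later parsing stage never sees a partial request or a partial frame.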
<b>Download:</b>
<br>
<br>
MPlayer 1.0pre4 can be downloaded from the MPlayer homepage or one of its many
mirrors. Go to the
<a href="http://www.mplayerhq.hu/dload.html">MPlayer download page</a>
to get MPlayer 1.0pre4 source code.
<br>
<br>
xine-lib 1-rc4 can be downloaded from the
<a href="http://xinehq.de/index.php/releases">xine homepage</a>.
<br>
<br>
</font>






<!-- content end -->
</pre></html>