LIVE555 media streaming library hit by remote code execution flaw

Watch out for this vulnerability in VLC, MPlayer & other media players

This article has been updated with a statement from Live Networks, Inc. explaining that the flaw affected only its implementation of an RTSP server, which VLC and MPlayer do not use.

A security researcher at Cisco Talos Intelligence Group has discovered a critical remote code execution vulnerability, CVE-2018-4013, in the LIVE555 media streaming library.

Maintained by the company Live Networks, the library works with the RTP/RTCP, RTSP, or SIP protocols and can process video and audio formats such as MPEG, H.265, H.264, H.263+, VP8, DV, JPEG, AAC, AMR, AC-3, and Vorbis.

According to Lilith Wyatt, a researcher at the Cisco Talos Intelligence Group, the flaw lies in the HTTP packet parsing functionality, which analyzes HTTP headers for RTSP tunneling over HTTP.

“An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability,” Wyatt explained in her blog post.

Furthermore, Wyatt wrote that:

“The LIVE555 Media Libraries are a lightweight set of multimedia streaming libraries for RTSP/RTCP/RTSP/SIP, with code support for both servers and clients. They are utilized by popular media players such as VLC and MPlayer, as well as a multitude of embedded devices (mainly cameras).”

However, according to an email sent to HackRead by Ross Finlayson of Live Networks, Inc., the vulnerability does not affect VLC or MPlayer because both media players use LIVE555 only to implement an RTSP client.

“This vulnerability does not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP client,” Finlayson told HackRead. “The bug affected only our implementation of a RTSP server, which these media players don’t use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555’s.)”
