Security holes also discovered in QuickTime and VLC
Having only recently discovered a RTSP data stream processing vulnerability in xine-lib, Luigi Auriemma has now published details about vulnerabilities in VLC Mediaplayer and Apple's QuickTime. These players also allow attackers to inject and execute arbitrary code via specially crafted RTSP data streams.
The VLC project adopted code from the Xine project in which insufficient length checks may allow buffer overflows on the heap to be triggered when decoding RTSP streams. The flaw occurs in the modules/access/rtsp/real_sdpplin.c file.
In QuickTime, a buffer overflow may be triggered when HTTP error messages are displayed. Attackers can provoke the problem in QuickTime under Windows by supplying a link to an RTSP server without having a server listening on network port 554. According to Auriemma, QuickTime tries to access HTTP port 80 in this case, allowing the server operator to use specially crafted error messages like "404 - Page not found" to trigger a buffer overflow in QuickTime's display routine. It has, however, not been possible to reproduce the flaw under Mac OS X.
No updated versions are currently available for either of the players - the current versions of QuickTime (7.3.1.70) and VLC (0.8.6d) are affected. However, as there are currently no known vulnerabilities in Windows Media Player, which can also be used for watching online media, that is probably the safest alternative until an update is available.
- advisory about the VLC Mediaplayer vulnerability by Luigi Auriemma
- advisory about the QuickTime security hole by Auriemma
- xine-lib media library slips up when streaming, heise Security news report
(mba)