A critical remote code-execution bug has been found in the popular Live Networks LIVE555’s streaming media RTSPServer. The vulnerability could allow an attacker to send a specially crafted packet to vulnerable systems and trigger a stack-based buffer overflow, according to researchers at Cisco Talos.
Initial concern over the bug (CVE-2018-4013) had client-side users of the popular VLC open-source media player and the MPlayer video player scrambling to update their software. However, as Cisco Talos pointed out, the impacted LIVE555 Media Libraries affect only streaming server software, not the players that use them.
LIVE555 is a set of C++ libraries, created by Live Networks, that is used in streaming media server software and supports streaming over RTP/RTCP, Real Time Streaming Protocol (RTSP) and SIP. The underlying technology is sometimes used within the client-side versions of players.
However, while Vanja Svajcer, a researcher at the Cisco Talos Intelligence Group, explained in a blog post that the LIVE555 Media Libraries “are utilized by popular media players such as VLC and MPlayer, as well as a multitude of embedded devices (mainly cameras),” the client-side use of the LIVE555 libraries is not vulnerable to attack.
In an effort to allay concerns about the bug’s impact, Live Networks publicly stated that the vulnerability “does not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP. The bug affected only our implementation of a RTSP, which these media players don’t use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555’s).”
Svajcer wrote that the vulnerability exists in one of the functionalities enabled by LIVE555 for its standard RTSP server: The ability to tunnel RTSP over HTTP.
“[This function] is served by a different port bound by the server, typically TCP 80, 8000 or 8080, depending on what ports are available on the host machine,” he explained. “This port can support normal RTSP, but in certain cases, the HTTP client can negotiate the RTSP-over-HTTP tunnel.”
He said the flaw arises in the function that parses HTTP headers for tunneling RTSP over HTTP: “An attacker may create a packet containing multiple ‘Accept:’ or ‘x-sessioncookie’ strings which could cause a stack buffer overflow in the function ‘lookForHeader,’” he said.
More specifically, the bug is contained in the Live Networks LIVE555 Media Server (version 0.92) and “may also be present in the earlier version of the product,” according to Cisco Talos.
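A defender-side check for the request pattern Talos describes, added here as an example that is not code from LIVE555, Talos or this article: it counts how often “Accept:” and “x-sessioncookie” occur in an HTTP request's header block and flags repeats. The sample requests are constructed, and counting substrings anywhere in the headers (rather than parsed header lines) is an assumption.

```python
"""Flag HTTP requests that repeat the header strings named in the Talos report."""

# Strings the Talos write-up ties to the overflow in lookForHeader.
WATCHED = (b"accept:", b"x-sessioncookie")


def header_block(raw: bytes) -> bytes:
    """Return the bytes before the first blank line (whole buffer if none)."""
    ends = [i for i in (raw.find(b"\r\n\r\n"), raw.find(b"\n\n")) if i != -1]
    return raw[:min(ends)] if ends else raw


def count_watched(raw: bytes) -> dict:
    """Count case-insensitive occurrences of each watched string.

    Assumption: substrings are counted anywhere in the header block, not only
    at line starts, because the report speaks of repeated "strings".
    """
    block = header_block(raw).lower()
    return {w.decode(): block.count(w) for w in WATCHED}


def findings(raw: bytes) -> list:
    """Return one finding per watched string that appears more than once."""
    return [f"{name!r} appears {n} times"
            for name, n in count_watched(raw).items() if n > 1]


# Constructed sample requests (not captured traffic).
NORMAL_TUNNEL = (b"GET /stream HTTP/1.0\r\n"
                 b"x-sessioncookie: abc123\r\n"
                 b"Accept: application/x-rtsp-tunnelled\r\n\r\n")
REPEATED = (b"GET /stream HTTP/1.0\r\n"
            b"Accept: a\r\n"
            b"ACCEPT: b\r\n"
            b"X-Test: x-sessioncookie x-sessioncookie\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_TUNNEL), ("repeated", REPEATED)):
        print(label, findings(req) or "ok")
```

A normal tunnel setup request carries each string once, so a count above one on the HTTP tunnelling port is worth alerting on in front of unpatched servers.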