LIVE555 Streaming library affected by remote code execution vulnerability


This library is used by popular media players, along with a series of integrated devices with streaming capacities

Cybersecurity and digital forensics researchers have reported a critical remote code execution vulnerability in the LIVE555 streaming library. The flaw is tracked as CVE-2018-4013.

Maintained by the company Live Networks, the library works with the RTP/RTCP, RTSP or SIP protocols, with the ability to process video and audio formats such as MPEG, H.265, H.264, H.263+, VP8, DV, JPEG, MPEG, AAC, AMR, AC-3 and Vorbis.

In this case, according to Lilith Wyatt, a digital forensics specialist from Cisco Talos Intelligence Group, the vulnerability resides in the HTTP packet analysis functionality, which parses HTTP headers for the RTSP tunnel over HTTP.

“There is an exploitable remote code execution vulnerability in the HTTP packet parsing functionality of the RTSP LIVE555 server library. A specially crafted package can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a package to activate this vulnerability”, reports Wyatt in a blog post.

Later, Wyatt reported:

“LIVE555 multimedia libraries are a lightweight set of multimedia streaming libraries for RTSP/RTCP/RTSP/SIP protocols, with code support for servers and clients. They are used by popular media players such as VLC and MPlayer, as well as by a multitude of integrated devices (mainly cameras).”

Although it has not been specified if the popular VLC player is using the vulnerable component (a server-side library), VLC’s team clarified that its media player application uses the LIVE555 transmission media only on the client side.

To exploit this vulnerability, all an attacker needs to do is create and send a packet that contains multiple ‘Accept:’ or ‘x-Sessioncookie’ strings to the vulnerable application. This triggers a stack buffer overflow in the ‘lookForHeader’ function, which leads to the execution of arbitrary code, as reported by specialists in digital forensics from the International Institute of Cyber Security.

However, according to a press release issued to the media in general by Ross Finlayson of Live Networks, Inc., the vulnerability does not affect VLC or MPlayer because both media players use LIVE555 only to implement an RTSP client.

“This vulnerability does not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP client”, Finlayson said. “VLC has a built-in RTSP server, but uses a separate implementation, not LIVE555”.
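
The overflow described above comes from repeated ‘Accept:’ or ‘x-Sessioncookie’ headers being copied into a fixed-size stack buffer. The following added example (not LIVE555 code and not the vendor's fix) shows one defensive way to write such a header lookup in C. The function name `find_header_once`, the result codes and the reject-on-duplicate policy are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical result codes for this example. */
enum { HDR_OK = 0, HDR_MISSING = 1, HDR_DUPLICATE = -1, HDR_TOO_LONG = -2 };

/* Copy the value of header `name` (e.g. "Accept:") from req[0..len) into
 * out[0..cap). A repeated header or an oversized value is rejected instead
 * of being appended or truncated, so `out` is never written past `cap`. */
int find_header_once(const char *req, size_t len, const char *name,
                     char *out, size_t cap)
{
    size_t nlen = strlen(name), i = 0;
    int found = 0;
    if (cap == 0) return HDR_TOO_LONG;
    out[0] = '\0';
    while (i < len) {                       /* i is at the start of a line */
        size_t eol = i;
        while (eol < len && req[eol] != '\r' && req[eol] != '\n') eol++;
        if (eol == i) break;                /* blank line: end of headers */
        if (eol - i >= nlen && strncasecmp(req + i, name, nlen) == 0) {
            size_t v = i + nlen;
            if (found) { out[0] = '\0'; return HDR_DUPLICATE; }
            while (v < eol && (req[v] == ' ' || req[v] == '\t')) v++;
            if (eol - v >= cap) return HDR_TOO_LONG;  /* no room for NUL */
            memcpy(out, req + v, eol - v);
            out[eol - v] = '\0';
            found = 1;
        }
        i = eol;                            /* step over CRLF or bare LF */
        if (i < len && req[i] == '\r') i++;
        if (i < len && req[i] == '\n') i++;
    }
    return found ? HDR_OK : HDR_MISSING;
}

int main(void)
{
    /* Constructed sample request, not captured traffic. */
    const char *req = "GET /stream HTTP/1.0\r\n"
                      "x-Sessioncookie: abc123\r\n"
                      "Accept: application/x-rtsp-tunnelled\r\n"
                      "Accept: application/x-rtsp-tunnelled\r\n\r\n";
    char value[64];
    int rc = find_header_once(req, strlen(req), "Accept:", value, sizeof value);
    printf("Accept lookup -> %d\n", rc);
    return rc == HDR_DUPLICATE ? 0 : 1;
}
```

A caller should treat `HDR_DUPLICATE` and `HDR_TOO_LONG` as grounds to drop the request before any further parsing.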