Security researchers have discovered a critical vulnerability in the LIVE555 media streaming library, which is used by popular players such as VLC and MPlayer.
Lilith Wyatt, a security researcher at Cisco Talos, discovered the remote code execution vulnerability (CVE-2018-4013) in the Live Networks LIVE555 streaming media RTSPServer.
LIVE555 Streaming Media is a set of open source C++ libraries developed by Live Networks Inc. It is used for multimedia streaming and supports open standard protocols such as RTP/RTCP and RTSP.
It can also manage video RTP payload formats such as H.264, H.265, MPEG, VP8, and DV, and audio RTP payload formats such as MPEG, AAC, AMR, AC-3 and Vorbis.
Researchers discovered an exploitable code execution vulnerability in the HTTP packet-parsing functionality of the LIVE555 RTSP server library.
“A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability,” Cisco Talos said in its advisory.
An attacker can exploit this vulnerability by creating and sending a packet containing multiple “Accept:” or “x-sessioncookie” strings which could cause a stack buffer overflow in the function “lookForHeader.”
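For defenders auditing similar parsers, the following added example (not LIVE555's code and not taken from the advisory) shows a header lookup in which every occurrence of a header is length-checked against the destination buffer before it is copied. The function name `lookup_header`, its return convention and the sample requests are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not LIVE555's lookForHeader.
 * Copies the value of header `name` (including its colon) into `out`.
 * Returns the number of matching header lines (0 = absent), or -1 if any
 * value would not fit in `out`. A repeated header overwrites from out[0],
 * so repeats can never advance the write position past the buffer. */
int lookup_header(const char *name, const char *req, size_t req_len,
                  char *out, size_t out_size)
{
    size_t name_len = strlen(name), pos = 0;
    int found = 0;

    if (out_size == 0) return -1;
    out[0] = '\0';
    while (pos < req_len) {
        size_t end = pos;                       /* find end of this line */
        while (end < req_len && req[end] != '\r' && req[end] != '\n') end++;
        if (end - pos >= name_len &&
            strncasecmp(req + pos, name, name_len) == 0) {
            size_t v = pos + name_len;          /* skip leading whitespace */
            while (v < end && (req[v] == ' ' || req[v] == '\t')) v++;
            size_t vlen = end - v;
            if (vlen >= out_size) {             /* no room for value + NUL */
                out[0] = '\0';
                return -1;                      /* reject, never truncate silently */
            }
            memcpy(out, req + v, vlen);
            out[vlen] = '\0';
            found++;
        }
        pos = end;                              /* step over CR/LF */
        while (pos < req_len && (req[pos] == '\r' || req[pos] == '\n')) pos++;
    }
    return found;
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    const char dup[] = "GET / HTTP/1.0\r\nAccept: a\r\nAccept: bb\r\n\r\n";
    const char big[] = "GET / HTTP/1.0\r\nx-sessioncookie: 0123456789abcdef0123\r\n\r\n";
    char buf[16];
    printf("%d\n", lookup_header("Accept:", dup, sizeof dup - 1, buf, sizeof buf));
    printf("%d\n", lookup_header("x-sessioncookie:", big, sizeof big - 1, buf, sizeof buf));
    return 0;
}
```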
The vulnerability affects Live Networks LIVE555 Media Server version 0.92, and it is believed that earlier versions may also be affected.
The company has released a patch, and users are advised to update their products immediately.