iDEFENSE Security Advisory 02.23.04: Darwin Streaming Server Remote Denial of Service Vulnerability

From: iDefense Labs (labs_at_iDefense.com)
Date: 02/24/04

    Date: Tue, 24 Feb 2004 02:03:57 -0500
    To: "full-disclosure@lists.netsys.com" <'full-disclosure@lists.netsys.com'>, <database@net-security.org>, <bugs@securitytracker.com>, <bugtraq@securityfocus.com>, "news@securiteam.com" <'news@securiteam.com'>
    
    

    iDEFENSE Security Advisory 02.23.04

    Darwin Streaming Server Remote Denial of Service Vulnerability
    http://www.idefense.com/application/poi/display?id=75
    February 23, 2004

    I. BACKGROUND

    Darwin Streaming Server is server technology allowing for the streaming
    of QuickTime data to clients across the Internet using the industry
    standard RTP and RTSP protocols.

    II. DESCRIPTION

    Exploitation of a flaw in Apple Computer Inc's Darwin Streaming Server
    allows unauthenticated remote attackers to prevent legitimate usage.

    The vulnerability specifically occurs upon parsing of DESCRIBE requests
    with specially crafted User-Agent fields. Making a request with a
    User-Agent field containing over 255 characters causes an assert error
    in CommonUtilitiesLib/StringFormatter.h line 97:

    virtual void BufferIsFull(char* /*inBuffer*/, UInt32/*inBufferLen*/)
    {
        Assert(0);
    }

    Successful exploitation disrupts further content streaming
    capabilities.

    III. ANALYSIS

    Any remote unauthenticated attacker can exploit the vulnerability
    thereby preventing legitimate users from accessing streamed content.

    iDEFENSE has obtained proof of concept exploit code for this
    vulnerability.

    IV. DETECTION

    iDEFENSE has confirmed that the latest version of Darwin Streaming
    Server, version 4.1.3, is vulnerable.

    V. VENDOR RESPONSE

    This is fixed in Security Update 2004-02-23, available for Mac OS X
    10.3.2 Server and Mac OS X 10.2.8 Server. The update and further
    information are available from Apple's Support site at:
    http://www.apple.com/support/

    VI. CVE INFORMATION

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    CAN-2004-0169 to this issue. This is a candidate for inclusion in the
    CVE list (http://cve.mitre.org), which standardizes names for security
    problems.

    VII. DISCLOSURE TIMELINE

    December 8, 2003 Exploit acquired by iDEFENSE
    January 29, 2004 iDEFENSE clients notified
    January 29, 2004 Initial vendor notification
    January 29, 2004 Vendor response received
    February 23, 2004 Coordinated public disclosure
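
The condition described in section II can be checked for in captured RTSP traffic or proxy logs. The following detection sketch is an added example, not code from iDEFENSE or Apple; the function names, the sample URL and the sample requests are constructed for illustration, and header parsing assumes RTSP's HTTP-style syntax (case-insensitive names, folded continuation lines).

```python
import re

MAX_UA = 255  # length threshold taken from the advisory text
REQUEST_LINE = re.compile(r"^([A-Z_]+) (\S+) RTSP/(\d\.\d)$")

def parse_rtsp_request(raw: bytes):
    """Return (method, uri, headers) or None if raw is not an RTSP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:  # folded continuation line
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()  # header names are case-insensitive
            headers[last] = value.strip()
    return m.group(1), m.group(2), headers

def oversized_user_agent(raw: bytes, limit: int = MAX_UA):
    """Flag DESCRIBE requests whose User-Agent value exceeds the limit."""
    parsed = parse_rtsp_request(raw)
    if parsed is None:
        return None
    method, uri, headers = parsed
    ua_len = len(headers.get("user-agent", ""))
    if method == "DESCRIBE" and ua_len > limit:
        return {"method": method, "uri": uri, "ua_len": ua_len}
    return None

def _req(method: str, ua: str) -> bytes:
    # Constructed sample request; the host name is a placeholder.
    return (f"{method} rtsp://media.example.test/sample.mov RTSP/1.0\r\n"
            f"CSeq: 1\r\nuser-agent: {ua}\r\n\r\n").encode("latin-1")

SAMPLES = {  # constructed inputs, not captured traffic
    "normal": _req("DESCRIBE", "QTS (qtver=6.5)"),
    "boundary": _req("DESCRIBE", "x" * 255),
    "oversized": _req("DESCRIBE", "x" * 256),
    "folded": _req("DESCRIBE", "x" * 200 + "\r\n " + "x" * 100),
    "options": _req("OPTIONS", "x" * 300),
}

def scan(samples=SAMPLES):
    return {name: oversized_user_agent(raw) for name, raw in samples.items()}
```

Only DESCRIBE is flagged because that is the request type the advisory names; a deployment that wants a broader rule can drop the method check.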

