[NEWS] Live555 RTSP Server Denial of Service
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 19 Nov 2007 17:13:31 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Live555 RTSP Server Denial of Service
------------------------------------------------------------------------
SUMMARY
<http://www.live555.com/mediaServer/> LIVE555 Media Server is an open
source <http://en.wikipedia.org/wiki/Real_Time_Streaming_Protocol> Real
Time Streaming Protocol (RTSP) server application released under LGPL.
It's possible to crash Live555 server by sending specially crafted RTSP
query.
DETAILS
Vulnerable Systems:
* LIVE555 Media Server version 2007.11.01 and prior
Immune Systems:
* LIVE555 Media Server version 2007.11.18
The function which handles the incoming queries from the clients is
affected by a vulnerability which can allow an attacker to crash the
server remotely using the smallest RTSP query possible to use.
This problem is caused by the absence of an instruction for checking if
the amount of client's data (reqStrSize) is longer or equal than 8 bytes
because the function makes use of unsigned numbers, so "7 - 8" is not -1
but 4294967295, resulting in a crash caused by the reaching of the end of
the allocated memory.
From liveMedia/RTSPCommon:Boolean parseRTSPRequestString(char const* reqStr,
unsigned reqStrSize,
...
unsigned i;
for (i = 0; i < resultCmdNameMaxSize-1 && i < reqStrSize; ++i) {
...
// Skip over the prefix of any "rtsp://"; or "rtsp:/" URL that follows:
unsigned j = i+1;
while (j < reqStrSize && (reqStr[j] == ' ' || reqStr[j] == '\t')) ++j;
for (j = i+1; j < reqStrSize-8; ++j) {
...
Proof of Concept:
<http://aluigi.org/poc/live555x.zip> http://aluigi.org/poc/live555x.zip
Vendor Status:
Fixed in version released 2007.11.18.
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/live555x-adv.txt>
http://aluigi.altervista.org/adv/live555x-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NEWS] OmniPCX Enterprise VoIP Phone Audio Stream Rerouting Vulnerability
- Next by Date: [UNIX] Multiple Apple Mac OS X AppleTalk
- Previous by thread: [NEWS] OmniPCX Enterprise VoIP Phone Audio Stream Rerouting Vulnerability
- Next by thread: [UNIX] Multiple Apple Mac OS X AppleTalk
- Index(es):
Relevant Pages
|
|
