Search This Blog

Monday, November 19, 2007

[NEWS] Live555 RTSP Server Denial of Service

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Live555 RTSP Server Denial of Service
------------------------------------------------------------------------


SUMMARY

<http://www.live555.com/mediaServer/> LIVE555 Media Server is an open
source <http://en.wikipedia.org/wiki/Real_Time_Streaming_Protocol> Real
Time Streaming Protocol (RTSP) server application released under LGPL.

It's possible to crash Live555 server by sending specially crafted RTSP
query.

DETAILS

Vulnerable Systems:
* LIVE555 Media Server version 2007.11.01 and prior

Immune Systems:
* LIVE555 Media Server version 2007.11.18

The function which handles the incoming queries from the clients is
affected by a vulnerability which can allow an attacker to crash the
server remotely using the smallest RTSP query possible to use.

This problem is caused by the absence of an instruction for checking if
the amount of client's data (reqStrSize) is longer or equal than 8 bytes
because the function makes use of unsigned numbers, so "7 - 8" is not -1
but 4294967295, resulting in a crash caused by the reaching of the end of
the allocated memory.

From liveMedia/RTSPCommon:
Boolean parseRTSPRequestString(char const* reqStr,
unsigned reqStrSize,
...
unsigned i;
for (i = 0; i < resultCmdNameMaxSize-1 && i < reqStrSize; ++i) {

...

// Skip over the prefix of any "rtsp://" or "rtsp:/" URL that follows:
unsigned j = i+1;
while (j < reqStrSize && (reqStr[j] == ' ' || reqStr[j] == '\t')) ++j;
for (j = i+1; j < reqStrSize-8; ++j) {
...


Proof of Concept:
<http://aluigi.org/poc/live555x.zip> http://aluigi.org/poc/live555x.zip

Vendor Status:
Fixed in version released 2007.11.18.


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/live555x-adv.txt>

http://aluigi.altervista.org/adv/live555x-adv.txt

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)