live555x.txt

live555x.txt: Posted Nov 26, 2007; Authored by Luigi Auriemma | Site aluigi.org; LIVE555 Media Server versions 2007.11.01 and below suffer from a denial of service vulnerability due to a memory access violation.; tags | advisory, denial of service; SHA-256 | 7fc5868caaff49e311fec4dcc9be9ebf3b1c85576e691e467bd7101da6de8f37; Download | Favorite | View

live555x.txt


#######################################################################

                             Luigi Auriemma

Application:  LIVE555 Media Server
              http://www.live555.com/mediaServer/
Versions:     <= 2007.11.01
Platforms:    *nix, Windows, Mac and others
Bug:          crash caused by access to unallocated memory
Exploitation: remote, versus server
Date:         18 Nov 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


LIVE555 Media Server is an open source RTSP server application released
under LGPL.


#######################################################################

======
2) Bug
======


The function which handles the incoming queries from the clients is
affected by a vulnerability which allows an attacker to crash the
server remotely using the smallest RTSP query possible to use.

This problem is caused by the absence of an instruction for checking if
the amount of client's data (reqStrSize) is longer or equal than 8
bytes because the function makes use of unsigned numbers, so "7 - 8" is
not -1 but 4294967295, resulting in a crash caused by the reaching of
the end of the allocated memory.

>From liveMedia/RTSPCommon:

Boolean parseRTSPRequestString(char const* reqStr,
                   unsigned reqStrSize,
  ...
  unsigned i;
  for (i = 0; i < resultCmdNameMaxSize-1 && i < reqStrSize; ++i) {

    ...

  // Skip over the prefix of any "rtsp://" or "rtsp:/" URL that follows:
  unsigned j = i+1;
  while (j < reqStrSize && (reqStr[j] == ' ' || reqStr[j] == '\t')) ++j;
  for (j = i+1; j < reqStrSize-8; ++j) {
    ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/live555x.zip


#######################################################################

======
4) Fix
======


Version 2007.11.18


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

live555x.txt

live555x.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

live555x.txt

Share This

live555x.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems