####################################################################### Luigi Auriemma Application: libnemesi http://live.polito.it/documentation/libnemesi Versions: <= 0.6.4-rc1 Platforms: *nix Bugs: A] buffer-overflow in handle_rtsp_pkt B] buffer-overflow in the send_*_request functions C] buffer-overflow in get_transport_str_* Exploitation: remote Date: 27 Dec 2007 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== libnemesi is an open source client library for implementing the RTSP/RTP streaming playback easily. The library has been written by the italian team of the Politecnico di Torino University for the LScube project. ####################################################################### ======= 2) Bugs ======= ------------------------------------- A] buffer-overflow in handle_rtsp_pkt ------------------------------------- handle_rtsp_pkt is the function used for checking the server's reply, it uses a buffer of 32 bytes called ver for containing the version sent by the server (like HTTP/1.0) using a sscanf without size limitations. >From rtsp/rtsp_handlers.c: int handle_rtsp_pkt(rtsp_thread * rtsp_th) { char ver[32]; int opcode; ... if (sscanf((rtsp_th->in_buffer).data, "%s ", ver) < 1) { ... The same bug exists also in the check_status function located in rtsp_internals.c but naturally can't be reached since handle_rtsp_pkt is called (and exploited) for first. -------------------------------------------------- B] buffer-overflow in the send_*_request functions -------------------------------------------------- The send_*_request functions available in rtsp/rtsp_send.c (send_pause_request, send_play_request, send_setup_request and send_teardown_request) are vulnerable to various buffer-overflow vulnerabilities caused by the usage of buffers initialized using 256 bytes plus the size of one parameter without considering all the others received by the server like, for example, Content-Base. ----------------------------------------- C] buffer-overflow in get_transport_str_* ----------------------------------------- Another buffer-overflow vulnerability is available in the get_transport_str_sctp, get_transport_str_tcp and get_transport_str_udp functions in which is used strncpy in a wrong way. In fact the size parameter is not referred to the size of the destination buffer but to the source one. >From rtsp/rtsp_transport.c: int get_transport_str_sctp(rtp_session * rtp_sess, char * tkna, char * tknb) { char str[256]; uint16_t stream; do { if ((tkna = strstrcase(tknb, "server_streams"))) { for (; (*tkna == ' ') || (*tkna != '='); tkna++); for (tknb = tkna++; (*tknb == ' ') || (*tknb != '-'); tknb++); strncpy(str, tkna, tknb - tkna); ... ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/libnemesibof.zip nc -l -p 554 -v -v -n < bof1.txt nc -l -p 554 -v -v -n < bof2.txt nc -l -p 554 -v -v -n < bof3.txt ####################################################################### ====== 4) Fix ====== Version 0.6.4-rc2 ####################################################################### --- Luigi Auriemma http://aluigi.org