[Live-devel] Denial of Service in media server

Luigi Auriemma aluigi at autistici.org
Wed Nov 14 12:01:37 PST 2007


Hey,

I want to report a DoS vulnerability I have found in the live555 media
server 2007.11.01.
The following are the details:

The function which handles the incoming queries from the clients is
affected by a vulnerability which can allow an attacker to crash the
server remotely using the smallest query possible to use.

This problem is caused by the absence of an instruction for checking if
the client data is longer than or equal to 8 bytes, since the function
makes use of unsigned numbers, so "7 - 8" is not -1 but 4294967295.

From liveMedia/RTSPCommon:

Boolean parseRTSPRequestString(char const* reqStr,
			       unsigned reqStrSize,
  ...
  unsigned i;
  for (i = 0; i < resultCmdNameMaxSize-1 && i < reqStrSize; ++i) {

    ...

  // Skip over the prefix of any "rtsp://" or "rtsp:/" URL that follows:
  unsigned j = i+1;
  while (j < reqStrSize && (reqStr[j] == ' ' || reqStr[j] == '\t')) ++j;
  for (j = i+1; j < reqStrSize-8; ++j) {
    ...

Testing the bug is trivial so no PoC is needed, just send "x x" (without
") followed by 2 CR/LF, for a total of 7 bytes.


BYEZ


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org
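
Added example, not part of the original post and not live555's own code: it computes how many indices the quoted bound `j < reqStrSize-8` admits for a 7-byte request, and shows a scan that rejects short input before the subtraction. The function names and the simplified case-sensitive "rtsp:/" match are assumptions standing in for the elided loop body; the request strings are constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Number of indices the loop "for (j = start; j < size-8; ++j)" would
 * visit, using the same unsigned arithmetic but never touching memory. */
unsigned iterations_as_written(unsigned start, unsigned size)
{
    unsigned bound = size - 8;   /* wraps around when size < 8 */
    return bound > start ? bound - start : 0;
}

/* Guarded scan (hypothetical helper): returns the index at which
 * "rtsp:/" begins at or after start, or -1 if it is not found. */
long find_rtsp_prefix_checked(const char *req, unsigned size, unsigned start)
{
    if (size < 8)
        return -1;               /* too short: never compute size - 8 */
    for (unsigned j = start; j < size - 8; ++j) {
        /* j + 5 < size here, so the 6-byte compare stays in bounds */
        if (memcmp(req + j, "rtsp:/", 6) == 0)
            return (long)j;
    }
    return -1;
}

int main(void)
{
    /* Constructed inputs: the 7-byte request from the report and a
     * well-formed request line for comparison. */
    static const char tiny[] = "x x\r\n\r\n";
    static const char ok[]   = "DESCRIBE rtsp://h/a RTSP/1.0\r\n\r\n";
    unsigned tiny_len = (unsigned)(sizeof tiny - 1);
    unsigned ok_len   = (unsigned)(sizeof ok - 1);

    /* start is i+1, where i is the index of the space after the command */
    printf("as written, %u bytes: %u iterations\n",
           tiny_len, iterations_as_written(2, tiny_len));
    printf("as written, %u bytes: %u iterations\n",
           ok_len, iterations_as_written(9, ok_len));
    printf("checked, short request: %ld\n",
           find_rtsp_prefix_checked(tiny, tiny_len, 2));
    printf("checked, valid request: %ld\n",
           find_rtsp_prefix_checked(ok, ok_len, 9));
    return 0;
}
```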

