####################################################################### Luigi Auriemma Application: LIVE555 Media Server http://www.live555.com/mediaServer/ Versions: <= 2007.11.01 Platforms: *nix, Windows, Mac and others Bug: crash caused by access to unallocated memory Exploitation: remote, versus server Date: 18 Nov 2007 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== LIVE555 Media Server is an open source RTSP server application released under LGPL. ####################################################################### ====== 2) Bug ====== The function which handles the incoming queries from the clients is affected by a vulnerability which allows an attacker to crash the server remotely using the smallest RTSP query possible to use. This problem is caused by the absence of an instruction for checking if the amount of client's data (reqStrSize) is longer or equal than 8 bytes because the function makes use of unsigned numbers, so "7 - 8" is not -1 but 4294967295, resulting in a crash caused by the reaching of the end of the allocated memory. From liveMedia/RTSPCommon: Boolean parseRTSPRequestString(char const* reqStr, unsigned reqStrSize, ... unsigned i; for (i = 0; i < resultCmdNameMaxSize-1 && i < reqStrSize; ++i) { ... // Skip over the prefix of any "rtsp://" or "rtsp:/" URL that follows: unsigned j = i+1; while (j < reqStrSize && (reqStr[j] == ' ' || reqStr[j] == '\t')) ++j; for (j = i+1; j < reqStrSize-8; ++j) { ... ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/live555x.zip ####################################################################### ====== 4) Fix ====== Version 2007.11.18 #######################################################################