Hey, I want to report a DoS vulnerability I have found in the live555 media server 2007.11.01. The following are the details:
The function which handles the incoming queries from the clients is affected by a vulnerability which can allow an attacker to crash the server remotely using the smallest query possible to use.

This problem is caused by the absence of an instruction for checking if the client data is longer than or equal to 8 bytes since the function makes use of unsigned numbers, so "7 - 8" is not -1 but 4294967295.

From liveMedia/RTSPCommon:

    Boolean parseRTSPRequestString(char const* reqStr,
                                   unsigned reqStrSize,
    ...
      unsigned i;
      for (i = 0; i < resultCmdNameMaxSize-1 && i < reqStrSize; ++i) {
    ...
      // Skip over the prefix of any "rtsp://" or "rtsp:/" URL that follows:
      unsigned j = i+1;
      while (j < reqStrSize && (reqStr[j] == ' ' || reqStr[j] == '\t')) ++j;
      for (j = i+1; j < reqStrSize-8; ++j) {
    ...

Testing the bug is trivial so no PoC is needed, just send "x x" (without ") followed by 2 CR/LF, for a total of 7 bytes.

BYEZ

---
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org
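The unsigned wraparound described in the report, next to a guarded version of the same scan, as an added example that is not part of the original message and is not live555's code. The function names, the simplified "rtsp:/" match, and the sample requests are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Loop bound as the quoted code computes it. The subtraction is done in
 * unsigned arithmetic, so a size below 8 wraps around instead of going
 * negative and the loop condition j < bound stays true far past the buffer. */
static unsigned bound_as_written(unsigned reqStrSize) {
    return reqStrSize - 8;
}

/* Hypothetical hardened scan: rejects requests shorter than 8 bytes before
 * the subtraction is evaluated, then keeps the page's bound unchanged.
 * Returns the offset just past "rtsp:/" or -1 when no prefix is present.
 * The match is simplified (case-sensitive memcmp) for this example. */
static long find_rtsp_prefix(const char *reqStr, unsigned reqStrSize,
                             unsigned start) {
    if (reqStrSize < 8)
        return -1;                       /* too short: never enter the loop */
    for (unsigned j = start; j < reqStrSize - 8; ++j) {
        /* j < size - 8 guarantees j + 6 <= size, so memcmp stays in bounds */
        if (memcmp(reqStr + j, "rtsp:/", 6) == 0)
            return (long)j + 6;
    }
    return -1;
}

int main(void) {
    /* Constructed inputs: the 7-byte request from the report and a
     * well-formed request line with a made-up URL. */
    const char tiny[] = "x x\r\n\r\n";
    const char good[] = "DESCRIBE rtsp://host/stream RTSP/1.0\r\n\r\n";

    printf("size 7, bound as written: %u\n", bound_as_written(7));
    printf("size 7, guarded scan:     %ld\n",
           find_rtsp_prefix(tiny, (unsigned)strlen(tiny), 2));
    printf("valid request, guarded:   %ld\n",
           find_rtsp_prefix(good, (unsigned)strlen(good), 9));
    return 0;
}
```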