#######################################################################
Luigi Auriemma
Application: libnemesi
http://live.polito.it/documentation/libnemesi
Versions: <= 0.6.4-rc1
Platforms: *nix
Bugs: A] buffer-overflow in handle_rtsp_pkt
B] buffer-overflow in the send_*_request functions
C] buffer-overflow in get_transport_str_*
Exploitation: remote
Date: 27 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
libnemesi is an open source client library for implementing the
RTSP/RTP streaming playback easily.
The library has been written by the italian team of the Politecnico di
Torino University for the LScube project.
#######################################################################
=======
2) Bugs
=======
-------------------------------------
A] buffer-overflow in handle_rtsp_pkt
-------------------------------------
handle_rtsp_pkt is the function used for checking the server's reply,
it uses a buffer of 32 bytes called ver for containing the version sent
by the server (like HTTP/1.0) using a sscanf without size limitations.
From rtsp/rtsp_handlers.c:
int handle_rtsp_pkt(rtsp_thread * rtsp_th)
{
char ver[32];
int opcode;
...
if (sscanf((rtsp_th->in_buffer).data, "%s ", ver) < 1) {
...
The same bug exists also in the check_status function located in
rtsp_internals.c but naturally can't be reached since handle_rtsp_pkt
is called (and exploited) for first.
--------------------------------------------------
B] buffer-overflow in the send_*_request functions
--------------------------------------------------
The send_*_request functions available in rtsp/rtsp_send.c
(send_pause_request, send_play_request, send_setup_request and
send_teardown_request) are vulnerable to various buffer-overflow
vulnerabilities caused by the usage of buffers initialized using 256
bytes plus the size of one parameter without considering all the others
received by the server like, for example, Content-Base.
-----------------------------------------
C] buffer-overflow in get_transport_str_*
-----------------------------------------
Another buffer-overflow vulnerability is available in the
get_transport_str_sctp, get_transport_str_tcp and get_transport_str_udp
functions in which is used strncpy in a wrong way.
In fact the size parameter is not referred to the size of the
destination buffer but to the source one.
From rtsp/rtsp_transport.c:
int get_transport_str_sctp(rtp_session * rtp_sess, char * tkna, char * tknb) {
char str[256];
uint16_t stream;
do {
if ((tkna = strstrcase(tknb, "server_streams"))) {
for (; (*tkna == ' ') || (*tkna != '='); tkna++);
for (tknb = tkna++; (*tknb == ' ') || (*tknb != '-');
tknb++);
strncpy(str, tkna, tknb - tkna);
...
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/libnemesibof.zip
nc -l -p 554 -v -v -n < bof1.txt
nc -l -p 554 -v -v -n < bof2.txt
nc -l -p 554 -v -v -n < bof3.txt
#######################################################################
======
4) Fix
======
Version 0.6.4-rc2
#######################################################################
---
Luigi Auriemma
http://aluigi.org
Luigi Auriemma
Application: libnemesi
http://live.polito.it/documentation/libnemesi
Versions: <= 0.6.4-rc1
Platforms: *nix
Bugs: A] buffer-overflow in handle_rtsp_pkt
B] buffer-overflow in the send_*_request functions
C] buffer-overflow in get_transport_str_*
Exploitation: remote
Date: 27 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
libnemesi is an open source client library for implementing the
RTSP/RTP streaming playback easily.
The library has been written by the italian team of the Politecnico di
Torino University for the LScube project.
#######################################################################
=======
2) Bugs
=======
-------------------------------------
A] buffer-overflow in handle_rtsp_pkt
-------------------------------------
handle_rtsp_pkt is the function used for checking the server's reply,
it uses a buffer of 32 bytes called ver for containing the version sent
by the server (like HTTP/1.0) using a sscanf without size limitations.
From rtsp/rtsp_handlers.c:
int handle_rtsp_pkt(rtsp_thread * rtsp_th)
{
char ver[32];
int opcode;
...
if (sscanf((rtsp_th->in_buffer).data, "%s ", ver) < 1) {
...
The same bug exists also in the check_status function located in
rtsp_internals.c but naturally can't be reached since handle_rtsp_pkt
is called (and exploited) for first.
--------------------------------------------------
B] buffer-overflow in the send_*_request functions
--------------------------------------------------
The send_*_request functions available in rtsp/rtsp_send.c
(send_pause_request, send_play_request, send_setup_request and
send_teardown_request) are vulnerable to various buffer-overflow
vulnerabilities caused by the usage of buffers initialized using 256
bytes plus the size of one parameter without considering all the others
received by the server like, for example, Content-Base.
-----------------------------------------
C] buffer-overflow in get_transport_str_*
-----------------------------------------
Another buffer-overflow vulnerability is available in the
get_transport_str_sctp, get_transport_str_tcp and get_transport_str_udp
functions in which is used strncpy in a wrong way.
In fact the size parameter is not referred to the size of the
destination buffer but to the source one.
From rtsp/rtsp_transport.c:
int get_transport_str_sctp(rtp_session * rtp_sess, char * tkna, char * tknb) {
char str[256];
uint16_t stream;
do {
if ((tkna = strstrcase(tknb, "server_streams"))) {
for (; (*tkna == ' ') || (*tkna != '='); tkna++);
for (tknb = tkna++; (*tknb == ' ') || (*tknb != '-');
tknb++);
strncpy(str, tkna, tknb - tkna);
...
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/libnemesibof.zip
nc -l -p 554 -v -v -n < bof1.txt
nc -l -p 554 -v -v -n < bof2.txt
nc -l -p 554 -v -v -n < bof3.txt
#######################################################################
======
4) Fix
======
Version 0.6.4-rc2
#######################################################################
---
Luigi Auriemma
http://aluigi.org