lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20071227182646.64ed6091.aluigi@autistici.org>
Date: Thu, 27 Dec 2007 18:26:46 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: Multiple vulnerabilities in libnemesi 0.6.4-rc1


#######################################################################

                             Luigi Auriemma

Application:  libnemesi
              http://live.polito.it/documentation/libnemesi
Versions:     <= 0.6.4-rc1
Platforms:    *nix
Bugs:         A] buffer-overflow in handle_rtsp_pkt
              B] buffer-overflow in the send_*_request functions
              C] buffer-overflow in get_transport_str_*
Exploitation: remote
Date:         27 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


libnemesi is an open source client library for implementing the
RTSP/RTP streaming playback easily.
The library has been written by the italian team of the Politecnico di
Torino University for the LScube project.


#######################################################################

=======
2) Bugs
=======

-------------------------------------
A] buffer-overflow in handle_rtsp_pkt
-------------------------------------

handle_rtsp_pkt is the function used for checking the server's reply,
it uses a buffer of 32 bytes called ver for containing the version sent
by the server (like HTTP/1.0) using a sscanf without size limitations.

>>From rtsp/rtsp_handlers.c:

int handle_rtsp_pkt(rtsp_thread * rtsp_th)
{
    char ver[32];
    int opcode;
    ...
    if (sscanf((rtsp_th->in_buffer).data, "%s ", ver) < 1) {
    ...

The same bug exists also in the check_status function located in
rtsp_internals.c but naturally can't be reached since handle_rtsp_pkt
is called (and exploited) for first.


--------------------------------------------------
B] buffer-overflow in the send_*_request functions
--------------------------------------------------

The send_*_request functions available in rtsp/rtsp_send.c
(send_pause_request, send_play_request, send_setup_request and
send_teardown_request) are vulnerable to various buffer-overflow
vulnerabilities caused by the usage of buffers initialized using 256
bytes plus the size of one parameter without considering all the others
received by the server like, for example, Content-Base.


-----------------------------------------
C] buffer-overflow in get_transport_str_*
-----------------------------------------

Another buffer-overflow vulnerability is available in the
get_transport_str_sctp, get_transport_str_tcp and get_transport_str_udp
functions in which is used strncpy in a wrong way.
In fact the size parameter is not referred to the size of the
destination buffer but to the source one.

>>From rtsp/rtsp_transport.c:

int get_transport_str_sctp(rtp_session * rtp_sess, char * tkna, char * tknb) {
    char str[256];
    uint16_t stream;
    do {
        if ((tkna = strstrcase(tknb, "server_streams"))) {
            for (; (*tkna == ' ') || (*tkna != '='); tkna++);
            for (tknb = tkna++; (*tknb == ' ') || (*tknb != '-');
                 tknb++);

            strncpy(str, tkna, tknb - tkna);
            ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/libnemesibof.zip

  nc -l -p 554 -v -v -n < bof1.txt
  nc -l -p 554 -v -v -n < bof2.txt
  nc -l -p 554 -v -v -n < bof3.txt


#######################################################################

======
4) Fix
======


Version 0.6.4-rc2


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ