Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps A-M :: bx1216.htm

libnemesi 0.6.4-rc1 multiple vulnerabilities



Multiple vulnerabilities in libnemesi 0.6.4-rc1
Multiple vulnerabilities in libnemesi 0.6.4-rc1




#######################################################################

                             Luigi Auriemma

Application:  libnemesi
http://live.polito.it/documentation/libnemesi 
Versions:     <= 0.6.4-rc1
Platforms:    *nix
Bugs:         A] buffer-overflow in handle_rtsp_pkt
              B] buffer-overflow in the send_*_request functions
              C] buffer-overflow in get_transport_str_*
Exploitation: remote
Date:         27 Dec 2007
Author:       Luigi Auriemma
e-mail: aluigi@autistici.org 
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

==============1) Introduction
==============

libnemesi is an open source client library for implementing the
RTSP/RTP streaming playback easily.
The library has been written by the italian team of the Politecnico di
Torino University for the LScube project.


#######################################################################

======2) Bugs
======
-------------------------------------
A] buffer-overflow in handle_rtsp_pkt
-------------------------------------

handle_rtsp_pkt is the function used for checking the server's reply,
it uses a buffer of 32 bytes called ver for containing the version sent
by the server (like HTTP/1.0) using a sscanf without size limitations.

>From rtsp/rtsp_handlers.c:

int handle_rtsp_pkt(rtsp_thread * rtsp_th)
{
    char ver[32];
    int opcode;
    ...
    if (sscanf((rtsp_th->in_buffer).data, "%s ", ver) < 1) {
    ...

The same bug exists also in the check_status function located in
rtsp_internals.c but naturally can't be reached since handle_rtsp_pkt
is called (and exploited) for first.


--------------------------------------------------
B] buffer-overflow in the send_*_request functions
--------------------------------------------------

The send_*_request functions available in rtsp/rtsp_send.c
(send_pause_request, send_play_request, send_setup_request and
send_teardown_request) are vulnerable to various buffer-overflow
vulnerabilities caused by the usage of buffers initialized using 256
bytes plus the size of one parameter without considering all the others
received by the server like, for example, Content-Base.


-----------------------------------------
C] buffer-overflow in get_transport_str_*
-----------------------------------------

Another buffer-overflow vulnerability is available in the
get_transport_str_sctp, get_transport_str_tcp and get_transport_str_udp
functions in which is used strncpy in a wrong way.
In fact the size parameter is not referred to the size of the
destination buffer but to the source one.

>From rtsp/rtsp_transport.c:

int get_transport_str_sctp(rtp_session * rtp_sess, char * tkna, char * tknb) {
    char str[256];
    uint16_t stream;
    do {
        if ((tkna = strstrcase(tknb, "server_streams"))) {
            for (; (*tkna == ' ') || (*tkna != '='); tkna++);
            for (tknb = tkna++; (*tknb == ' ') || (*tknb != '-');
                 tknb++);

            strncpy(str, tkna, tknb - tkna);
            ...


#######################################################################

==========3) The Code
==========

http://aluigi.org/poc/libnemesibof.zip 

  nc -l -p 554 -v -v -n < bof1.txt
  nc -l -p 554 -v -v -n < bof2.txt
  nc -l -p 554 -v -v -n < bof3.txt


#######################################################################

=====4) Fix
=====

Version 0.6.4-rc2


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH