Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18753
HistoryDec 28, 2007 - 12:00 a.m.

Multiple vulnerabilities in libnemesi 0.6.4-rc1

2007-12-2800:00:00
vulners.com
7
JSON

#######################################################################

                         Luigi Auriemma

Application: libnemesi
http://live.polito.it/documentation/libnemesi
Versions: <= 0.6.4-rc1
Platforms: nix
Bugs: A] buffer-overflow in handle_rtsp_pkt
B] buffer-overflow in the send_request functions
C] buffer-overflow in get_transport_str*
Exploitation: remote
Date: 27 Dec 2007
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

libnemesi is an open source client library for implementing the
RTSP/RTP streaming playback easily.
The library has been written by the italian team of the Politecnico di
Torino University for the LScube project.

#######################################################################

=======
2) Bugs

A] buffer-overflow in handle_rtsp_pkt

handle_rtsp_pkt is the function used for checking the server's reply,
it uses a buffer of 32 bytes called ver for containing the version sent
by the server (like HTTP/1.0) using a sscanf without size limitations.

From rtsp/rtsp_handlers.c:

int handle_rtsp_pkt(rtsp_thread * rtsp_th)
{
char ver[32];
int opcode;

if (sscanf((rtsp_th->in_buffer).data, "%s ", ver) < 1) {

The same bug exists also in the check_status function located in
rtsp_internals.c but naturally can't be reached since handle_rtsp_pkt
is called (and exploited) for first.

B] buffer-overflow in the send_*_request functions

The send_*_request functions available in rtsp/rtsp_send.c
(send_pause_request, send_play_request, send_setup_request and
send_teardown_request) are vulnerable to various buffer-overflow
vulnerabilities caused by the usage of buffers initialized using 256
bytes plus the size of one parameter without considering all the others
received by the server like, for example, Content-Base.

C] buffer-overflow in get_transport_str_*

Another buffer-overflow vulnerability is available in the
get_transport_str_sctp, get_transport_str_tcp and get_transport_str_udp
functions in which is used strncpy in a wrong way.
In fact the size parameter is not referred to the size of the
destination buffer but to the source one.

From rtsp/rtsp_transport.c:

int get_transport_str_sctp(rtp_session * rtp_sess, char * tkna, char * tknb) {
char str[256];
uint16_t stream;
do {
if ((tkna = strstrcase(tknb, "server_streams"))) {
for (; (*tkna == ' ') || (*tkna != '='); tkna++);
for (tknb = tkna++; (*tknb == ' ') || (*tknb != '-');
tknb++);

        strncpy&#40;str, tkna, tknb - tkna&#41;;
        ...

#######################################################################

===========
3) The Code

http://aluigi.org/poc/libnemesibof.zip

nc -l -p 554 -v -v -n < bof1.txt
nc -l -p 554 -v -v -n < bof2.txt
nc -l -p 554 -v -v -n < bof3.txt

#######################################################################

======
4) Fix

Version 0.6.4-rc2

#######################################################################

Luigi Auriemma
http://aluigi.org

JSON