SecuriTeam - Apple Darwin Streaming Server DESCRIBE NULL Byte DoS

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

Darwin Streaming Server is "an open source version of Apple's QuickTime Streaming Server technology that allows you to send streaming media to clients across the Internet using the industry standard RTP and RTSP protocols".

Remote exploitation of an input validation vulnerability in Apple's Darwin Streaming Server allows attackers to cause a denial of service condition.

Credit:
The information has been provided by iDEFENSE Security Labs.
The original article can be found at: http://www.idefense.com/application/poi/display?id=159&type=vulnerabilities

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* Darwin Streaming Server versions 5.0.1, possibly prior

Immune Systems:
* Updated versions of Mac OS X client and server, see below

CVE Information:
CAN-2004-1123 - Darwin Streaming Server DESCRIBE Null Byte DoS

The vulnerability is caused by insufficient input validation of arguments passed with the DESCRIBE request. A remote attacker can send a request for a location containing a null byte to cause a denial of service condition resulting in the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1026 (LWP 9648)]
0x4207ac9e in chunk_free () from /lib/i686/libc.so.6
(gdb) bt
#0 0x4207ac9e in chunk_free () from /lib/i686/libc.so.6
#1 0x4207ac24 in free () from /lib/i686/libc.so.6
#2 0x08096406 in FindOrCreateSession (inPath=0x408caf3c,
inParams=0x81746f0, inData=0x0, isPush=0, foundSessionPtr=0x0) at
APIModules/QTSSReflectorModule/QTSSReflectorModule.cpp:1262

Impact
Successful exploitation allows any remote unauthenticated attacker to crash the targeted server, thereby preventing legitimate users from accessing streamed content.

Patch Availability:
The following updates are available for the Mac OS X client and server:
Mac OS X 10.2.8 Client
Mac OS X 10.2.8 Server
Mac OS X 10.3.6 Client
Mac OS X 10.3.6 Server

Disclosure Timeline:
09/10/2004 - Initial vendor notification
09/15/2004 - Initial vendor response
12/03/2004 - Coordinated public disclosure

blog comments powered by Disqus

	HP Data Protector LogBackupLocationStatus SQL Injection Vulnerabilty
	InduSoft WebStudio Unauthenticated Operations Code Execution Vulnerabilityy
	InduSoft WebStudio CEServer Operation 0x15 Code Execution Vulnerability
	HP Data Protector Notebook Extension RequestCopy SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension GetPolicies SQL Injection Vulnerabilty
	GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability
	HP Data Protector Notebook Extension LogClientHealth SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogCopyOperation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension FinishedCopy SQL Injection Vulnerabilty
	Novell ZENWorks Software Packaging ISGrid.Grid2.1 Text Parameter Code Execution Vulnerabilit
	Adobe Reader BMP Image RLE Decoding Code Execution Vulnerability
	Apple QuickTime H264 Matrix Conversion Code Execution Vulnerability
	Apple QuickTime FLC Delta Decompression Code Execution Vulnerability
	Apple Quicktime PnPixPat PatType 3 Parsing Code Execution Vulnerability