Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs  Black Box Testing  Vulnerability Assessment  Vulnerability Scanner SecuriTeam™ in Your Inbox   E-mail this article to a friend New vulnerability? New tool? Tell us	Live555 RTSP Server Denial of Service 19 Nov. 2007    Summary LIVE555 Media Server is an open source Real Time Streaming Protocol (RTSP) server application released under LGPL. It's possible to crash Live555 server by sending specially crafted RTSP query.   Credit: The information has been provided by Luigi Auriemma. The original article can be found at: http://aluigi.altervista.org/adv/live555x-adv.txt    Details Audit your web server for security holes - see what the hackers see. Sign up for a scan today - risk free! Vulnerable Systems:  * LIVE555 Media Server version 2007.11.01 and prior Immune Systems:  * LIVE555 Media Server version 2007.11.18 The function which handles the incoming queries from the clients is affected by a vulnerability which can allow an attacker to crash the server remotely using the smallest RTSP query possible to use. This problem is caused by the absence of an instruction for checking if the amount of client's data (reqStrSize) is longer or equal than 8 bytes because the function makes use of unsigned numbers, so "7 - 8" is not -1 but 4294967295, resulting in a crash caused by the reaching of the end of the allocated memory. From liveMedia/RTSPCommon: Boolean parseRTSPRequestString(char const* reqStr,                    unsigned reqStrSize,   ...   unsigned i;   for (i = 0; i < resultCmdNameMaxSize-1 && i < reqStrSize; ++i) {     ...   // Skip over the prefix of any "rtsp://" or "rtsp:/" URL that follows:   unsigned j = i+1;   while (j < reqStrSize && (reqStr[j] == ' ' || reqStr[j] == '\t')) ++j;   for (j = i+1; j < reqStrSize-8; ++j) {     ... Proof of Concept: http://aluigi.org/poc/live555x.zip Vendor Status: Fixed in version released 2007.11.18.  Comments: Subject:   Date:  From:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Cisco BBSM Captive Portal Cross-site Scripting Cisco Unified Communications Manager Denial of Service Vulnerabilities Novell eDirectory Unauthenticated Access to SOAP Interface Call of Duty Denial of Service Wonderware SuiteLink Denial of Service Vulnerability WebMod Multiple Vulnerabilities IAX2 Incomplete 3-Way Handshake (Spoofing) Multiple Vendor OpenOffice Vulnerabilities Apple Safari WebKit PCRE Handling Integer Overflow Vulnerability Cisco Network Admission Control Shared Secret Vulnerability ClamAV libclamav PeSpin Heap Overflow Vulnerability ClamAV libclamav PE WWPack Heap Overflow Vulnerability IBM Informix Pre-Authentication Stack Overflow Adobe Flash Player DeclareFunction2 Invalid Object Use Vulnerability HP OpenView NNM Buffer Overflow  Featured Articles Microsoft Windows I2O Filter Utility Driver (i2omgmt.sys) Local Privilege Escalation Vulnerability Adobe Acrobat Javascript PDF Security Feature Bypass and Memory Corruption Vulnerabilities Multiple Vendor rdesktop Vulnerabilities Wonderware SuiteLink Denial of Service Vulnerability PHP Multibyte Shell Command Escaping Bypass Vulnerability Akamai Download Manager Arbitrary Program Execution Vulnerability SugarCRM Community Edition Local File Disclosure Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2008 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®