Vulnerability Report for Feng

[Yuhan2001]

Vulnerability Report for Feng

Application

• Name: Feng
• Versions: 2.1.0_rc1
• Platforms: Linux
• Exploitation: Remote
• Date: October 22, 2024
• Author: Yuhan Wu, Haiyang Wei
• Email: yuhan_wu@smail.nju.edu.cn

1) Introduction

Feng is an open-source RTSP/RTP streaming server developed by the Politecnico di Torino for the LScube project. It is intended for use in streaming multimedia content and has been identified to contain several security vulnerabilities. This report covers two recent crashes, which indicate segmentation faults leading to potential service disruption.

---

2) Bugs Identified

A] Segmentation Fault in check_forbidden_path

• Issue: A NULL pointer dereference occurs during URI validation. If the URI structure passed to the function is NULL, the server crashes when attempting to access the path using strstr().
• Impact: An attacker can send a specially crafted request with a missing or malformed URL to cause a denial of service (DoS) by triggering a segmentation fault.

• Code Location:From src/network/rtsp_utils.c:

  static gboolean check_forbidden_path(URI *uri)
  {
    if ( strstr(uri->path, "../") || strstr(uri->path, "./") )
        return false;
  
    return true;
  }

• Root Cause: The function check_forbidden_path() does not validate if the URI pointer or the path field is NULL before calling strstr(). This results in a segmentation fault if a NULL URI is passed to the function.

---

B] Segmentation Fault in RTSP_handle_headers

• Issue: A NULL pointer dereference occurs during RTSP header handling. If the pending_request structure’s headers field is NULL, the function causes a segmentation fault by trying to access the headers without validation.
• Impact: An attacker could send a specially crafted RTSP request with missing headers to cause a denial of service (DoS) by triggering a segmentation fault.
• Code Location:From src/network/rtsp_state_machine.c:

  static gboolean RTSP_handle_headers(RTSP_Client *rtsp) {
    ...
    if ( rtsp->pending_request->headers == NULL )
    ...
  }

• Root Cause: The function RTSP_handle_headers() fails to validate if rtsp->pending_request or its headers field is NULL before accessing them. This results in a segmentation fault if a malformed or incomplete RTSP request is processed.

---

3) The Code (Proof of Concept)

To reproduce the issues, malicious users can send crafted RTSP requests to trigger the crashes:

1. For check_forbidden_path: POC_A.txt
2. For RTSP_handle_headers: POC_B.txt

[lu-zero]

Thank you for the report, the code is here mainly for historical reasons, but if you want to send a patch I'll be glad to apply it.