lscube / feng

Standard Streaming Server
GNU Lesser General Public License v2.1

Vulnerability Report for Feng #4

Open Yuhan2001 opened 1 month ago

Yuhan2001 commented 1 month ago

Vulnerability Report for Feng

Application

1) Introduction

Feng is an open-source RTSP/RTP streaming server developed by the Politecnico di Torino for the LScube project. It is intended for use in streaming multimedia content and has been identified to contain several security vulnerabilities. This report covers two recent crashes, which indicate segmentation faults leading to potential service disruption.


2) Bugs Identified

A] Segmentation Fault in check_forbidden_path


B] Segmentation Fault in RTSP_handle_headers


3) The Code (Proof of Concept)

To reproduce the issues, malicious users can send crafted RTSP requests to trigger the crashes:

  1. For check_forbidden_path: POC_A.txt
  2. For RTSP_handle_headers: POC_B.txt

lu-zero commented 1 month ago

Thank you for the report, the code is here mainly for historical reasons, but if you want to send a patch I'll be glad to apply it.