Closed DshtAnger closed 5 years ago
This was assigned CVE-2019-6256.
According to the Debian maintainer in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919529#17, this does not seem to be present in current versions.
What was the fix for the issue?
Ross Finlayson [finlayson@live555.com] told me that the problem has been fixed in version 2018.11.26. Users only need to update the version. Reference: http://www.live555.com/liveMedia/public/changelog.txt
ISSUE DESCRIPTION
The project website: http://www.live555.com/liveMedia/
I found a new way to make RTSPServer crash in the latest version 0.93 when RTSP-over-HTTP tunneling is supported.
I only need to send two HTTP requests in one TCP connection.
The problem occurs in RTSPServer.cpp:853, where it calls handleHTTPCmd_TunnelingPOST.
If I first send an HTTP GET packet with a specific sessionCookie and then send an HTTP POST packet with this sessionCookie in the same TCP connection, RTSPServer will call an erroneous virtual function pointer in the readSocket function (GroupsockHelper.cpp), and the pointer value comes from the heap, which may be controllable.
Attack PoC python code:
You can just build a test demo according to https://github.com/rgaufman/live555 and attack the bin live555MediaServer for verification.
Original vulnerability discoverer: 许彬彬 Xubinbin
IMPACT
It will cause a DoS attack and potential remote command execution in version 0.93 (I verified), and even in all earlier versions (this is just my unverified guess).
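A detection sketch for the condition described in this issue, added here as an example and not part of the original report or of live555. RTSP-over-HTTP tunneling normally pairs a GET and a POST on two separate TCP connections linked by the `x-sessioncookie` header, so a POST that reuses a GET's cookie on the same connection is worth an alert. The key=value log format, field names and sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: one line per HTTP request seen on the RTSP port, in a
# hypothetical key=value format (conn = TCP connection id, cookie = value of
# the x-sessioncookie header, "-" when the header is absent).
SAMPLE_LOG = """\
ts=1 conn=c1 src=198.51.100.7 method=GET cookie=aaaa1111
ts=2 conn=c2 src=198.51.100.7 method=POST cookie=aaaa1111
ts=3 conn=c3 src=203.0.113.9 method=GET cookie=bbbb2222
ts=4 conn=c3 src=203.0.113.9 method=POST cookie=bbbb2222
ts=5 conn=c4 src=192.0.2.5 method=GET cookie=-
ts=6 conn=c4 src=192.0.2.5 method=POST cookie=cccc3333
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; unknown keys are kept, order ignored."""
    return dict(FIELD.findall(line))


def find_same_connection_tunnels(log_text):
    """Return (conn, src, cookie) for every POST that reuses, on the same TCP
    connection, a session cookie registered by an earlier GET on that
    connection."""
    get_cookies = defaultdict(set)  # conn id -> cookies seen in GETs
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not {"conn", "method", "cookie"} <= rec.keys():
            continue  # malformed or unrelated line
        cookie = rec["cookie"]
        if cookie == "-":
            continue  # request carried no session cookie
        method = rec["method"].upper()
        if method == "GET":
            get_cookies[rec["conn"]].add(cookie)
        elif method == "POST" and cookie in get_cookies[rec["conn"]]:
            alerts.append((rec["conn"], rec.get("src", "?"), cookie))
    return alerts


if __name__ == "__main__":
    for conn, src, cookie in find_same_connection_tunnels(SAMPLE_LOG):
        print(f"ALERT conn={conn} src={src} cookie={cookie}: GET+POST tunnel on one connection")
```

A hit is a reason to confirm that the server is running the fixed release named in this thread (2018.11.26) or later.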