Re: Moiseenko Andrey's crtmpserver security patch

2017-10-12 Thread Debian/GNU
hi,

On 2017-10-11 21:25, JSK MaaSoftware wrote:
> Hello, Maintainers!
> 
> I found a security problem in crtmpserver in December 2015, and it still
> exists.

thanks for the patches.

i only had a cursory glance, but have a remark:
i guess some of the functionality you add could be easily implemented
with additional software.
e.g. what's the advantage of your solution over a simple firewall that
denies access to crtmpserver's port? modern firewalls would support
IPv6, which it seems your patches do not support yet.


please note that Debian is really a *distribution* of software. we are
(mostly) not in charge of actually developing the software we ship.

so if you find a problem that is not Debian-specific, it is often a good
idea to send these patches directly to upstream if possible.
while it seems that the homepage of crtmpserver (http://www.rtmpd.com)
seems to be down, there is a git-repository on github.

   https://github.com/shiretu/crtmpserver

please consider doing a pull-request against that repository.


gfamsdr
IOhannes

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers


Fwd: Moiseenko Andrey's crtmpserver security patch - patch5.txt

2017-10-11 Thread ООО МааСофтваре
Hello, Maintainers.

I have had another look at patching the code and have fixed the
machine-dependent host byte order in the remote IP calculation.

So patch5.txt is a new version of patch.

And I have a question about how it is possible to send this fix to a bug
tracking system, because the patch maa_crtmpserver_security_path.diff
created by "dpkg-source -commit" does not include the
/etc/crtmpserver/*txt files; only the manual patch5.txt includes them.



--
Best regards,
 Moiseenko Andrey,
 e-mail: supp...@maasoftware.ru
 web: http://www.maasoftware.ru

-- forwarded letter --
From:  JSK MaaSoftware
To:   Debian Multimedia Maintainers

Cc:
Created:  Wed, 11 Oct 2017 22:25:11 +0300
Subject:    Moiseenko Andrey's crtmpserver security patch
Attachments: maa_crtmpserver_security_path.diff, patch4.txt


Moiseenko Andrey's crtmpserver security patch

2017-10-11 Thread JSK MaaSoftware
Hello, Maintainers!

I found a security problem in crtmpserver in December 2015, and it still
exists.

The problem is that any RTMP stream generators like web cams, ffmpeg, etc.
can send their stream to your crtmpserver anonymously and play it
back. It can be a problem for you because anybody can use your
server for video streaming, not for your sites nor your application.

To solve the problem I created a patch based on code found by Google
for the connect schema name and swf name check. And I have my
additions to check the remote (source) and local IP addresses of the
connection, to allow translating RTMP from certain static IPs.

I am a novice in open source committing, and just have to read 4 configs
from the hard-coded dir /etc/crtmpserver (local_ip.txt, remote_ip.txt,
tc_url.txt, swf_url.txt).

I am trying to build the modified source (thanks to Sebastian Ramacher for
Bug#878211: crtmpserver can not be compiled from source - he answered how
to compile crtmpserver from Debian source).

"dpkg-source -commit" says to me:
dpkg-source: info: local changes have been recorded in a new patch:
crtmpserver-1.0/debian/patches/maa_crtmpserver_security_path.diff

I think my patch was not sent to the Debian Maintainers by the
"dpkg-source -commit" command.

I am attaching my more detailed patch4.txt with
/etc/crtmpserver/*txt samples generated by
diff -Naur crtmpserver-1.0~dfsg crtmpserver-1.0_mod >patch4.txt

Please correct me if you can about the fixed path /etc/crtmpserver.
Waiting for the code to be integrated into new versions of crtmpserver.

--
Best regards,
 Moiseenko Andrey,
 e-mail: supp...@maasoftware.ru
 web: http://www.maasoftware.ru
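As an added example (not code from the patch or from crtmpserver), a validating IPv4/CIDR allowlist check of the kind the patch performs against remote_ip.txt and local_ip.txt: every sscanf result is checked, octets and prefix lengths are bounded, the address is built in host order with explicit shifts, and a malformed entry or client address is rejected rather than treated as 0.0.0.0. The allowlist entries are a constructed sample array standing in for the file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Dotted quad -> host-order uint32_t. Returns 0 on any malformed input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned o[4]; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &tail) != 4)
        return 0;                 /* wrong field count or trailing junk */
    if (o[0] > 255 || o[1] > 255 || o[2] > 255 || o[3] > 255) return 0;
    *out = ((uint32_t)o[0] << 24) | ((uint32_t)o[1] << 16) | ((uint32_t)o[2] << 8) | o[3];
    return 1;
}

/* One entry "a.b.c.d" or "a.b.c.d/n" -> normalised network and mask. */
static int parse_cidr(const char *entry, uint32_t *net, uint32_t *mask)
{
    char buf[64], tail; unsigned prefix = 32;
    if (strlen(entry) >= sizeof buf) return 0;
    strcpy(buf, entry);
    char *slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        if (sscanf(slash + 1, "%u%c", &prefix, &tail) != 1 || prefix > 32)
            return 0;
    }
    if (!parse_ipv4(buf, net)) return 0;
    *mask = prefix ? ~(uint32_t)0 << (32 - prefix) : 0; /* /0 without a 32-bit shift */
    *net &= *mask;                                       /* 10.1.2.3/8 -> 10.0.0.0/8 */
    return 1;
}

/* 1 if ip_text lies inside any entry; '#', ';' and empty lines are skipped. */
static int ip_allowed(const char *ip_text, const char *const *entries, size_t n)
{
    uint32_t ip, net, mask;
    if (!parse_ipv4(ip_text, &ip)) return 0;          /* unparsable client address: deny */
    for (size_t i = 0; i < n; i++) {
        const char *e = entries[i];
        if (e[0] == '#' || e[0] == ';' || e[0] == '\0') continue;
        if (parse_cidr(e, &net, &mask) && (ip & mask) == net) return 1;
    }
    return 0;
}

/* Constructed sample allowlist (hypothetical), standing in for remote_ip.txt. */
static const char *const kSample[] = { "# encoder hosts", "203.0.113.10",
    "198.51.100.0/24", "10.0.0.0/8", "256.1.1.1/8" /* malformed: never matches */ };
#define kSampleN (sizeof kSample / sizeof kSample[0])
```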

maa_crtmpserver_security_path.diff
Description: Binary data
diff -Naur 
crtmpserver-1.0~dfsg/applications/flvplayback/include/rtmpappprotocolhandler.h 
crtmpserver-1.0_mod/applications/flvplayback/include/rtmpappprotocolhandler.h
--- 
crtmpserver-1.0~dfsg/applications/flvplayback/include/rtmpappprotocolhandler.h  
2012-03-18 13:43:18.0 +0400
+++ 
crtmpserver-1.0_mod/applications/flvplayback/include/rtmpappprotocolhandler.h   
2017-10-11 21:13:27.089849662 +0300
@@ -34,6 +34,10 @@
 
virtual bool ProcessInvokeGeneric(BaseRTMPProtocol *pFrom,
Variant &request);
+// to check schema and swf name
+virtual bool ProcessInvokeConnect(BaseRTMPProtocol *pFrom,
+Variant &request);
+virtual bool ValidateRequest(Variant &request);
private:
bool ProcessGetAvailableFlvs(BaseRTMPProtocol *pFrom, Variant 
&request);
bool ProcessInsertMetadata(BaseRTMPProtocol *pFrom, Variant 
&request);
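Review bot: the new ProcessInvokeConnect and ValidateRequest declarations are placed in the public section above `private:`; ValidateRequest reads as an internal helper and would be better declared after `private:` next to the other Process* helpers, and the patch should confirm that the base class already declares ProcessInvokeConnect as virtual, otherwise this declaration hides the base method instead of overriding it and the new check never runs. The comment `// to check schema and swf name` would be more useful if it named the request fields being validated and the /etc/crtmpserver files the allowlists are read from.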
diff -Naur 
crtmpserver-1.0~dfsg/applications/flvplayback/src/rtmpappprotocolhandler.cpp 
crtmpserver-1.0_mod/applications/flvplayback/src/rtmpappprotocolhandler.cpp
--- 
crtmpserver-1.0~dfsg/applications/flvplayback/src/rtmpappprotocolhandler.cpp
2012-03-18 13:43:18.0 +0400
+++ crtmpserver-1.0_mod/applications/flvplayback/src/rtmpappprotocolhandler.cpp 
2017-10-11 19:42:07.173819842 +0300
@@ -19,6 +19,7 @@
 
 
 #ifdef HAS_PROTOCOL_RTMP
+#include "common.h"
 #include "rtmpappprotocolhandler.h"
 #include "protocols/rtmp/basertmpprotocol.h"
 #include "protocols/rtmp/messagefactories/messagefactories.h"
@@ -27,6 +28,95 @@
 #include "streaming/streamstypes.h"
 using namespace app_flvplayback;
 
+
+//===
+// Moiseenko Andrey's security checks for local and remote IPs
+static unsigned GetMaskByNum(int Num)
+{
+if   (!Num)
+{
+return 0;
+}
+return ~ ((1 << (32 - Num)) - 1);
+}
+static bool CheckIp(string ip, const char * fn)
+{
+const char * pip = ip.c_str();
+unsigned xx[4] = { 0, 0, 0, 0 };
+sscanf(pip, "%d.%d.%d.%d", &xx[0], &xx[1], &xx[2], &xx[3]);
+unsigned Ip = (xx[0] << 8) | xx[1]) << 8) | xx[2]) << 8) | xx[3];
+  fprintf(stderr, "%d.%d.%d.%d %08x\n", xx[0], xx[1], xx[2], xx[3], Ip);
+FILE * f = fopen(fn, "rb");
+if (f)
+{
+char Buffer[256];
+while(fgets(Buffer, (int)sizeof(Buffer) - 1, f))
+{
+int l = strlen(Buffer);
+while(l > 0 && (Buffer[l - 1] == '\r' || Buffer[l - 1] == '\n'))
+{
+Buffer[--l] = 0;
+}
+if (Buffer[0] == ';' || Buffer[0] == '#' || Buffer[0] == 0)
+{
+continue;
+}
+pip = Buffer;
+unsigned cmp_ip = 0, x;
+for (int i = 0; i < 4; i++)
+{
+x = 0;
+sscanf(pip, "%d", &x);
+  fprintf(stderr, "%d.\n", x);
+cmp_ip = (cmp_ip << 8) | x;
+while(*pip >= '0' && *pip <= '9') pip++;
+if (*pip == '.' || *pip == '/') pip++;
+}
+x = 32;
+sscanf(pip, "%d", &x);
+  fprintf(stderr, "/%d\n", x);
+x = GetMaskByNum((int)x);
+
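Review bot: the host-order calculation `unsigned Ip = (xx[0] << 8) | xx[1]) << 8) | xx[2]) << 8) | xx[3];` has unbalanced parentheses as posted and will not compile; write it as `((xx[0] << 24) | (xx[1] << 16) | (xx[2] << 8) | xx[3])`. Both sscanf calls scan with `%d` into `unsigned` and never check the return value, so a malformed client address or allowlist line silently becomes 0.0.0.0 and is still compared; the check should require four conversions with every octet at most 255 and fail closed otherwise. In GetMaskByNum, `1 << (32 - Num)` shifts a signed int into the sign bit for Num == 1 and the prefix parsed from the `/` part is never bounded, so use `1u` and reject values above 32. The `fprintf(stderr, ...)` lines are debugging output that prints every client address on each connect and should be removed before the patch is submitted; note also that the dotted-quad parsing only covers IPv4, as already pointed out in the reply.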