Vulnerability Report for Feng #4

Open
Yuhan2001 opened this issue Oct 22, 2024 · 1 comment

Vulnerability Report for Feng

Application

  • Name: Feng
  • Versions: 2.1.0_rc1
  • Platforms: Linux
  • Exploitation: Remote
  • Date: October 22, 2024
  • Author: Yuhan Wu, Haiyang Wei
  • Email: [email protected]

1) Introduction

Feng is an open-source RTSP/RTP streaming server developed by the Politecnico di Torino for the LScube project. It is intended for use in streaming multimedia content and has been identified to contain several security vulnerabilities. This report covers two recent crashes, which indicate segmentation faults leading to potential service disruption.
2) Bugs Identified

A] Segmentation Fault in check_forbidden_path

  • Issue: A NULL pointer dereference occurs during URI validation. If the URI structure passed to the function is NULL, the server crashes when attempting to access the path using strstr().
  • Impact: An attacker can send a specially crafted request with a missing or malformed URL to cause a denial of service (DoS) by triggering a segmentation fault.
  • Code Location: From src/network/rtsp_utils.c:
    static gboolean check_forbidden_path(URI *uri)
    {
        if ( strstr(uri->path, "../") || strstr(uri->path, "./") )
            return false;
    
        return true;
    }
  • Root Cause:
    The function check_forbidden_path() does not validate if the URI pointer or the path field is NULL before calling strstr(). This results in a segmentation fault if a NULL URI is passed to the function.

B] Segmentation Fault in RTSP_handle_headers

  • Issue: A NULL pointer dereference occurs during RTSP header handling. If the pending_request structure’s headers field is NULL, the function causes a segmentation fault by trying to access the headers without validation.
  • Impact: An attacker could send a specially crafted RTSP request with missing headers to cause a denial of service (DoS) by triggering a segmentation fault.
  • Code Location: From src/network/rtsp_state_machine.c:
    static gboolean RTSP_handle_headers(RTSP_Client *rtsp) {
        ...
        if ( rtsp->pending_request->headers == NULL )
        ...
    }
  • Root Cause:
    The function RTSP_handle_headers() fails to validate if rtsp->pending_request or its headers field is NULL before accessing them. This results in a segmentation fault if a malformed or incomplete RTSP request is processed.

3) The Code (Proof of Concept)

To reproduce the issues, malicious users can send crafted RTSP requests to trigger the crashes:

  1. For check_forbidden_path: POC_A.txt
  2. For RTSP_handle_headers: POC_B.txt
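
As an added example (not code from the Feng project or the reporter), the fail-closed fix for bug A beside the check as reported: a NULL uri or NULL path is rejected rather than dereferenced. The one-field URI struct and the C99 bool return type are assumptions standing in for Feng's URI and GLib's gboolean; the same guard applies to rtsp->pending_request and its headers field in bug B.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Feng's URI struct (assumption: only the path field is needed here). */
typedef struct {
    char *path;
} URI;

/* Check as reported: dereferences uri and uri->path unconditionally, so a NULL
 * uri or NULL path reaches strstr() and segfaults. Kept here only for comparison. */
static bool check_forbidden_path_reported(URI *uri)
{
    if (strstr(uri->path, "../") || strstr(uri->path, "./"))
        return false;
    return true;
}

/* Hardened variant: fail closed. A request with no URI or no path has nothing the
 * server could legitimately serve, so it is rejected instead of dereferenced. */
static bool check_forbidden_path_hardened(const URI *uri)
{
    if (uri == NULL || uri->path == NULL)
        return false;
    if (strstr(uri->path, "../") || strstr(uri->path, "./"))
        return false;
    return true;
}

/* Wrapper: builds a URI around a path (NULL allowed) and runs the hardened check. */
static bool path_is_allowed(const char *path)
{
    URI uri = { (char *)path };
    return check_forbidden_path_hardened(&uri);
}

/* The case that crashed the reported version: the URI structure itself is missing. */
static bool null_uri_is_rejected(void)
{
    return check_forbidden_path_hardened(NULL) == false;
}

int main(void)
{
    URI sample = { "/stream/cam1.sdp" }; /* constructed sample path, safe for both versions */
    printf("reported=%d hardened=%d null_path=%d null_uri_rejected=%d\n",
           check_forbidden_path_reported(&sample), path_is_allowed(sample.path),
           path_is_allowed(NULL), null_uri_is_rejected());
    return 0;
}
```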

lu-zero commented Oct 22, 2024

Thank you for the report. The code is here mainly for historical reasons, but if you want to send a patch I'll be glad to apply it.
