Controlled heap buffer overflow in SDP packet parsing in gpac/gpac

Valid

Reported on Mar 30th 2022


Description

A malicious server can trigger an out-of-bounds heap write via a specially crafted SDP packet, because the parser performs no bounds check when copying time zone adjustment entries into the fixed-size AdjustmentTime and AdjustmentOffset arrays of GF_SDPTiming.
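The missing capacity check described above, as an added illustrative example that is not gpac's code: a bounds-checked parser for the "<adjustment time> <offset>" pairs of an SDP z= line into fixed arrays of the same size as the u32 [10] arrays named in the sanitizer output. The sdp_timing_t struct, the SDP_MAX_TZ_ADJ constant and both functions are hypothetical stand-ins, not GF_SDPTiming or gf_sdp_info_parse.

```c
#include <stdlib.h>
#include <string.h>
#define SDP_MAX_TZ_ADJ 10 /* same capacity as the u32 [10] arrays in the report */
/* Hypothetical stand-in for the GF_SDPTiming fields involved; not gpac's struct. */
typedef struct {
    unsigned int AdjustmentTime[SDP_MAX_TZ_ADJ];
    int AdjustmentOffset[SDP_MAX_TZ_ADJ];
    unsigned int NbZoneOffsets;
} sdp_timing_t;
/* Parse one RFC 4566 offset token ("0", "-1h", "30m", "2d") into seconds; 0 on success, -1 if malformed. */
static int parse_offset(const char *tok, int *out) {
    char *end;
    long v = strtol(tok, &end, 10);
    if (end == tok) return -1;
    switch (*end) {
        case '\0': break;
        case 'd': v *= 86400; end++; break;
        case 'h': v *= 3600; end++; break;
        case 'm': v *= 60; end++; break;
        case 's': end++; break;
        default: return -1;
    }
    if (*end != '\0') return -1;
    *out = (int)v;
    return 0;
}
/* Parse the payload of an SDP "z=" line. Returns the number of pairs stored, or -1 on malformed
 * input or when more pairs arrive than the arrays hold: without that check pair 11 writes past the end. */
int parse_sdp_timezone(const char *line, sdp_timing_t *t) {
    char buf[512];
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    t->NbZoneOffsets = 0;
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        char *off = strtok(NULL, " ");
        if (!off) return -1;                                /* adjustment time without an offset */
        if (t->NbZoneOffsets >= SDP_MAX_TZ_ADJ) return -1;  /* reject instead of overflowing */
        char *end;
        unsigned long adj = strtoul(tok, &end, 10);
        if (end == tok || *end != '\0') return -1;
        int off_s;
        if (parse_offset(off, &off_s) != 0) return -1;
        t->AdjustmentTime[t->NbZoneOffsets] = (unsigned int)adj;
        t->AdjustmentOffset[t->NbZoneOffsets] = off_s;
        t->NbZoneOffsets++;
    }
    return (int)t->NbZoneOffsets;
}
```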

Proof of Concept

poc.py is available here

(terminal 1)

python3 poc.py 31337

(terminal 2)

./configure --enable-sanitizer
make -j32
./bin/gcc/gpac -play rtsp://127.0.0.1:31337/test
ietf/sdp.c:624:27: runtime error: index 10 out of bounds for type 'u32 [10]'

GDB

Thread 1 "gpac" received signal SIGSEGV, Segmentation fault.
0x00007ffff7828932 in gf_sdp_info_parse () from /gpac/bin/gcc/libgpac.so.11
(gdb) bt
#0  0x00007ffff7828932 in gf_sdp_info_parse () at /gpac/bin/gcc/libgpac.so.11
#1  0x00007ffff7be6020 in rtpin_load_sdp () at /gpac/bin/gcc/libgpac.so.11
#2  0x00007ffff7be6d6c in rtpin_rtsp_describe_process () at /gpac/bin/gcc/libgpac.so.11
#3  0x00007ffff7be493b in rtpin_rtsp_process_commands () at /gpac/bin/gcc/libgpac.so.11
#4  0x00007ffff7be3d56 in rtpin_process () at /gpac/bin/gcc/libgpac.so.11
#5  0x00007ffff7b47945 in gf_filter_process_task () at /gpac/bin/gcc/libgpac.so.11
#6  0x00007ffff7b34e67 in gf_fs_thread_proc () at /gpac/bin/gcc/libgpac.so.11
#7  0x00007ffff7b39e1b in gf_fs_run () at /gpac/bin/gcc/libgpac.so.11
#8  0x0000555555563a43 in gpac_main ()
#9  0x00007ffff744c310 in __libc_start_call_main () at /usr/lib/libc.so.6
#10 0x00007ffff744c3c1 in __libc_start_main_impl () at /usr/lib/libc.so.6
#11 0x0000555555559dc5 in _start ()

Impact

This can crash the client and allows modification of heap memory, which could lead to remote code execution.

We are processing your report and will contact the gpac team within 24 hours. a year ago
We have contacted a member of the gpac team and are waiting to hear back a year ago
gpac/gpac maintainer (a year ago): https://github.com/gpac/gpac/issues/2162

We have sent a follow up to the gpac team. We will try again in 7 days. a year ago
We have sent a second follow up to the gpac team. We will try again in 10 days. a year ago
gpac/gpac maintainer validated this vulnerability a year ago

Fixed by https://github.com/gpac/gpac/commit/cfaea36eb0116f28b3ca46096b5ed932b5a8c600

Callum Thomson has been awarded the disclosure bounty
The fix bounty is now up for grabs
gpac/gpac maintainer marked this as fixed in 2.1.0-DEV with commit cfaea3 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE