Stack buffer overflow in RTSP packet parsing in gpac/gpac

Valid

Reported on May 1st 2022


Description

A malicious RTSP server can trigger a stack buffer overflow by sending an RTSP packet whose Content-Length header value is excessively long: the value is copied into a fixed-size stack buffer (a `char [30]`, per the sanitizer message below) with no bounds check.
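The pattern described above, as an added illustration that is not gpac's code: an unbounded copy of a header value into a 30-byte stack buffer next to a bounded version that rejects values which do not fit, plus a small Content-Length parser built on the bounded copy. The buffer size, function names and the sample responses are assumptions constructed for this example; only the `char [30]` size is taken from the sanitizer output in the report.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: 30 matches the 'char [30]' in the sanitizer message; the
 * surrounding code is illustrative and not taken from gpac. */
#define VALUE_BUF_SIZE 30

/* Vulnerable pattern: copy the header value up to end-of-line into a fixed
 * buffer with no length check. A value longer than 29 bytes writes past the
 * end of buf (stack buffer overflow). Shown for contrast; never called here. */
void copy_value_unbounded(const char *value, char buf[VALUE_BUF_SIZE]) {
    size_t i = 0;
    while (value[i] != '\r' && value[i] != '\n' && value[i] != '\0') {
        buf[i] = value[i];   /* no check that i < VALUE_BUF_SIZE - 1 */
        i++;
    }
    buf[i] = '\0';
}

/* Hardened pattern: measure the value first and refuse it if it cannot fit
 * (including the terminator), instead of truncating or overflowing. */
int copy_value_bounded(const char *value, char *buf, size_t buf_size) {
    size_t len = strcspn(value, "\r\n");   /* length up to end-of-line */
    if (len >= buf_size)
        return -1;                         /* oversized: reject the packet */
    memcpy(buf, value, len);
    buf[len] = '\0';
    return 0;
}

/* Parse "Content-Length: N" from an RTSP response header block.
 * Returns 0 and stores N in *out on success; -1 if the header is missing,
 * oversized, or not a non-negative decimal integer. */
int parse_content_length(const char *headers, long *out) {
    static const char key[] = "Content-Length:";
    const char *p = strstr(headers, key);  /* case-sensitive match, for brevity */
    if (!p)
        return -1;
    p += sizeof key - 1;
    while (*p == ' ' || *p == '\t')
        p++;

    char value[VALUE_BUF_SIZE];
    if (copy_value_bounded(p, value, sizeof value) != 0)
        return -1;

    errno = 0;
    char *end = NULL;
    long n = strtol(value, &end, 10);
    if (end == value || *end != '\0' || errno == ERANGE || n < 0)
        return -1;
    *out = n;
    return 0;
}

/* Convenience wrapper: the parsed length, or -1 on any error. */
long content_length_of(const char *headers) {
    long n = 0;
    return parse_content_length(headers, &n) == 0 ? n : -1;
}

/* Constructed sample responses (not captured traffic). */
const char *SAMPLE_OK =
    "RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Length: 460\r\n\r\n";
const char *SAMPLE_OVERLONG =
    "RTSP/1.0 200 OK\r\nCSeq: 2\r\n"
    "Content-Length: 0000000000000000000000000000000000000000460\r\n\r\n";
const char *SAMPLE_JUNK =
    "RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Length: 12abc\r\n\r\n";

int main(void) {
    printf("ok:       %ld\n", content_length_of(SAMPLE_OK));        /* 460 */
    printf("overlong: %ld\n", content_length_of(SAMPLE_OVERLONG));  /* -1  */
    printf("junk:     %ld\n", content_length_of(SAMPLE_JUNK));      /* -1  */
    return 0;
}
```

The bounded version treats an oversized Content-Length as a protocol error and drops the packet; the overlong sample above still encodes a small number, so a fix that truncated instead of rejecting would parse it differently from the server's intent. The same check is worth applying to every header value that lands in a fixed-size buffer, not only Content-Length.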

Proof of Concept

poc.py is available here

(terminal 1)

python3 poc.py 31337

(terminal 2)

./configure --enable-sanitizer
make -j32
./bin/gcc/gpac -play rtsp://127.0.0.1:31337/test
ietf/rtsp_common.c:86:7: runtime error: index 30 out of bounds for type 'char [30]'

GDB

Thread 1 "gpac" received signal SIGABRT, Aborted.
0x00007ffff749d34c in __pthread_kill_implementation () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff749d34c in __pthread_kill_implementation () at /usr/lib/libc.so.6
#1  0x00007ffff74504b8 in raise () at /usr/lib/libc.so.6
#2  0x00007ffff743a534 in abort () at /usr/lib/libc.so.6
#3  0x00007ffff7491397 in __libc_message () at /usr/lib/libc.so.6
#4  0x00007ffff75302fa in __fortify_fail () at /usr/lib/libc.so.6
#5  0x00007ffff75302c6 in  () at /usr/lib/libc.so.6
#6  0x00007ffff780e9c9 in  () at /gpac/bin/gcc/libgpac.so.11
#7  0x00007ffff780eaf8 in gf_rtsp_read_reply () at /gpac/bin/gcc/libgpac.so.11
#8  0x00007ffff7810cb5 in gf_rtsp_get_response () at /gpac/bin/gcc/libgpac.so.11
#9  0x00007ffff7bda785 in rtpin_rtsp_process_commands () at /gpac/bin/gcc/libgpac.so.11
#10 0x00007ffff7bd9bb6 in rtpin_process () at /gpac/bin/gcc/libgpac.so.11
#11 0x00007ffff7b3abb5 in gf_filter_process_task () at /gpac/bin/gcc/libgpac.so.11
#12 0x00007ffff7b281f7 in gf_fs_thread_proc () at /gpac/bin/gcc/libgpac.so.11
#13 0x00007ffff7b2d1ab in gf_fs_run () at /gpac/bin/gcc/libgpac.so.11
#14 0x0000555555563a7f in gpac_main ()
#15 0x00007ffff743b310 in __libc_start_call_main () at /usr/lib/libc.so.6
#16 0x00007ffff743b3c1 in __libc_start_main_impl () at /usr/lib/libc.so.6
#17 0x0000555555559dc5 in _start ()

Impact

This is capable of causing crashes and allows modification of stack memory, which could lead to remote code execution.

We are processing your report and will contact the gpac team within 24 hours. a year ago
We have contacted a member of the gpac team and are waiting to hear back a year ago
gpac/gpac maintainer (a year ago): https://github.com/gpac/gpac/issues/2182

We have sent a follow up to the gpac team. We will try again in 7 days. a year ago
We have sent a second follow up to the gpac team. We will try again in 10 days. a year ago
gpac/gpac maintainer validated this vulnerability a year ago
Callum Thomson has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in v2.1.0 with commit 75b371 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
rtsp_common.c#L86 has been validated