Stack buffer overflow in RTSP packet parsing in gpac/gpac

Status: Valid

Reported on May 1st 2022


Description

A malicious RTSP server can trigger a stack buffer overflow by sending an RTSP packet with an excessively long Content-Length value: the value is copied into a fixed-size stack buffer with no bounds check.

Proof of Concept

poc.py is available here

(terminal 1)

python3 poc.py 31337

(terminal 2)

./configure --enable-sanitizer
make -j32
./bin/gcc/gpac -play rtsp://127.0.0.1:31337/test
ietf/rtsp_common.c:86:7: runtime error: index 30 out of bounds for type 'char [30]'

GDB

Thread 1 "gpac" received signal SIGABRT, Aborted.
0x00007ffff749d34c in __pthread_kill_implementation () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff749d34c in __pthread_kill_implementation () at /usr/lib/libc.so.6
#1  0x00007ffff74504b8 in raise () at /usr/lib/libc.so.6
#2  0x00007ffff743a534 in abort () at /usr/lib/libc.so.6
#3  0x00007ffff7491397 in __libc_message () at /usr/lib/libc.so.6
#4  0x00007ffff75302fa in __fortify_fail () at /usr/lib/libc.so.6
#5  0x00007ffff75302c6 in  () at /usr/lib/libc.so.6
#6  0x00007ffff780e9c9 in  () at /gpac/bin/gcc/libgpac.so.11
#7  0x00007ffff780eaf8 in gf_rtsp_read_reply () at /gpac/bin/gcc/libgpac.so.11
#8  0x00007ffff7810cb5 in gf_rtsp_get_response () at /gpac/bin/gcc/libgpac.so.11
#9  0x00007ffff7bda785 in rtpin_rtsp_process_commands () at /gpac/bin/gcc/libgpac.so.11
#10 0x00007ffff7bd9bb6 in rtpin_process () at /gpac/bin/gcc/libgpac.so.11
#11 0x00007ffff7b3abb5 in gf_filter_process_task () at /gpac/bin/gcc/libgpac.so.11
#12 0x00007ffff7b281f7 in gf_fs_thread_proc () at /gpac/bin/gcc/libgpac.so.11
#13 0x00007ffff7b2d1ab in gf_fs_run () at /gpac/bin/gcc/libgpac.so.11
#14 0x0000555555563a7f in gpac_main ()
#15 0x00007ffff743b310 in __libc_start_call_main () at /usr/lib/libc.so.6
#16 0x00007ffff743b3c1 in __libc_start_main_impl () at /usr/lib/libc.so.6
#17 0x0000555555559dc5 in _start ()

Impact

This can crash the client and corrupt stack memory, which could lead to remote code execution.
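As an added illustration of the bug class described above (this is not gpac's own rtsp_common.c, whose code is not on this page), the unchecked copy is shown beside a bounded parser that rejects an oversize Content-Length value instead of overflowing. HDR_VAL_MAX mirrors the 'char [30]' from the sanitizer report; the function names and the sample reply are constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not gpac's rtsp_common.c: an RTSP header value copied
 * into a fixed-size buffer with and without a length check. HDR_VAL_MAX
 * mirrors the 'char [30]' in the sanitizer report; names are constructed. */
#define HDR_VAL_MAX 30

/* Vulnerable pattern: copies to end of line, trusting the server. Not called here. */
void copy_value_unchecked(char out[HDR_VAL_MAX], const char *p)
{
    size_t i = 0;
    while (p[i] && p[i] != '\r' && p[i] != '\n') {
        out[i] = p[i];      /* writes past out[29] on a 30+ byte value */
        i++;
    }
    out[i] = '\0';
}

/* Hardened: returns the Content-Length value, or -1 if the header is missing,
 * its value would not fit in HDR_VAL_MAX bytes (with NUL), or it is not a non-negative decimal. */
long parse_content_length(const char *reply)
{
    static const char key[] = "Content-Length:";
    const char *p = strstr(reply, key);
    char val[HDR_VAL_MAX], *end;
    size_t n = 0;
    if (!p) return -1;
    p += sizeof(key) - 1;
    while (*p == ' ' || *p == '\t') p++;
    while (p[n] && p[n] != '\r' && p[n] != '\n') {
        if (n + 1 >= sizeof(val)) return -1;   /* reject instead of overflowing */
        val[n] = p[n];
        n++;
    }
    val[n] = '\0';
    if (n == 0) return -1;
    errno = 0;
    long v = strtol(val, &end, 10);
    return (errno != 0 || *end != '\0' || v < 0) ? -1 : v;
}

int main(void)
{
    /* Constructed reply carrying a 40-digit Content-Length, far beyond the buffer. */
    const char *bad = "RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Length: 1111111111111111111111111111111111111111\r\n\r\n";
    printf("content-length parse result: %ld\n", parse_content_length(bad));
    return 0;
}
```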

Timeline

We are processing your report and will contact the gpac team within 24 hours. (2 months ago)
We have contacted a member of the gpac team and are waiting to hear back. (2 months ago)
gpac/gpac maintainer (2 months ago): https://github.com/gpac/gpac/issues/2182
We have sent a follow up to the gpac team. We will try again in 7 days. (2 months ago)
We have sent a second follow up to the gpac team. We will try again in 10 days. (a month ago)
gpac/gpac maintainer validated this vulnerability. (a month ago)
Callum Thomson has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
gpac/gpac maintainer confirmed that a fix has been merged on 75b371. (a month ago)
The fix bounty has been dropped.
rtsp_common.c#L86 has been validated.