Luigi Auriemma has reported some vulnerabilities in Feng, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a vulnerable system.

1) Two boundary errors exist within the "RTSP_valid_response_msg()" function in rtsp/RTSP_state_machine.c. These can be exploited to cause stack-based buffer overflows via specially crafted RTSP response messages.

Successful exploitation may allow execution of arbitrary code.

2) An integer overflow error exists within the "RTSP_remove_msg()" function in rtsp/RTSP_lowlevel.c. This can be exploited to crash an affected server via a specially crafted RTP packet.

3) Multiple NULL pointer dereference errors exist within the "parse_transport_header()" function in rtsp/RTSP_setup.c. These can be exploited to crash an affected server via specially crafted RTSP transport headers.

4) A NULL pointer dereference error exists within the "parse_play_time_range()" function in rtsp/RTSP_play.c. This can be exploited to crash an affected server via an RTSP range header containing a "time" field without a '=' character.

5) A NULL pointer dereference error exists within the "log_user_agent()" function in rtsp/RTSP_utils.c. This can be exploited to crash an affected server via a "User-Agent" field without a terminating '\n' character.

The vulnerabilities are reported in version 0.1.15. Other versions may also be affected.

Solution
The vendor will reportedly release a fixed version soon. Restrict access to trusted users only.

Provided and/or discovered by
Luigi Auriemma

Changelog
Further details available in Customer Area

Original Advisory
http://aluigi.altervista.org/adv/fengulo-adv.txt

Deep Links
Links available in Customer Area