CVE-2022-37237: [BUG]: Server will crash when client send RTMP poc messages · Issue #1839 · ZLMediaKit/ZLMediaKit
An attacker can send malicious RTMP requests to make the ZLMediaKit server crash remotely. Affected version is below commit 7d8b212a3c3368bc2f6507cb74664fc419eb9327.
Closed
50u1w4y opened this issue on Jul 29, 2022 · 8 comments
Comments
Symptom description
After building with cmake (Debug version) and running ./MediaServer (maybe with sudo to allow ports below 1024), a client can send RTMP requests that make the server crash.
How to reproduce?
- git clone from GitHub with git clone --depth 1 https://github.com/ZLMediaKit/ZLMediaKit.git, then git submodule update --init, then build it with cmake.
- just run the server with [sudo] ./MediaServer and the default config.ini
- push a stream with ffmpeg or not (it crashes in both situations)
- run sender.py with the poc
Related logs or screenshots
When not pushing a stream:
When pushing a stream:
Configuration
Default config (after cmake, nothing changed)
Environment information
- git commit hash: d0f0c69
- OS and version: Ubuntu 20.04
- Hardware: Intel
- Other information to add:
Can you run gdb to debug MediaServer?
Is this right?
$ python ./sender.py 127.0.0.1 1935 ./poc
sendbuf len is 3664
going to send 1537 bytes data
Traceback (most recent call last):
  File "./sender.py", line 40, in <module>
    while len(n) > 0:
NameError: name 'n' is not defined
Of course it's not right. It seems that the first receive timed out.
Yes, in gdb the server will receive something like: Thread 4 "event poller 0" received signal SIGSEGV, Segmentation fault.
You can paste a snapshot of bt in gdb.
Can't you reproduce that?
You can try running it again; this error is because of the receive timeout, maybe the network is stuck.
The client has just sent the handshake packet (C0+C1); the server should return S0+S1+S2 now, but the receive timed out.
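The exchange the comment above describes (client sends C0+C1, server answers S0+S1+S2, client completes with C2), as an added example that is not the reporter's sender.py and not ZLMediaKit's code. It sends only a well-formed handshake, not the PoC bytes, which are not on the page. FakeRtmpServer, its mode names and the demo() helper are assumptions constructed here so the exchange can be run offline, including the receive-timeout and closed-connection outcomes that came up in the thread.

```python
"""RTMP simple-handshake client with explicit timeout handling.

Added example: not the reporter's sender.py and not ZLMediaKit code.
It sends only a well-formed C0+C1, reads S0+S1+S2 and answers with C2.
FakeRtmpServer and its 'mode' values are constructed here for offline use.
"""
import os
import socket
import struct
import threading

RTMP_VERSION = 3        # C0/S0: protocol version byte
HANDSHAKE_LEN = 1536    # size of each of C1, S1, C2, S2


def build_c0c1(timestamp=0):
    """C0 (version 3) + C1 (4-byte time, 4 zero bytes, 1528 random bytes)."""
    c1 = struct.pack(">II", timestamp, 0) + os.urandom(HANDSHAKE_LEN - 8)
    return bytes([RTMP_VERSION]) + c1


def build_c2(s1):
    """C2 echoes S1: S1's time, our time2 (0 here), and S1's random bytes."""
    return s1[:4] + struct.pack(">I", 0) + s1[8:]


def recv_exact(sock, n):
    """Read exactly n bytes; an empty read means the peer closed (or died)."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"peer closed after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)


def parse_s0s1s2(data):
    """Split S0+S1+S2 and return (version, s1, s2)."""
    if len(data) != 1 + 2 * HANDSHAKE_LEN:
        raise ValueError(f"unexpected handshake reply length {len(data)}")
    return data[0], data[1:1 + HANDSHAKE_LEN], data[1 + HANDSHAKE_LEN:]


def rtmp_handshake(host, port, timeout=3.0):
    """Run the handshake; return a dict with status 'ok', 'timeout' or 'closed'.
    Both failure modes are reported rather than left to crash the client."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        c0c1 = build_c0c1()
        sock.sendall(c0c1)
        try:
            reply = recv_exact(sock, 1 + 2 * HANDSHAKE_LEN)
        except socket.timeout:
            return {"status": "timeout", "detail": "no S0+S1+S2 within %.1fs" % timeout}
        except ConnectionError as exc:
            return {"status": "closed", "detail": str(exc)}
        version, s1, s2 = parse_s0s1s2(reply)
        # A compliant server echoes C1's random bytes in S2.
        s2_echoes_c1 = s2[8:] == c0c1[9:]
        sock.sendall(build_c2(s1))
        return {"status": "ok", "version": version, "s2_echoes_c1": s2_echoes_c1}


class FakeRtmpServer(threading.Thread):
    """Constructed loopback stand-in (not ZLMediaKit) for offline runs.
    'answer': completes the handshake; 'hang': reads C0+C1 and never replies
    (client sees a timeout); 'crash': closes right after C0+C1 (client sees
    the connection closed, as it would with a server that died)."""

    def __init__(self, mode="answer"):
        super().__init__(daemon=True)
        self.mode = mode
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]

    def run(self):
        conn, _ = self.srv.accept()
        self.srv.close()
        with conn:
            c0c1 = recv_exact(conn, 1 + HANDSHAKE_LEN)
            if self.mode == "crash":
                return
            if self.mode == "hang":
                conn.recv(1)       # block until the client gives up and closes
                return
            s1 = struct.pack(">II", 0, 0) + os.urandom(HANDSHAKE_LEN - 8)
            s2 = c0c1[1:5] + struct.pack(">I", 0) + c0c1[9:]
            conn.sendall(bytes([RTMP_VERSION]) + s1 + s2)
            recv_exact(conn, HANDSHAKE_LEN)   # C2


def demo(mode="answer", timeout=1.0):
    """Handshake against a FakeRtmpServer started in the given mode."""
    server = FakeRtmpServer(mode)
    server.start()
    return rtmp_handshake("127.0.0.1", server.port, timeout=timeout)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: python rtmp_handshake.py HOST PORT
        print(rtmp_handshake(sys.argv[1], int(sys.argv[2])))
    else:
        for m in ("answer", "hang", "crash"):
            print(m, demo(m))
```

Run with a host and port to handshake against a real server. The returned status separates a server that never answered (the timeout seen in the transcript above) from one that closed the connection after C0+C1, which is how a crashed server looks from the client side.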
xia-chu added a commit that referenced this issue
Jul 29, 2022
Yes, I reproduced this and fixed the bug.
Thanks for your feedback!
2 participants