Multiple buffer overflows in LScube libnemesi 0.6.4-rc1 and earlier allow remote attackers to execute arbitrary code via (1) a reply that begins with a long version string, which triggers an overflow in handle_rtsp_pkt in rtsp_handlers.c; long headers that trigger overflows in (2) send_pause_request, (3) send_play_request, (4) send_setup_request, or (5) send_teardown_request in rtsp_send.c, as demonstrated by the Content-Base header; or a long Transport header, which triggers an overflow in (6) get_transport_str_sctp, (7) get_transport_str_tcp, or (8) get_transport_str_udp in rtsp_transport.c.
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
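
The following is an added example, not libnemesi code and not its patch: it shows length-checked handling of the two kinds of input named above, the version token at the start of an RTSP reply and a header value such as Content-Base. The function names and the buffer capacities `VER_MAX` and `HDR_MAX` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define VER_MAX 16   /* assumed capacity, not taken from libnemesi */
#define HDR_MAX 256  /* assumed capacity, not taken from libnemesi */

/* Copy n bytes into dst only if they fit together with the terminator. */
static int bounded_copy(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap)
        return -1;               /* oversize field: reject the message */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse "RTSP/1.0 200 OK": version token into ver[cap], code into *status. */
int parse_status_line(const char *line, char *ver, size_t cap, int *status)
{
    const char *sp = strchr(line, ' ');
    if (!sp || bounded_copy(ver, cap, line, (size_t)(sp - line)) != 0)
        return -1;
    if (strncmp(ver, "RTSP/", 5) != 0)
        return -1;
    return sscanf(sp + 1, "%3d", status) == 1 ? 0 : -1;
}

/* Extract the value of a "Name: value\r\n" header line into out[cap]. */
int header_value(const char *hdr, const char *name, char *out, size_t cap)
{
    size_t nlen = strlen(name);
    if (strncasecmp(hdr, name, nlen) != 0 || hdr[nlen] != ':')
        return -1;
    const char *v = hdr + nlen + 1;
    while (*v == ' ' || *v == '\t')
        v++;
    return bounded_copy(out, cap, v, strcspn(v, "\r\n"));
}

int main(void)
{
    char ver[VER_MAX], base[HDR_MAX];
    int st = 0;                  /* inputs below are constructed samples */
    int a = parse_status_line("RTSP/1.0 200 OK", ver, sizeof ver, &st);
    int b = header_value("Content-Base: rtsp://host.example/s/\r\n", "Content-Base", base, sizeof base);
    printf("%d %d %s %d %s\n", a, b, ver, st, base);
    return 0;
}
```

Both parsers measure the field before copying and fail the whole message when it does not fit, so a destination buffer is never written past its capacity.
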
Link | Tags |
---|---|
http://osvdb.org/42820 | vdb entry |
http://www.securityfocus.com/archive/1/485575/100/0/threaded | mailing list |
http://securityreason.com/securityalert/3513 | third party advisory |
http://osvdb.org/42822 | vdb entry |
http://www.vupen.com/english/advisories/2008/0010 | vdb entry |
http://www.securityfocus.com/bid/27048 | exploit vdb entry patch |
http://osvdb.org/42821 | vdb entry |
http://aluigi.altervista.org/adv/libnemesibof-adv.txt | |
http://aluigi.org/poc/libnemesibof.zip | |