iDEFENSE Security Advisory 02.23.04

Darwin Streaming Server Remote Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=75
February 23, 2004

I. BACKGROUND

Darwin Streaming Server is server technology allowing for the streaming
of QuickTime data to clients across the Internet using the industry
standard RTP and RTSP protocols.

II. DESCRIPTION

Exploitation of a flaw in Apple Computer Inc.'s Darwin Streaming Server
allows unauthenticated remote attackers to prevent legitimate usage. The
vulnerability specifically occurs upon parsing of DESCRIBE requests with
specially crafted User-Agent fields. Making a request with a User-Agent
field containing over 255 characters causes an assert error in
CommonUtilitiesLib/StringFormatter.h line 97:

    virtual void BufferIsFull(char* /*inBuffer*/, UInt32 /*inBufferLen*/)
    { Assert(0); }

Successful exploitation disrupts further content streaming capabilities.

III. ANALYSIS

Any remote unauthenticated attacker can exploit the vulnerability,
thereby preventing legitimate users from accessing streamed content.
iDEFENSE has obtained proof of concept exploit code for this
vulnerability.

IV. DETECTION

iDEFENSE has confirmed that the latest version of Darwin Streaming
Server, version 4.1.3, is vulnerable.

V. VENDOR RESPONSE

This is fixed in Security Update 2004-02-23, available for Mac OS X
10.3.2 Server and Mac OS X 10.2.8 Server. The update and further
information are available from Apple's Support site at:

    http://www.apple.com/support/

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned
CAN-2004-0169 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.

VII. DISCLOSURE TIMELINE

December 8, 2003     Exploit acquired by iDEFENSE
January 29, 2004     iDEFENSE clients notified
January 29, 2004     Initial vendor notification
January 29, 2004     Vendor response received
February 23, 2004    Coordinated public disclosure
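
The following is an added example, not part of the iDEFENSE advisory or of Apple's code: a check that flags RTSP DESCRIBE requests whose User-Agent field exceeds the 255 characters named in section II, for use on logged or captured request text ahead of an unpatched server. The host name, the sample requests and the choice to measure the unfolded header value are assumptions made for illustration.

```python
# Added example (not from the advisory); the sample requests are constructed.
MAX_USER_AGENT = 255  # limit stated in the advisory


def parse_rtsp_request(raw: bytes):
    """Return (method, uri, [(name, value), ...]) or None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("RTSP/"):
        return None
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            # folded continuation line: append to the previous header value
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers.append((name.strip().lower(), value.strip()))
    return parts[0], parts[1], headers


def oversized_user_agent(raw: bytes) -> int:
    """Length of the longest User-Agent if a DESCRIBE exceeds the limit, else 0."""
    parsed = parse_rtsp_request(raw)
    if parsed is None:
        return 0
    method, _uri, headers = parsed
    if method.upper() != "DESCRIBE":  # the advisory names DESCRIBE only
        return 0
    # check every User-Agent line so a short duplicate cannot mask a long one
    longest = max((len(v) for n, v in headers if n == "user-agent"), default=0)
    return longest if longest > MAX_USER_AGENT else 0


def _request(method: str, user_agent: str) -> bytes:
    return (f"{method} rtsp://media.example.test/sample.mov RTSP/1.0\r\n"
            f"CSeq: 1\r\nUser-Agent: {user_agent}\r\n\r\n").encode("latin-1")


SAMPLES = {  # constructed inputs, not captured traffic
    "normal": _request("DESCRIBE", "ExamplePlayer/1.0"),
    "at_limit": _request("DESCRIBE", "A" * 255),
    "over_limit": _request("DESCRIBE", "A" * 256),
    "other_method": _request("OPTIONS", "A" * 300),
}
```

A non-zero return value is the offending field length, suitable for logging alongside the source address before the request is dropped.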