CVE-2007-6631 Information

Description

Multiple buffer overflows in LScube libnemesi 0.6.4-rc1 and earlier allow remote attackers to execute arbitrary code via (1) a reply that begins with a long version string which triggers an overflow in handle_rtsp_pkt in rtsp_handlers.c; long headers that trigger overflows in (2) send_pause_request (3) send_play_request (4) send_setup_request or (5) send_teardown_request in rtsp_send.c as demonstrated by the Content-Base header; or a long Transport header which triggers an overflow in (6) get_transport_str_sctp (7) get_transport_str_tcp or (8) get_transport_str_udp in rtsp_transport.c.

Reference

http://aluigi.altervista.org/adv/libnemesibof-adv.txt http://aluigi.org/poc/libnemesibof.zip http://osvdb.org/42820 http://osvdb.org/42821 http://osvdb.org/42822 http://securityreason.com/securityalert/3513 http://www.securityfocus.com/archive/1/485575/100/0/threaded http://www.securityfocus.com/bid/27048 http://www.vupen.com/english/advisories/2008/0010