Apple Quicktime/Darwin Streaming Server fails to properly parse DESCRIBE requests containing overly large User-Agent fields. This could allow an unauthenticated, remote attacker to cause a denial-of-service condition.
Apple's QuickTime and Darwin Streaming Server is software which provides integrated distribution of various forms of digital content. Such content can be delivered over a network using Real-Time Transport Protocol (RTP) and Real-Time Streaming Protocol (RTSP).
The RTSP provides a DESCRIBE method which according to RFC 2326 "retrieves the description of a presentation or media object identified by the request URL from a server. It may use the Accept header to specify the description formats that the client understands. The server responds with a description of the requested resource. The DESCRIBE reply-response pair constitutes the media initialization phase of RTSP."
An unauthenticated, remote attacker could prevent legitimate users from accessing the streamed content.
This vulnerability was reported by iDefense.
This document was written by Damon Morda.
|Date First Published:||2004-02-25|
|Date Last Updated:||2004-03-15 13:49 UTC|