EmuliveVuln.txt

2004-09-21T00:00:00
ID PACKETSTORM:34434
Type packetstorm
Reporter James Bercegay
Modified 2004-09-21T00:00:00

Description

                                        
##########################################################
# GulfTech Security Research September 20th, 2004  
##########################################################  
# Vendor : Emulive Imaging Corporation  
# URL : http://www.emulive.com  
# Version : EmuLive Server4 Commerce Edition Build 7560  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
Description:  
Server4 is real-time media broadcasting software that works   
in conjunction with Emulive producer software to create   
digital television-like channels on the Internet. To web   
browsers, Server4 appears as a standard web server. Visitors   
to a Server4 system can browse and view available channels,   
chat with other users, remotely control cameras, remotely   
control devices, create user accounts, extend user accounts,   
purchase time and access controlled subscriptions, purchase   
one-to-one exclusive conferences, tip channel hosts, purchase   
additional time and much much more.  
  
  
  
Unauthorized Admin Access:  
EmuLive Server4, like a lot of software, comes with built-in
remote administration features. The administration console
in Server4 lets server admins manage such data as their live
statistics, affiliate management, and eCommerce reports.
However, an attacker can easily access this console by
requesting the following URL:
  
http://localhost//PUBLIC/ADMIN/INDEX.HTM  
  
Notice the "//" after the host info. Normally, when an admin
successfully logs in, there is a long session ID in between
those two slashes. So, we can now do anything an admin can
by using a little slash ;) Another interesting thing about
this particular issue is that after I requested an admin page
from a remote machine with a null session ID, it gave me the
legitimate session credentials that were gained on another
machine, automatically!
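
Detection logic for the behaviour described above, added here as an example and not part of the original advisory or its POC: it scans HTTP access logs for admin-console requests whose session-ID segment is empty, and for one admin session ID used from more than one client address. The Common Log Format input, the function names and the sample lines are assumptions constructed for illustration; the advisory does not describe Server4's own log format.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: requests are logged in Common Log Format (e.g. by a proxy in
# front of Server4); the advisory does not describe Server4's own logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+)[^"]*" \d{3}')

# Constructed sample lines (documentation IP ranges, made-up session ID).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Sep/2004:10:00:01 +0000] "GET /A1B2C3D4E5F6/PUBLIC/ADMIN/INDEX.HTM HTTP/1.0" 200 5120',
    '198.51.100.7 - - [20/Sep/2004:10:02:13 +0000] "GET //PUBLIC/ADMIN/INDEX.HTM HTTP/1.0" 200 5120',
    '198.51.100.7 - - [20/Sep/2004:10:02:15 +0000] "GET /A1B2C3D4E5F6/PUBLIC/ADMIN/INDEX.HTM HTTP/1.0" 200 5120',
    '203.0.113.5 - - [20/Sep/2004:10:03:00 +0000] "GET /%2fpublic/admin/index.htm HTTP/1.0" 200 5120',
    '203.0.113.5 - - [20/Sep/2004:10:04:00 +0000] "GET /PUBLIC/CHANNELS.HTM HTTP/1.0" 200 900',
]

def parse(line):
    """Return (client_ip, path_segments) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    path = unquote(m["target"].split("?", 1)[0])
    # Keep empty segments: "//PUBLIC/..." must yield "" as the first one.
    return m["ip"], path.split("/")[1:]

def analyse(lines):
    findings, ips_by_session = [], defaultdict(set)
    for lineno, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        ip, segs = rec
        # Admin pages have the shape /<session id>/PUBLIC/ADMIN/...
        # Case-insensitive matching is an assumption (Windows host).
        if len(segs) < 3 or [s.upper() for s in segs[1:3]] != ["PUBLIC", "ADMIN"]:
            continue
        session = segs[0].strip()
        if not session:
            findings.append(("empty-session-admin-request", lineno, ip))
        else:
            ips_by_session[session].add(ip)
    for session, ips in sorted(ips_by_session.items()):
        if len(ips) > 1:  # same admin session seen from several hosts
            findings.append(("session-shared-across-hosts", session, tuple(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```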
  
  
  
Remote Server Crash:  
EmuLive Server4 is a very nice multimedia broadcasting
application. One very useful feature is that it allows remote
connections for production software on TCP port 66. This is
meant for EmuLive Producer, which is an audio/video encoder
software product that works in conjunction with Server4 to
create interactive digital television-like channels on the
Internet. There lies a flaw in the way Server4 handles the
connections made to this port. For example, an attacker can
input a quick sequence of eight or more sets of carriage
returns and crash the server hard. In the tests that I did,
it froze up my WinXP Pro machine so badly that I was forced to
press the reset button, as it was the only thing that worked.
I am not sure if this issue is remotely exploitable for
anything other than killing the server, as my machine died
immediately after the death packet was sent, so I could not
read any error messages or responses.
  
  
  
Related Info:  
The original advisory and POC can be found at the following location:
http://www.gulftech.org/?node=research&article_id=00051-09202004  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
  
  