{"cve": [{"lastseen": "2017-07-29T11:22:22", "bulletinFamily": "NVD", "description": "Multiple integer overflows in the Edge server in Adobe Flash Media Server 2 before 2.0.5, and Connect Enterprise Server 6 before SP3, allow remote attackers to execute arbitrary code via a Real Time Message Protocol (RTMP) message with a crafted integer field that is used for allocation.", "modified": "2017-07-28T21:34:03", "published": "2008-02-13T16:00:00", "id": "CVE-2007-6149", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6149", "title": "CVE-2007-6149", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:25", "bulletinFamily": "software", "description": "iDefense Security Advisory 02.12.08\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\nFeb 12, 2008\r\n\r\nI. BACKGROUND\r\n\r\nAdobe Flash Media Server is an application server for Flash based\r\napplications. It provides an environment to run interactive media\r\napplications, as well as audio and video streaming functionality. More\r\ninformation can be found at the vendor's web site at the following URL.\r\n\r\nhttp://www.adobe.com/products/flashmediaserver/\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of multiple integer overflow vulnerabilities in\r\nAdobe Systems Inc.'s Flash Media Server 2 could allow an\r\nunauthenticated attacker to execute arbitrary code with SYSTEM\r\nprivileges.\r\n\r\nThe Flash Media Server contains a component called the Edge server,\r\nwhich listens on TCP ports 1935 and 19350 for incoming connections.\r\nThis port is the primary port used for client/server communication. The\r\nEdge server speaks the Real Time Message Protocol, or RTMP, a\r\nproprietary binary protocol developed by Adobe.\r\n\r\nThese vulnerabilities exist within the code responsible for parsing RTMP\r\nmessages. In each case, a 32-bit value taken directly from the packet is\r\nused in an arithmetic operation to calculate the number of bytes to\r\nallocate for a dynamic buffer. This operation can overflow, which later\r\nleads to a heap overflow.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation of these vulnerabilities results in the execution of\r\narbitrary code with SYSTEM level privileges. In order to exploit these\r\nvulnerabilities, an attacker only needs the ability to connect to the\r\ntarget server on TCP port 1935 or 19350.\r\n\r\nUnsuccessful attempts at exploitation will likely result in the Edge\r\nserver crashing. After crashing, the Edge server will be restarted\r\nautomatically. This gives an attacker an unlimited number of attempts\r\nat exploitation.\r\n\r\nIV. DETECTION\r\n\r\niDefense has confirmed the existence of these vulnerabilities in Flash\r\nMedia Server 2 version 2.0.4 on Windows. Previous versions, as well as\r\nthe Linux version, may also be affected.\r\n\r\nV. WORKAROUND\r\n\r\niDefense is currently unaware of any workarounds for this issue.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nAdobe has addressed these vulnerabilities by releasing version 2.0.5 of\r\nFlash Media Server. For more information, consult their bulletin at the\r\nfollowing URL.\r\n\r\nhttp://www.adobe.com/support/security/bulletins/apsb08-03.html\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CVE-2007-6149 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org/), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n11/27/2007 Initial vendor notification\r\n11/27/2007 Initial vendor response\r\n02/12/2008 Coordinated public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThese vulnerabilities were reported to VeriSign iDefense by Sebastian\r\nApelt.\r\n\r\nGet paid for vulnerability research\r\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2008 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease e-mail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\n There are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct,\r\nindirect, or consequential loss or damage arising from use of, or\r\nreliance on, this information.", "modified": "2008-02-13T00:00:00", "published": "2008-02-13T00:00:00", "id": "SECURITYVULNS:DOC:19115", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19115", "title": "iDefense Security Advisory 02.12.08: Adobe Flash Media Server 2 Multiple Integer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:10:43", "bulletinFamily": "scanner", "description": "The remote host is running Adobe's Flash Media Server, an application server for Flash-based applications. \n\nThe Edge server component included with the version of Flash Media Server installed on the remote host contains several integer overflow and memory corruption errors that can be triggered when parsing specially crafted Real Time Message Protocol (RTMP) packets. An unauthenticated, remote attacker can leverage these issues to crash the affected service or execute arbitrary code with SYSTEM-level privileges (under Windows), potentially resulting in a complete compromise of the affected host.", "modified": "2018-11-15T00:00:00", "id": "ADOBE_FMS_2_0_5.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=31096", "published": "2008-02-15T00:00:00", "title": "Adobe Flash Media Server < 2.0.5 Multiple Remote Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(31096);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2007-6431\", \"CVE-2007-6148\", \"CVE-2007-6149\");\n script_bugtraq_id(27762);\n script_xref(name:\"Secunia\", value:\"28946\");\n\n script_name(english:\"Adobe Flash Media Server < 2.0.5 Multiple Remote Vulnerabilities\");\n script_summary(english:\"Grabs version from a Server response header\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Flash media server is affected by multiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Adobe's Flash Media Server, an application\nserver for Flash-based applications. \n\nThe Edge server component included with the version of Flash Media\nServer installed on the remote host contains several integer overflow\nand memory corruption errors that can be triggered when parsing\nspecially crafted Real Time Message Protocol (RTMP) packets. An\nunauthenticated, remote attacker can leverage these issues to crash the\naffected service or execute arbitrary code with SYSTEM-level\nprivileges (under Windows), potentially resulting in a complete\ncompromise of the affected host.\" );\n # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=662\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1769e068\" );\n # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=663\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?401cb634\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2008/Feb/174\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2008/Feb/178\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.adobe.com/support/security/bulletins/apsb08-03.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Flash Media Server 2.0.5 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(189, 399);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2008/02/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2008/02/12\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_media_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gain a shell remotely\");\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"adobe_fms_detect.nasl\");\n script_require_ports(\"Services/rtmp\", 1935, 19350);\n script_require_keys(\"rtmp/adobe_fms\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_kb_item_or_exit(\"Services/rtmp\");\nversion = get_kb_item_or_exit(\"rtmp/\" + port + \"/adobe_fms/version\");\nsource = get_kb_item_or_exit(\"rtmp/\" + port + \"/adobe_fms/version_source\");\n\nif (ver_compare(ver:version, fix:\"2.0.5\") == -1)\n{\n if (report_verbosity)\n {\n report = \n '\\n' +\n 'Version source : ' + source +\n '\\n' +\n 'Installed version : ' + version +\n '\\n' +\n 'Fixed version : 2.0.5\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse exit(0, \"The Adobe Flash Media Server version \"+version+\" on port \"+port+\" is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T21:47:03", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 27762\r\nCVE(CAN) ID: CVE-2007-6149,CVE-2007-6148,CVE-2007-6431\r\n\r\nAdobe Flash Media Server\u662f\u57fa\u4e8eFlash\u5e94\u7528\u7a0b\u5e8f\u7684\u670d\u52a1\u5668\uff0c\u53ef\u63d0\u4f9b\u8fd0\u884c\u4ea4\u4e92\u5f0f\u5e94\u7528\u53ca\u97f3\u9891\u89c6\u9891\u6d41\u7684\u73af\u5883\u3002\r\n\r\nFlash Media Server\u5305\u542b\u6709\u540d\u4e3aEdge Server\u7684\u7ec4\u4ef6\uff0c\u8be5\u7ec4\u4ef6\u5728TCP 1935\u548c19350\u7aef\u53e3\u76d1\u542c\u5165\u7ad9\u8fde\u63a5\u3002Edge server\u7ec4\u4ef6\u8d1f\u8d23\u89e3\u6790RTMP\u6d88\u606f\u7684\u4ee3\u7801\u5b58\u5728\u591a\u4e2a\u6574\u6570\u6ea2\u51fa\u6f0f\u6d1e\u3002\u5982\u679c\u7528\u6237\u53d7\u9a97\u8fde\u63a5\u5230\u4e86\u6076\u610f\u670d\u52a1\u5668\u7684\u8bdd\uff0c\u8be5\u7ec4\u4ef6\u76f4\u63a5\u4ece\u62a5\u6587\u53d6\u5f97\u4e8632\u4f4d\u503c\u5e76\u5c06\u5176\u7528\u4e8e\u8ba1\u7b97\u6240\u8981\u5206\u914d\u52a8\u6001\u7f13\u51b2\u533a\u7684\u5b57\u8282\u6570\u3002\u8fd9\u4f1a\u89e6\u53d1\u6574\u6570\u6ea2\u51fa\uff0c\u4e4b\u540e\u5bfc\u81f4\u5806\u6ea2\u51fa\u3002\r\n\r\n\u6b64\u5916Edge Server\u7ec4\u4ef6\u7ec4\u4ef6\u5728\u89e3\u6790RTMP\u6d88\u606f\u65f6\u7279\u5b9a\u7684\u8bf7\u6c42\u5e8f\u5217\u4f1a\u5bfc\u81f4\u4f7f\u7528\u5df2\u7ecf\u91ca\u653e\u7684\u5185\u5b58\u533a\u57df\uff0c\u8fd9\u53ef\u80fd\u5bfc\u81f4\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n\n\nAdobe Flash Media Server <= 2.0.4\r\nAdobe Connect Enterprise Server <= 6 SP2\n Adobe\r\n-----\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\n<a href=http://download.macromedia.com/pub/flashmediaserver/updates/2_0_5/win/flashmediaserver2.zip target=_blank>http://download.macromedia.com/pub/flashmediaserver/updates/2_0_5/win/flashmediaserver2.zip</a>", "modified": "2008-02-21T00:00:00", "published": "2008-02-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-2914", "id": "SSV:2914", "title": "Adobe Flash Media Server\u591a\u4e2a\u8fdc\u7a0b\u6ea2\u51fa\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}]}