CVE-2007-5825 - Use of Externally-Controlled Format String vulnerability in Firefly Media Server 0.2.4

CVSS v2 base score: 7.5 - HIGH (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)

Access vector           NETWORK
Access complexity       LOW
Authentication          NONE
Confidentiality impact  PARTIAL
Integrity impact        PARTIAL
Availability impact     PARTIAL

Tags: network, low complexity, firefly, CWE-134, nessus

Summary

Format string vulnerability in the ws_addarg function in webserver.c in mt-daapd in Firefly Media Server 0.2.4 and earlier allows remote attackers to execute arbitrary code via a stats method action to /xml-rpc with format string specifiers in the (1) username or (2) password portion of the base64-encoded data on the "Authorization: Basic" HTTP header line.

Vulnerable Configurations

Part         Description   Count
Application  Firefly       1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in C functions such as printf, the conversion %s reads a pointer argument and prints the memory it points to as a string, and %n writes the number of bytes output so far into the int designated by its pointer argument. An attacker can use this to read or write memory locations, or simply to manipulate the value of the resulting text in unexpected ways. Reading memory may leak data or crash the program; writing memory can lead to the execution of arbitrary code if the attacker can overwrite a return address, function pointer or other control data.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
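The Summary and the CAPEC entry above describe the same defect from two angles: decoded Basic-auth credentials reach a vsnprintf format parameter. The C below is an added example written for this page, not mt-daapd's own code; the function names (addarg_like, parse_basic_auth, header_specifier_count, safe_username) and the sample header value are this example's own. It decodes a constructed "Authorization: Basic" value, splits it at ':' (refusing input with no ':' rather than dereferencing NULL, the shape behind the companion CVE-2007-5824), counts the conversion specifiers an attacker smuggled into the username and password, and shows the fixed call pattern beside the vulnerable one: a constant "%s" format with the credential as an argument, instead of the credential as the format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Base64 alphabet lookup; -1 for anything outside the standard alphabet. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode standard base64 into out (NUL-terminated). Returns bytes written,
 * or -1 on an invalid character or an undersized buffer. */
static int base64_decode(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    unsigned acc = 0;
    int bits = 0;

    for (; *in != '\0' && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) return -1;
        acc = ((acc << 6) | (unsigned)v) & 0xffffffu;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)((acc >> bits) & 0xffu);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Split "Basic <base64(user:pass)>" into user and pass. Returns 0 on success,
 * -1 if the scheme is not Basic, the base64 is bad, there is no ':' in the
 * decoded text, or a part does not fit. */
static int parse_basic_auth(const char *hdr, char *user, size_t ulen,
                            char *pass, size_t plen)
{
    char decoded[256];
    const char *colon;
    size_t ul;

    if (strncmp(hdr, "Basic ", 6) != 0) return -1;
    if (base64_decode(hdr + 6, decoded, sizeof decoded) < 0) return -1;
    colon = strchr(decoded, ':');
    if (colon == NULL) return -1;
    ul = (size_t)(colon - decoded);
    if (ul >= ulen || strlen(colon + 1) >= plen) return -1;
    memcpy(user, decoded, ul);
    user[ul] = '\0';
    strcpy(pass, colon + 1);
    return 0;
}

/* Count printf conversions in untrusted text ("%%" is a literal percent).
 * Anything non-zero must never reach a format parameter. */
int count_format_specifiers(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Same shape as the ws_addarg call the advisory describes: fmt goes straight
 * to vsnprintf. Harmless with a literal fmt, CVE-2007-5825 when fmt is the
 * decoded credential. */
static void addarg_like(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(dst, dstlen, fmt, ap);
    va_end(ap);
}

/* Conversions smuggled into username plus password, or -1 if the header
 * does not parse. */
int header_specifier_count(const char *hdr)
{
    char user[128], pass[128];
    if (parse_basic_auth(hdr, user, sizeof user, pass, sizeof pass) != 0) return -1;
    return count_format_specifiers(user) + count_format_specifiers(pass);
}

/* Store the decoded username the fixed way and hand it back: "%x%x" comes
 * back as four literal characters instead of being interpreted. */
const char *safe_username(const char *hdr)
{
    static char stored[128];
    char user[128], pass[128];
    if (parse_basic_auth(hdr, user, sizeof user, pass, sizeof pass) != 0) return NULL;
    addarg_like(stored, sizeof stored, "%s", user); /* fixed: constant format */
    /* addarg_like(stored, sizeof stored, user);       vulnerable: user is the format */
    return stored;
}

int main(void)
{
    /* Constructed header value: base64("%x%x:secret"), two conversions in the username. */
    const char *hdr = "Basic JXgleDpzZWNyZXQ=";
    printf("conversions in credentials: %d\n", header_specifier_count(hdr));
    printf("username stored safely: %s\n", safe_username(hdr));
    return 0;
}
```

The specifier count is a detection aid for logging or a WAF rule, not the fix: the fix is that untrusted bytes are only ever an argument to a constant format, which is what safe_username does and what the Nessus plugin below probes by sending sixteen "%n" conversions in the username.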

Nessus

  • NASL family: Gain a shell remotely
    NASL id: FIREFLY_FORMAT_STRING.NASL
    description: The remote host is running Firefly Media Server, also known as mt-daapd, a media streaming server. The version of Firefly Media Server installed on the remote host apparently fails to sanitize user-supplied input before using it as the format string in a call to 'vsnprintf' in 'src/webserver.c'.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27619
    published: 2007-11-03
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27619
    title: Firefly Media Server webserver.c ws_addarg Function /xml-rpc Authorization Header Remote Format String
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27619);
      script_version("1.21");
    
      script_cve_id("CVE-2007-5825");
      script_bugtraq_id(26310);
    
      script_name(english:"Firefly Media Server webserver.c ws_addarg Function /xml-rpc Authorization Header Remote Format String");
      script_summary(english:"Sends a specially crafted Authorization request header");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by a format string vulnerability." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running Firefly Media Server, also known as
    mt-daapd, a media streaming server. 
    
    The version of Firefly Media Server installed on the remote host
    apparently fails to sanitize user-supplied input before using it as
    the format string in a call to 'vsnprintf' in 'src/webserver.c'. 
    Using a specially crafted HTTP Authorization request header, an
    unauthenticated, remote attacker can leverage this issue to crash the
    affected service or to execute arbitrary code on the affected system,
    subject to the privileges under which the service operates." );
     script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/483209/30/0/threaded" );
      # http://sourceforge.net/project/shownotes.php?release_id=548679&group_id=98211
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bd56a4e9" );
     script_set_attribute(attribute:"solution", value:
    "Either disable the service or upgrade to Firefly Media Server 0.2.4.1
    or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_cwe_id(134);
     script_set_attribute(attribute:"plugin_publication_date", value: "2007/11/03");
     script_cvs_date("Date: 2018/11/15 20:50:22");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe",value:"cpe:/a:firefly:media_server");
    script_end_attributes();
    
    
      script_category(ACT_MIXED_ATTACK);
      script_family(english:"Gain a shell remotely");
    
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      script_dependencies("http_version.nasl");
      script_require_ports("Services/www", 3689);
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:3689, embedded: 1);
    
    # Make sure it looks like Firefly / mt-daapd.
    banner = get_http_banner(port:port);
    if (!banner || "mt-daapd/" >!< banner) exit(0);
    
    
    # Try to exploit the issue.
    if (safe_checks())
    {
      auth2 = "Basic";
    }
    else
    {
      if (report_paranoia < 2) exit(0);
    
      exploit = "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n";
      auth2 = string("Basic ", base64(str:exploit+":"+SCRIPT_NAME));
    }
    
    url = "/xml-rpc?method=stats";
    w = http_send_recv3(method:"GET", item:url, port:port,
      add_headers: make_array("Authorization", auth2));
    
    if (isnull(w))
     res = NULL;
    else
     res = strcat(w[0], w[1], '\r\n', w[2]);
    
    
    # If safe checks are enabled...
    if (safe_checks())
    {
      # there's a problem if we see a response with an invalid argument error.
      if (!isnull(res) && "<br>Error: Invalid argument" >< res) security_hole(port);
    }
    # Otherwise...
    else
    {
      # There's a problem if the server is down.
      w = http_send_recv3(method:"GET", item:url, port:port);
      if (isnull(w)) security_hole(port);
    }
    
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200712-18.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200712-18 (Multi-Threaded DAAP Daemon: Multiple vulnerabilities). nnp discovered multiple vulnerabilities in the XML-RPC handler in the file webserver.c. The ws_addarg() function contains a format string vulnerability, as it does not properly sanitize username and password data from the 'Authorization: Basic' HTTP header line (CVE-2007-5825).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 29815
    published: 2007-12-31
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/29815
    title: GLSA-200712-18 : Multi-Threaded DAAP Daemon: Multiple vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200712-18.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(29815);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:44");
    
      script_cve_id("CVE-2007-5824", "CVE-2007-5825");
      script_bugtraq_id(26310);
      script_xref(name:"GLSA", value:"200712-18");
    
      script_name(english:"GLSA-200712-18 : Multi-Threaded DAAP Daemon: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200712-18
    (Multi-Threaded DAAP Daemon: Multiple vulnerabilities)
    
        nnp discovered multiple vulnerabilities in the XML-RPC handler in the
        file webserver.c. The ws_addarg() function contains a format string
        vulnerability, as it does not properly sanitize username and password
        data from the 'Authorization: Basic' HTTP header line (CVE-2007-5825).
        The ws_decodepassword() and ws_getheaders() functions do not correctly
        handle empty Authorization header lines, or header lines without a ':'
        character, leading to NULL pointer dereferences (CVE-2007-5824).
      
    Impact :
    
        A remote attacker could send specially crafted HTTP requests to the web
        server in the Multi-Threaded DAAP Daemon, possibly leading to the
        execution of arbitrary code with the privileges of the user running the
        web server or a Denial of Service.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200712-18"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Multi-Threaded DAAP Daemon users should upgrade to the latest
        version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=media-sound/mt-daapd-0.2.4.1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(20, 134);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mt-daapd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/12/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"media-sound/mt-daapd", unaffected:make_list("ge 0.2.4.1"), vulnerable:make_list("lt 0.2.4.1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Multi-Threaded DAAP Daemon");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1597.NASL
    description: Three vulnerabilities have been discovered in the mt-daapd DAAP audio server (also known as the Firefly Media Server). The Common Vulnerabilities and Exposures project identifies the following three problems: - CVE-2007-5824 Insufficient validation and bounds checking of the Authorization: HTTP header enables a heap buffer overflow, potentially enabling the execution of arbitrary code. - CVE-2007-5825 Format string vulnerabilities in debug logging within the authentication of XML-RPC requests could enable the execution of arbitrary code. - CVE-2008-1771 An integer overflow weakness in the handling of HTTP POST variables could allow a heap buffer overflow and potentially arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33178
    published: 2008-06-16
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33178
    title: Debian DSA-1597-2 : mt-daapd - multiple vulnerabilities