Vulnerabilities > CVE-2007-6148 - Resource Management Errors vulnerability in Adobe Connect Enterprise Server and Flash Media Server 2

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
adobe
CWE-399
critical
nessus

Summary

Use-after-free vulnerability in the Edge server in Adobe Flash Media Server 2 before 2.0.5, and Connect Enterprise Server 6 before SP3, allows remote attackers to execute arbitrary code via an unspecified sequence of Real Time Message Protocol (RTMP) requests.

Vulnerable Configurations

Part Description Count
Application
Adobe
2

Common Weakness Enumeration (CWE)

Nessus

NASL familyGain a shell remotely
NASL idADOBE_FMS_2_0_5.NASL
descriptionThe remote host is running Adobe
last seen2020-06-01
modified2020-06-02
plugin id31096
published2008-02-15
reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/31096
titleAdobe Flash Media Server < 2.0.5 Multiple Remote Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(31096);
  script_version("1.21");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2007-6431", "CVE-2007-6148", "CVE-2007-6149");
  script_bugtraq_id(27762);
  script_xref(name:"Secunia", value:"28946");

  script_name(english:"Adobe Flash Media Server < 2.0.5 Multiple Remote Vulnerabilities");
  script_summary(english:"Grabs version from a Server response header");

  script_set_attribute(attribute:"synopsis", value:
"The remote Flash media server is affected by multiple vulnerabilities." );
  script_set_attribute(attribute:"description", value:
"The remote host is running Adobe's Flash Media Server, an application
server for Flash-based applications. 

The Edge server component included with the version of Flash Media
Server installed on the remote host contains several integer overflow
and memory corruption errors that can be triggered when parsing
specially crafted Real Time Message Protocol (RTMP) packets.  An
unauthenticated, remote attacker can leverage these issues to crash the
affected service or execute arbitrary code with SYSTEM-level
privileges (under Windows), potentially resulting in a complete
compromise of the affected host." );
  # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=662
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1769e068" );
  # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=663
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?401cb634" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Feb/174" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Feb/178" );
  script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb08-03.html" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to Flash Media Server 2.0.5 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(189, 399);
  script_set_attribute(attribute:"plugin_publication_date", value: "2008/02/15");
  script_set_attribute(attribute:"patch_publication_date", value: "2008/02/12");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:flash_media_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");
  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");

  script_dependencies("adobe_fms_detect.nasl");
  script_require_ports("Services/rtmp", 1935, 19350);
  script_require_keys("rtmp/adobe_fms");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_kb_item_or_exit("Services/rtmp");
version = get_kb_item_or_exit("rtmp/" + port + "/adobe_fms/version");
source = get_kb_item_or_exit("rtmp/" + port + "/adobe_fms/version_source");

if (ver_compare(ver:version, fix:"2.0.5") == -1)
{
  if (report_verbosity)
  {
    report = 
      '\n' +
      'Version source : ' + source +
      '\n' +
      'Installed version : ' + version +
      '\n' +
      'Fixed version : 2.0.5\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else exit(0, "The Adobe Flash Media Server version "+version+" on port "+port+" is not affected.");

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 27762 CVE(CAN) ID: CVE-2007-6149,CVE-2007-6148,CVE-2007-6431 Adobe Flash Media Server是基于Flash应用程序的服务器,可提供运行交互式应用及音频视频流的环境。 Flash Media Server包含有名为Edge Server的组件,该组件在TCP 1935和19350端口监听入站连接。Edge server组件负责解析RTMP消息的代码存在多个整数溢出漏洞。如果用户受骗连接到了恶意服务器的话,该组件直接从报文取得了32位值并将其用于计算所要分配动态缓冲区的字节数。这会触发整数溢出,之后导致堆溢出。 此外Edge Server组件组件在解析RTMP消息时特定的请求序列会导致使用已经释放的内存区域,这可能导致执行任意代码。 Adobe Flash Media Server &lt;= 2.0.4 Adobe Connect Enterprise Server &lt;= 6 SP2 Adobe ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://download.macromedia.com/pub/flashmediaserver/updates/2_0_5/win/flashmediaserver2.zip target=_blank>http://download.macromedia.com/pub/flashmediaserver/updates/2_0_5/win/flashmediaserver2.zip</a>
idSSV:2914
last seen2017-11-19
modified2008-02-21
published2008-02-21
reporterRoot
titleAdobe Flash Media Server多个远程溢出漏洞