CVE-2007-6149 - Numeric Errors vulnerability in Adobe Connect Enterprise Server and Flash Media Server 2

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, adobe, CWE-189, critical, nessus

Summary

Multiple integer overflows in the Edge server in Adobe Flash Media Server 2 before 2.0.5, and Connect Enterprise Server 6 before SP3, allow remote attackers to execute arbitrary code via a Real Time Message Protocol (RTMP) message with a crafted integer field that is used for allocation.

Vulnerable Configurations

Part | Description | Count
Application | Adobe | 2

Common Weakness Enumeration (CWE)

Nessus

NASL family: Gain a shell remotely
NASL id: ADOBE_FMS_2_0_5.NASL
description: The remote host is running Adobe
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 31096
published: 2008-02-15
reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/31096
title: Adobe Flash Media Server < 2.0.5 Multiple Remote Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(31096);
  script_version("1.21");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2007-6431", "CVE-2007-6148", "CVE-2007-6149");
  script_bugtraq_id(27762);
  script_xref(name:"Secunia", value:"28946");

  script_name(english:"Adobe Flash Media Server < 2.0.5 Multiple Remote Vulnerabilities");
  script_summary(english:"Grabs version from a Server response header");

  script_set_attribute(attribute:"synopsis", value:
"The remote Flash media server is affected by multiple vulnerabilities." );
  script_set_attribute(attribute:"description", value:
"The remote host is running Adobe's Flash Media Server, an application
server for Flash-based applications. 

The Edge server component included with the version of Flash Media
Server installed on the remote host contains several integer overflow
and memory corruption errors that can be triggered when parsing
specially crafted Real Time Message Protocol (RTMP) packets.  An
unauthenticated, remote attacker can leverage these issues to crash the
affected service or execute arbitrary code with SYSTEM-level
privileges (under Windows), potentially resulting in a complete
compromise of the affected host." );
  # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=662
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1769e068" );
  # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=663
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?401cb634" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Feb/174" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Feb/178" );
  script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb08-03.html" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to Flash Media Server 2.0.5 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(189, 399);
  script_set_attribute(attribute:"plugin_publication_date", value: "2008/02/15");
  script_set_attribute(attribute:"patch_publication_date", value: "2008/02/12");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:flash_media_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");
  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");

  script_dependencies("adobe_fms_detect.nasl");
  script_require_ports("Services/rtmp", 1935, 19350);
  script_require_keys("rtmp/adobe_fms");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_kb_item_or_exit("Services/rtmp");
version = get_kb_item_or_exit("rtmp/" + port + "/adobe_fms/version");
source = get_kb_item_or_exit("rtmp/" + port + "/adobe_fms/version_source");

if (ver_compare(ver:version, fix:"2.0.5") == -1)
{
  if (report_verbosity)
  {
    report = 
      '\n' +
      'Version source : ' + source +
      '\n' +
      'Installed version : ' + version +
      '\n' +
      'Fixed version : 2.0.5\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else exit(0, "The Adobe Flash Media Server version "+version+" on port "+port+" is not affected.");

Seebug

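bulletinFamily: exploit
description:
BUGTRAQ ID: 27762
CVE(CAN) ID: CVE-2007-6149, CVE-2007-6148, CVE-2007-6431

Adobe Flash Media Server is a server for Flash-based applications that provides an environment for running interactive applications and streaming audio and video.

Flash Media Server includes a component named Edge Server, which listens for inbound connections on TCP ports 1935 and 19350. The code in the Edge Server component that parses RTMP messages contains multiple integer overflow vulnerabilities. If a user is tricked into connecting to a malicious server, the component takes a 32-bit value directly from the packet and uses it to calculate the number of bytes to allocate for a dynamic buffer. This triggers an integer overflow, which then leads to a heap overflow.

In addition, when the Edge Server component parses RTMP messages, a specific sequence of requests can cause a memory region that has already been freed to be used, which may lead to arbitrary code execution.

Adobe Flash Media Server <= 2.0.4
Adobe Connect Enterprise Server <= 6 SP2

Adobe
-----
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site:
http://download.macromedia.com/pub/flashmediaserver/updates/2_0_5/win/flashmediaserver2.zip
id: SSV:2914
last seen: 2017-11-19
modified: 2008-02-21
published: 2008-02-21
reporter: Root
title: Adobe Flash Media Server Multiple Remote Overflow Vulnerabilities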