Vulnerabilities > CVE-2008-1771 - Numeric Errors vulnerability in Fireflymediaserver 0.2.4.1
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Integer overflow in the ws_getpostvars function in Firefly Media Server (formerly mt-daapd) 0.2.4.1 (0.9~r1696-1.2 on Debian) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP POST request with a large Content-Length.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_86A4D810188411DDA9140016179B2DD5.NASL description FrSIRT reports : A vulnerability has been identified in mt-daapd which could be exploited by remote attackers to cause a denial of service or compromise an affected system. This issue is caused by a buffer overflow error in the ws_getpostvars() function when processing a negative Content-Length : header value, which could be exploited by remote unauthenticated attackers to crash an affected application or execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 32146 published 2008-05-09 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32146 title FreeBSD : mt-daapd -- integer overflow (86a4d810-1884-11dd-a914-0016179b2dd5) NASL family Gain a shell remotely NASL id FIREFLY_CONTENT_OVERFLOW.NASL description The remote host is running Firefly Media Server, also known as mt-daapd, a media streaming server. The version of Firefly Media Server installed on the remote host apparently fails to sanitize user-supplied Content-Length field before using it to the call to last seen 2020-06-01 modified 2020-06-02 plugin id 32031 published 2008-04-23 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32031 title Firefly Media Server ws_getpostvars Function Content-Length Header HTTP Request Handling Overflow NASL family Fedora Local Security Checks NASL id FEDORA_2008-4126.NASL description - Thu May 15 2008 W. Michael Petullo <mike[at]flyn.org> - 0.2.4.2-2 - Bump epoch. - Wed May 14 2008 W. Michael Petullo <mike[at]flyn.org> - 0.2.4.2-1 - New upstream version. - Remove check-input patch; it last seen 2020-06-01 modified 2020-06-02 plugin id 32387 published 2008-05-20 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32387 title Fedora 9 : mt-daapd-0.2.4.2-2.fc9 (2008-4126) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3250.NASL description - Bug #442688 - CVE-2008-1771 mt-daapd: integer overflow allowing remote DoS and possibly arbitrary code execution Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 32041 published 2008-04-25 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32041 title Fedora 8 : mt-daapd-0.9-0.4.1696.fc8 (2008-3250) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1597.NASL description Three vulnerabilities have been discovered in the mt-daapd DAAP audio server (also known as the Firefly Media Server). The Common Vulnerabilities and Exposures project identifies the following three problems : - CVE-2007-5824 Insufficient validation and bounds checking of the Authorization: HTTP header enables a heap buffer overflow, potentially enabling the execution of arbitrary code. - CVE-2007-5825 Format string vulnerabilities in debug logging within the authentication of XML-RPC requests could enable the execution of arbitrary code. - CVE-2008-1771 An integer overflow weakness in the handling of HTTP POST variables could allow a heap buffer overflow and potentially arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 33178 published 2008-06-16 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/33178 title Debian DSA-1597-2 : mt-daapd - multiple vulnerabilities
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 28860 CVE(CAN) ID: CVE-2008-1771 Firefly是Roku SoundBridge和iTunes所使用的开源媒体服务器。 Firefly的src/webserver.c文件的ws_getpostvars()函数中存在堆溢出漏洞,如果远程攻击者向服务区发送了带有负数Content-Length值的POST请求的话就可以触发这个溢出,导致拒绝服务或执行任意指令。 以下是src/webserver.c文件中的漏洞代码: 707 int ws_getpostvars(WS_CONNINFO *pwsc) { 708 char *content_length; 709 unsigned char *buffer; 710 uint32_t length; 711 uint32_t ms; .... 715 content_length = ws_getarg(&pwsc->request_headers,"Content-Length"); .... 722 length=atoi(content_length); 723 ws_dprintf(L_WS_DBG,"Thread %d: Post var length: %d\n", 724 pwsc->threadno,length); 725 726 buffer=(unsigned char*)malloc(length+1); .... 739 if(!io_read_timeout(pwsc->hclient, buffer, &length, &ms)) { .... 757 758 if(!ws_getgetvars(pwsc,(char*)buffer)) { 759 /* assume error was set already */ 760 free(buffer); 761 ws_dprintf(L_WS_LOG,"Could not parse get vars\n"); 762 return FALSE; 763 } 764 765 free(buffer); 这里的相对变量为uint32_t类型的length,在715行content_length指向了用户在HTTP POST请求中所提供的Content-Length值,这个值在722行使用atoi转换为整数。由于长度类型为uint32_t,值-1会将length设置为UINT_MAX,然后使用这个长度值分配堆上空间,在malloc调用添加+ 1就会触发整数溢出。如果Content-Length: -1的话,传送给malloc的(UINT_MAX + 1)缓冲区大小为0,导致malloc分配可能的最小块,但不会失败。 在739行会对缓冲区执行定时的读取,src/io.c的io_read_timeout()函数结束对io_read的调用,将length字节数读到缓冲区,向length写回读字节的计数,因此可能出现堆溢出,导致在765行释放已破坏的缓冲区时服务器崩溃。 Firefly Media Server < 0.2.4.2 Firefly ------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://sourceforge.net/project/showfiles.php?group_id=98211&package_id=105189&release_id=593465 target=_blank>http://sourceforge.net/project/showfiles.php?group_id=98211&package_id=105189&release_id=593465</a> |
| id | SSV:3207 |
| last seen | 2017-11-19 |
| modified | 2008-04-23 |
| published | 2008-04-23 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-3207 |
| title | Firefly媒体服务器畸形Content-Length字段堆溢出漏洞 |
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476241
- http://secunia.com/advisories/29917
- http://secunia.com/advisories/29919
- http://secunia.com/advisories/30661
- http://sourceforge.net/project/shownotes.php?release_id=593465&group_id=98211
- http://www.debian.org/security/2008/dsa-1597
- http://www.securityfocus.com/bid/28860
- http://www.securitytracker.com/id?1019908
- http://www.vupen.com/english/advisories/2008/1303/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41850
- https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00446.html