0day.today - Biggest Exploit Database in the World.
Firefly Media Server (mt-daapd) 2.4.1 / SVN 1699 Multiple Vulnerabilities
=========================================================================

#######################################################################

                             Luigi Auriemma

Application:  Firefly Media Server (mt-daapd)
              http://www.fireflymediaserver.org
Versions:     <= 2.4.1 and SVN <= 1699
Platforms:    *nix, Windows, Mac and others
Bugs:         A] partial directory traversal on Windows
              B] authentication bypass on Windows
              C] duplicated HTTP parameter Denial of Service
              D] CPU at 100% with partial queries
Exploitation: remote
Date:         03 Dec 2007
Author:       Luigi Auriemma

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Firefly Media Server (aka mt-daapd) is an open source server for the DAAP protocol used by Roku SoundBridge and iTunes.

#######################################################################

=======
2) Bugs
=======

-----------------------------------------
A] partial directory traversal on Windows
-----------------------------------------

Using three dots in the HTTP query it is possible to retrieve a specific file from the parent directory of the Firefly admin-root folder. That means an attacker can download the mt-daapd.conf file, which contains the complete configuration of the server, or other files such as firefly.log. If the server is password protected it is enough to use bug B below, which allows any external unauthenticated attacker to download these files (in short, GET /.../mt-daapd.conf works only if no password is set; otherwise you must use GET .../mt-daapd.conf or the other methods explained there). In my tests it was possible to go down only one directory, which is why I consider it "partial".

This problem is exploitable only against Windows servers.

-----------------------------------
B] authentication bypass on Windows
-----------------------------------

Using a dot '.' or a backslash '\' before the URI (in place of the usual /), or nothing at all (GET file.txt HTTP/1.0), allows any unauthenticated attacker to download files from the admin-root folder when the server is password protected. Although the admin-root folder does not contain sensitive information, this becomes very dangerous when combined with bug A as described above. Note that the trick works only for "real" files and not for special ones such as xml-rpc and the DAAP commands.

This problem is exploitable only against Windows servers.

----------------------------------------------
C] duplicated HTTP parameter Denial of Service
----------------------------------------------

It is possible to terminate the server remotely simply by sending two or more HTTP headers with the same name (for example two Host or User-Agent headers, or any other name).

-----------------------------------
D] CPU at 100% with partial queries
-----------------------------------

Not as dangerous as the bugs above, but the server's CPU goes to 100% while it is receiving a query. This means anyone can connect and send only the first line (GET / HTTP/1.0) to cause this effect, which continues indefinitely even after the attacker disconnects.

#######################################################################

===========
3) The Code
===========

Example queries to send with netcat:

http://www.inj3ct0r.com/sploits/9076.zip

  nc localhost 9999 -v -v < file.txt

#######################################################################

======
4) Fix
======

The bugs will be fixed in the next versions.

#######################################################################

# 0day.today [2024-07-08] #
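As an added example (not Auriemma's code and not part of mt-daapd), the following Python classifies a raw HTTP request against the three request-shape bugs in section 2 (A, B and C), so a defender can run it over captured requests or use it as a pre-filter in front of the server; the sample requests are constructed. It generalizes slightly beyond the advisory by also flagging ordinary ".." segments.

```python
import re
from collections import Counter

# Constructed sample requests mirroring the request shapes in the advisory.
SAMPLES = {
    "traversal": "GET /.../mt-daapd.conf HTTP/1.0\r\nHost: srv\r\n\r\n",
    "no-slash":  "GET file.txt HTTP/1.0\r\nHost: srv\r\n\r\n",
    "dup-hdr":   "GET / HTTP/1.0\r\nHost: a\r\nHost: b\r\n\r\n",
    "normal":    "GET /index.html HTTP/1.0\r\nHost: srv\r\nUser-Agent: nc\r\n\r\n",
}

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return parts[0], parts[1], headers

def check_request(raw):
    """Return a tag for each advisory bug class (A, B, C) the request matches."""
    _, target, headers = parse_request(raw)
    findings = []
    # A: a path segment made only of dots ("..." in the advisory; ".." as well),
    #    split on both '/' and '\' because the affected platform is Windows
    if any(re.fullmatch(r"\.{2,}", seg) for seg in re.split(r"[/\\]", target)):
        findings.append("A:dot-traversal")
    # B: a valid target is origin-form ("/..."), absolute-form or "*";
    #    '.', '\' or a bare filename is the bypass shape from the advisory
    if not (target.startswith("/") or target.startswith(("http://", "https://")) or target == "*"):
        findings.append("B:bad-target-prefix")
    # C: the same header name sent twice terminated the server
    if any(c > 1 for c in Counter(n for n, _ in headers).values()):
        findings.append("C:duplicate-header")
    return findings

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, check_request(req))
```

Bug D cannot be seen in a single parsed request: it is a connection left open after an incomplete request line, so the mitigation there is a read timeout on the accepting socket rather than a content check.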