[Full-disclosure] Multiple vulnerabilities in Firefly Media Server (mt-daapd) 2.4.1 / SVN 1699




#######################################################################

Luigi Auriemma

Application: Firefly Media Server (mt-daapd)
http://www.fireflymediaserver.org
Versions: <= 2.4.1 and SVN <= 1699
Platforms: *nix, Windows, Mac and others
Bugs: A] partial directory traversal on Windows
B] authentication bypass on Windows
C] duplicated HTTP parameter Denial of Service
D] CPU at 100% with partial queries
Exploitation: remote
Date: 03 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Firefly Media Server (aka mt-daapd) is an open source server for the
DAAP protocol used by Roku SoundBridge and iTunes.


#######################################################################

=======
2) Bugs
=======

-----------------------------------------
A] partial directory traversal on Windows
-----------------------------------------

Using 3 dots in the HTTP query is possible to get a specific file in
the parent directory of the Firefly admin-root folder.
That means that an attacker can download the mt-daapd.conf file which
contains all the configuration of the server or other files like
firefly.log and so on.

If the server is protected by password is enough to use the bug B below
which allows any external unauthenticated attacker to download these
files (in short GET /.../mt-daapd.conf works only if no password is
set, otherwise you must use GET .../mt-daapd.conf or the other methods
explained there).

In my tests was possible to go down only of one directory, that's why I
consider it "partial".

This problem is exploitable only versus Windows servers.


-----------------------------------
B] authentication bypass on Windows
-----------------------------------

The usage of a dot '.' or a backslash '\' before the URI (at the place
of the usual /) or just nothing (GET file.txt HTTP/1.0) allows any
unauthenticated attacker to download the files from the admin-root
folder in case the server is protected by password.
Although the admin-root folder doesn't contain sensitive informations
it can become very dangerous if used with bug A as written above.

Note that the trick works only for the "real" files and not for the
special ones like xml-rpc and the DAAP commands.

This problem is exploitable only versus Windows servers.


----------------------------------------------
C] duplicated HTTP parameter Denial of Service
----------------------------------------------

It's possible to terminate the server remotely simply using two or more
HTTP parameters with the same name (like two Host or User-Agent or just
any other string).


-----------------------------------
D] CPU at 100% with partial queries
-----------------------------------

Not really dangerous as the above bugs anyway the server's CPU goes to
100% while receiving the queries, which means that anyone can just
connect to it sending only the first line (GET / HTTP/1.0) to cause
this effect which will continue forever also when the attacker
disconnects from it.


#######################################################################

===========
3) The Code
===========


Example queries to send with netcat:

http://aluigi.org/poc/fireflyz.zip

nc localhost 9999 -v -v < file.txt


#######################################################################

======
4) Fix
======


The bugs will be fixed in the next versions.


#######################################################################


---
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • SecurityFocus Microsoft Newsletter #154
    ... MICROSOFT VULNERABILITY SUMMARY ... ISS RealSecure Server Sensor SSL Denial Of Service Vulnerabi... ... Roger Wilco Remote Server Side Buffer Overrun Vulnerability ... available for Microsoft Windows operating systems. ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #49
    ... Subject: SecurityFocus Microsoft Newsletter #49 ... Microsoft Windows NNTP Denial of Service Vulnerability ... Microsoft IIS SSI Buffer Overrun Privelege Elevation Vulnerability ... Microsoft ISA Server H.323 Memory Leak Denial of Service... ...
    (Focus-Microsoft)
  • ~~~~~~~~~~~~~~ CANNOT FIND ~~~~~~~~~~~~~~
    ... acrobat cannot find external windows handler ... activesync cannot find exchange server ... aol internet explorer cannot find server ... brother network scanner cannot find pc ...
    (sci.geo.fluids)
  • ~~~~~~~~~~~~~~~ CANNOT FIND ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ... cannot find server or dns error ... windows cannot find null ... windows cannot find the network path ... cannot find internet explorer on computer ...
    (comp.protocols.snmp)
  • Questions Relating to Administering Windows 2000 Server
    ... installed the network client on the target computer. ... Sarah has been attempting to install Windows 2000 ... Server for two days. ... Sarah has checked the cables and hard drives. ...
    (microsoft.public.cert.exam.mcse)