[UPH-07-03] Firefly Media Server remote format string vulnerability



--
http://www.smashthestack.org
http://www.unprotectedhex.com

Attachment: uph0703.py

[UPH-07-02]
UnprotectedHex.com security advisory [07-02]
Discovered by nnp

Discovered : 1 August 2007
Reported to the vendor : 13 October 2007
Fixed by vendor : 21 October 2007

Vulnerability class : Remote format string

Affected product : mt-dappd/Firefly Media Server
Version : <= 0.2.4
Product details:
www.fireflymediaserver.org/
'''
The purpose of this project is to build the best server software to serve digital music to the Roku Soundbridge and iTunes; to be able to serve the widest variety of digital music content over the widest range of devices
'''

File/Function/line : webserver.c/ws_dispatcher,ws_addarg/916-920,1171

Cause: This is a vsnprintf()-related format string bug. ws_addarg() uses its third argument, fmt, as the format string, and at the two call sites in ws_dispatcher() that argument is user controlled: it is the username (or, equally, the password) decoded from the Authorization field of the request header. Both ws_addarg() calls are made whether or not auth_handler() accepted the credentials, so no valid account is needed and any format string can be supplied; nothing limits the length of the format string either. The size passed to vsnprintf() only bounds what is written into value: it does not stop %x or %s directives from reading memory through the va_list, nor %n from writing to an attacker-chosen address, which is why this vulnerability can be used to execute arbitrary code on the affected system.

    ws_decodepassword(auth,&username,&password);   /* both values come straight from the Authorization header */
    if(auth_handler(username,password))
        can_dispatch=1;
    /* reached whether or not auth_handler() accepted the credentials */
    ws_addarg(&pwsc->request_vars,"HTTP_USER",username);     /* username is passed as fmt */
    ws_addarg(&pwsc->request_vars,"HTTP_PASSWD",password);   /* password is passed as fmt */

int ws_addarg(ARGLIST *root, char *key, char *fmt, ...) {
    ...
    va_start(ap,fmt);
    vsnprintf(value,sizeof(value),fmt,ap);   /* fmt is caller data, not a literal: %x reads, %n writes */
    va_end(ap);
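
As an added example (not Firefly's code and not part of the advisory), the C program below reproduces the shape of the bug next to the fix: addarg_vulnerable() hands caller data to vsnprintf() as the format string exactly as ws_addarg() does, while addarg_fixed() uses a literal "%s" and passes the data as an argument. The input is a constructed Authorization: Basic header whose username is 100%%sure; the function names, the small base64 decoder and the buffer sizes are assumptions made for this demo. The harmless %% directive is enough to show the difference: the vulnerable path interprets it and stores 100%sure, the fixed path stores the username verbatim. With %x or %n in the same position the vulnerable path would read the va_list or write memory instead, and the size argument to vsnprintf() would not prevent that.

```c
/* Added example, not Firefly's code: the ws_addarg() format-string pattern
 * beside a hardened form, driven from a constructed Basic-auth header.
 * addarg_vulnerable/addarg_fixed/decode_basic_auth and the base64 helper
 * are assumed names for this demo. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (mirrors ws_addarg): the caller's data IS the format string.
 * "%%" collapses to "%", "%x" reads the va_list, "%n" writes memory. */
static void addarg_vulnerable(char *value, size_t len, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(value, len, fmt, ap);
    va_end(ap);
}

/* Hardened shape: literal format, user data passed as an argument. */
static void addarg_fixed(char *value, size_t len, const char *user_data) {
    snprintf(value, len, "%s", user_data);
}

/* Minimal base64 decoder for the "Basic <b64>" credential (assumed helper). */
static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

static size_t b64_decode(const char *in, unsigned char *out, size_t outlen) {
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in != '\0' && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) return 0;                    /* reject non-alphabet bytes */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n < outlen) out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return n;
}

/* "Basic <base64(user:pass)>" -> user, pass. Returns 1 on success, 0 otherwise. */
static int decode_basic_auth(const char *header, char *user, size_t ulen,
                             char *pass, size_t plen) {
    static const char prefix[] = "Basic ";
    unsigned char buf[512];
    size_t n;
    char *colon;

    if (strncmp(header, prefix, sizeof prefix - 1) != 0) return 0;
    n = b64_decode(header + sizeof prefix - 1, buf, sizeof buf - 1);
    buf[n] = '\0';
    colon = strchr((char *)buf, ':');
    if (colon == NULL) return 0;
    *colon = '\0';
    snprintf(user, ulen, "%s", (char *)buf);
    snprintf(pass, plen, "%s", colon + 1);
    return 1;
}

/* Run the decoded username through both addarg variants, as ws_dispatcher()
 * does with ws_addarg(..., "HTTP_USER", username). Returns 0 if the header
 * is not usable Basic auth. */
int demo_http_user(const char *header, char *vuln_out, char *fixed_out, size_t len) {
    char user[128], pass[128];
    if (!decode_basic_auth(header, user, sizeof user, pass, sizeof pass)) return 0;
    addarg_vulnerable(vuln_out, len, user);  /* user data as fmt, no extra args */
    addarg_fixed(fixed_out, len, user);
    return 1;
}

int main(void) {
    /* Constructed header: base64("100%%sure:x"). The harmless "%%" stands in
     * for the "%x"/"%n" an attacker would send. */
    const char *header = "Basic MTAwJSVzdXJlOng=";
    char v[64], f[64];
    if (demo_http_user(header, v, f, sizeof v)) {
        printf("vulnerable stored: %s\n", v);   /* 100%sure  (directive consumed) */
        printf("fixed stored:      %s\n", f);   /* 100%%sure (verbatim) */
    }
    return 0;
}
```

The fix is the one-line change from vsnprintf(value, sizeof(value), fmt, ap) with attacker data in fmt to a literal format with the data as an argument; ws_addarg()'s variadic interface is only safe while every caller passes a literal, so any call site that forwards request data in the fmt position reopens the bug.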

Proof of concept code : Yes

