[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVE-2012-4750] Ezhometech EzServer 7.0 Remote Heap Corruption Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [CVE-2012-4750] Ezhometech EzServer 7.0 Remote Heap Corruption Vulnerability
From: lorenzo.cantoni86@xxxxxxxxx
Date: Sat, 13 Oct 2012 10:04:07 GMT

[Title]:
Ezhometech EzServer 7.0 Remote Heap Corruption Vulnerability

[Description]:
EzServer is a software for audio and video streaming adopted by various 
companies worldwide. Version 7.0 is  affected by a remote heap corruption 
vulnerability. Version 6.x is not affected by this issue, as does not implement 
RTMP support.

[Affected Software]:
http://www.ezhometech.com/ezserver.htm


[Credits]:
Lorenzo Cantoni

[CVE]:
CVE-2012-4750

[CVSS]:
9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

[Impact]:
A remote unauthenticated attacker can DoS the application. Remote Command 
Execution could be possible, however an exploit has yet to be developed.


[Details]:
The vulnerability is caused by the following lines of code:

.text:00474533                 cmp     [ebp-33A0], 80h
.text:0047453D                 jle     short loc_47458E
.text:0047453F                 mov     eax, [ebp-33A0h]
.text:00474545                 sub     eax, 80h
.text:0047454A                 push    eax             ; Size
.text:0047454B                 mov     ecx, [ebp-33CCh]
.text:00474551                 add     ecx, 81h
.text:00474557                 push    ecx             ; Src
.text:00474558                 mov     edx, [ebp-33CCh]
.text:0047455E                 add     edx, 80h
.text:00474564                 push    edx             ; Dst
.text:00474565                 call    _memcpy_0

The application pass to memcpy() an uncontrolled size, which is directly taken 
from the AMF request in the RTMP packet.After have successfully completed the 
RTMP handshake, an attacker can send a malformed AMF request embedded in the 
RTMP session, with an high value for the 'size' field (2 bytes, such as 0xFFFF) 
and a lower-sized 'string' (such as 'connect'). This result in a heap 
corruption and a crash for the application.

[Fix]:
Support for the RTMP protocol appears disabled (but not fully removed) in 
version 7.1. However there is no official response from the vendor (see 
disclosure).

[Proof of Concept code]:
http://pastebin.com/k05djr6C

[Disclosure]:
09/09/2012: Vendor contacted.
07/10/2012: No response. Sent another mail.
13/10/2012: Still no response. Disclosure.

Prev by Date: [ MDVSA-2012:167 ] firefox
Next by Date: Re: VLC Player 2.0.3 <= ReadAV Arbitrary Code Execution (Update)
Previous by thread: [ MDVSA-2012:167 ] firefox
Next by thread: SilverStripe CMS 2.4.7 <= Arbitrary URL Redirection
Index(es):
- Date
- Thread