mailing list archives
[CVE-2012-4750] Ezhometech EzServer 7.0 Remote Heap Corruption Vulnerability
From: lorenzo.cantoni86 () gmail com
Date: Sat, 13 Oct 2012 10:04:07 GMT
Ezhometech EzServer 7.0 Remote Heap Corruption Vulnerability
EzServer is a software for audio and video streaming adopted by various companies worldwide. Version 7.0 is affected
by a remote heap corruption vulnerability. Version 6.x is not affected by this issue, as does not implement RTMP
A remote unauthenticated attacker can DoS the application. Remote Command Execution could be possible, however an
exploit has yet to be developed.
The vulnerability is caused by the following lines of code:
.text:00474533 cmp [ebp-33A0], 80h
.text:0047453D jle short loc_47458E
.text:0047453F mov eax, [ebp-33A0h]
.text:00474545 sub eax, 80h
.text:0047454A push eax ; Size
.text:0047454B mov ecx, [ebp-33CCh]
.text:00474551 add ecx, 81h
.text:00474557 push ecx ; Src
.text:00474558 mov edx, [ebp-33CCh]
.text:0047455E add edx, 80h
.text:00474564 push edx ; Dst
.text:00474565 call _memcpy_0
The application pass to memcpy() an uncontrolled size, which is directly taken from the AMF request in the RTMP
packet.After have successfully completed the RTMP handshake, an attacker can send a malformed AMF request embedded in
the RTMP session, with an high value for the 'size' field (2 bytes, such as 0xFFFF) and a lower-sized 'string' (such as
'connect'). This result in a heap corruption and a crash for the application.
Support for the RTMP protocol appears disabled (but not fully removed) in version 7.1. However there is no official
response from the vendor (see disclosure).
[Proof of Concept code]:
09/09/2012: Vendor contacted.
07/10/2012: No response. Sent another mail.
13/10/2012: Still no response. Disclosure.
- [CVE-2012-4750] Ezhometech EzServer 7.0 Remote Heap Corruption Vulnerability lorenzo . cantoni86 (Oct 15)