Processed: Re: Bug#841224: MediaTomb Multiple Remote Vulnerabilities

2016-10-18 Thread Debian Bug Tracking System 
Processing control commands:

> severity -1 grave
Bug #841224 [mediatomb] MediaTomb Multiple Remote Vulnerabilities
Severity set to 'grave' from 'critical'
> tags -1 security
Bug #841224 [mediatomb] MediaTomb Multiple Remote Vulnerabilities
Added tag(s) security.
> retitle -1 mediatomb: libupnp vulnerabilities CVE-2012-5958, CVE-2012-5959, 
> CVE-2012-5960, CVE-2016-6255
Bug #841224 [mediatomb] MediaTomb Multiple Remote Vulnerabilities
Changed Bug title to 'mediatomb: libupnp vulnerabilities CVE-2012-5958, 
CVE-2012-5959, CVE-2012-5960, CVE-2016-6255' from 'MediaTomb Multiple Remote 
Vulnerabilities'.
> found -1 0.12.1-4
Bug #841224 [mediatomb] mediatomb: libupnp vulnerabilities CVE-2012-5958, 
CVE-2012-5959, CVE-2012-5960, CVE-2016-6255
Marked as found in versions mediatomb/0.12.1-4.

-- 
841224: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841224
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#841224: MediaTomb Multiple Remote Vulnerabilities

2016-10-18 Thread James Cowgill 
Control: severity -1 grave
Control: tags -1 security
Control: retitle -1 mediatomb: libupnp vulnerabilities CVE-2012-5958, 
CVE-2012-5959, CVE-2012-5960, CVE-2016-6255
Control: found -1 0.12.1-4

On 18/10/16 17:17, Brian Martin wrote:
> Package: mediatomb
> Version: 0.12.1-47

This version does not exist, I have marked it as found in 0.12.1-4
(pre-wheezy) as a conservative guess.

> This was discovered on Ubuntu and reported to them. Ubuntu replied that
> the package is inherited from Debian "which means it isn't supported by
> the Ubuntu Security Team."

The reason it's not supported in Ubuntu is because it's in the
"universe" repository which does not get security support (not that it
comes from Debian).

> While testing a new NASL detection script, we found it was causing a
> crash in MediaTomb. Specifically, there is a NULL pointer dereference at
> in the function check_soap_body() in soap_device.c (line 470). We went
> to see if this had been patched in libupnp and found that it had been
> patched eight years ago
> (https://sourceforge.net/p/pupnp/code/ci/2c094ee8ea01259967f82513296b031f718603fd/).
> 
> 
> Given that MediaTomb is still being distributed by Ubuntu and more than
> 1,000 instances are visible via Shodan
> (https://www.shodan.io/search?query=MediaTomb), we will make a
> best-effort to quickly flag some of the vulnerabilities that we know
> have been fixed in libupnp and still exist in MediaTomb. All of the
> below have been tested on Ubuntu 16.04 x64 Desktop using mediatomb-dbg.
> We believe them to be vulnerable in Debian 8.6 (jesse) as well.
> 
> CVE-2012-5958, CVE-2012-5959, CVE-2012-5960
[...]
> CVE-2016-6255
> 
> This allows a remote unauthenticated attacker create arbitrary files in
> the WebRoot simply by sending an HTTP POST request. Note that Ubuntu's
> mediatomb installation must have write permission to the WebRoot
> directory. This issue has been patched by c91a8a3
> (https://sourceforge.net/p/pupnp/code/ci/c91a8a3903367e1163765b73eb4d43be7d7927fa/)
> and 66e43a2
> (https://sourceforge.net/p/pupnp/code/ci/66e43a28d27fee95d270d2b8106d8a099c14f334/).
> We wrote a PoC cleverly called "cve-2016-6255.py" that when used like so:
> 
> $ ./cve-2016-6255.py http://192.168.1.217:49153/danger_zone

Apparently it is not possible to remove mediatomb's copy of libupnp due
to the number of changes and those changes cannot be upstreamed due to
licensing issues. This means the libupnp fixed will have to be patched
into mediatomb.

Unfortunately upstream has been fairly inactive over the last few years
so any fixes probably won't come from them :( 

Thanks for reporting!
James



signature.asc
Description: OpenPGP digital signature

Bug#841224: MediaTomb Multiple Remote Vulnerabilities

2016-10-18 Thread Brian Martin 
Package: mediatomb
Version: 0.12.1-47
Severity: critical


This was discovered on Ubuntu and reported to them. Ubuntu replied that
the package is inherited from Debian "which means it isn't supported by
the Ubuntu Security Team." We notified secur...@debian.org who suggested
we open a ticket. If any of our PoCs are required, we will share via
email with Debian or any other Linux vendor impacted, but not make them
public in a tracker.

--

While testing a new NASL detection script, we found it was causing a
crash in MediaTomb. Specifically, there is a NULL pointer dereference at
in the function check_soap_body() in soap_device.c (line 470). We went
to see if this had been patched in libupnp and found that it had been
patched eight years ago
(https://sourceforge.net/p/pupnp/code/ci/2c094ee8ea01259967f82513296b031f718603fd/).


Given that MediaTomb is still being distributed by Ubuntu and more than
1,000 instances are visible via Shodan
(https://www.shodan.io/search?query=MediaTomb), we will make a
best-effort to quickly flag some of the vulnerabilities that we know
have been fixed in libupnp and still exist in MediaTomb. All of the
below have been tested on Ubuntu 16.04 x64 Desktop using mediatomb-dbg.
We believe them to be vulnerable in Debian 8.6 (jesse) as well.

CVE-2012-5958, CVE-2012-5959, CVE-2012-5960

Humorously? Fedora actually has this in their bug tracker for MediaTomb
along with the other 2012 stack overflows, all unfixed
(https://bugzilla.redhat.com/show_bug.cgi?id=906045), despite an
upstream patch being available
(https://sourceforge.net/p/pupnp/code/ci/2bb79879b77dd215a26c92d1348adf2ae406dfd8/).

We've written a PoC cleverly named "cve-2012-5958.py" that triggers the
issue, producing the following stack trace:

(gdb) bt
#0  0x74ec9418 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:54
#1  0x74ecb01a in __GI_abort () at abort.c:89
#2  0x74f0b72a in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0x75022c7f "*** %s ***: %s terminated\n") at
../sysdeps/posix/libc_fatal.c:175
#3  0x74fac89c in __GI___fortify_fail (msg=,
msg@entry=0x75022c10 "buffer overflow detected") at fortify_fail.c:37
#4  0x74faa8a0 in __GI___chk_fail () at chk_fail.c:28
#5  0x74fa9d49 in __strncpy_chk (s1=,
s2=, n=, s1len=) at
strncpy_chk.c:26
#6  0x0052110a in strncpy (__len=421, __src=,
__dest=0x7fffdf7fd590 "4") at
/usr/include/x86_64-linux-gnu/bits/string3.h:126
#7  unique_service_name (cmd=cmd@entry=0x7fffd0001280
"ssdp:uuid:schemas:device:", 'a' ...,
Evt=Evt@entry=0x7fffdf7fd770) at ../upnp/src/ssdp/ssdp_server.c:532
#8  0x00521392 in ssdp_request_type (cmd=0x7fffd0001280
"ssdp:uuid:schemas:device:", 'a' ...,
Evt=Evt@entry=0x7fffdf7fd770) at ../upnp/src/ssdp/ssdp_server.c:634
#9  0x00524e0a in ssdp_handle_device_request
(hmsg=hmsg@entry=0x7fffd80008c0,
dest_addr=dest_addr@entry=0x7fffd8000a38) at
../upnp/src/ssdp/ssdp_device.c:157
#10 0x005209cd in ssdp_event_handler_thread
(the_data=0x7fffd80008c0) at ../upnp/src/ssdp/ssdp_server.c:797
#11 0x00523373 in WorkerThread (arg=0x798d00 )
at ../threadutil/src/ThreadPool.c:594
#12 0x770d76fa in start_thread (arg=0x7fffdf7fe700) at
pthread_create.c:333
#13 0x74f9ab5d in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:109

We’ve also written a PoC named "cve-2012-5959.py" (consistency is key)
that triggers the issue, producing the following stack trace:

(gdb) bt
#0  0x74ec9418 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:54
#1  0x74ecb01a in __GI_abort () at abort.c:89
#2  0x74f0b72a in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0x75022c7f "*** %s ***: %s terminated\n") at
../sysdeps/posix/libc_fatal.c:175
#3  0x74fac89c in __GI___fortify_fail (msg=,
msg@entry=0x75022c10 "buffer overflow detected") at fortify_fail.c:37
#4  0x74faa8a0 in __GI___chk_fail () at chk_fail.c:28
#5  0x74fa9d49 in __strncpy_chk (s1=,
s2=, n=, s1len=) at
strncpy_chk.c:26
#6  0x005211a1 in strncpy (__len=404, __src=0x7fffb4001190
"uuid:", 'a' ..., __dest=0x7fffbfffe784 "") at
/usr/include/x86_64-linux-gnu/bits/string3.h:126
#7  unique_service_name (cmd=cmd@entry=0x7fffb4001190 "uuid:", 'a'
..., Evt=Evt@entry=0x7fffbfffe770) at
../upnp/src/ssdp/ssdp_server.c:544
#8  0x00521392 in ssdp_request_type (cmd=0x7fffb4001190 "uuid:",
'a' ..., Evt=Evt@entry=0x7fffbfffe770) at
../upnp/src/ssdp/ssdp_server.c:634
#9  0x00524e0a in ssdp_handle_device_request
(hmsg=hmsg@entry=0x7fffd80011a0,
dest_addr=dest_addr@entry=0x7fffd8001318) at
../upnp/src/ssdp/ssdp_device.c:157
#10 0x005209cd in ssdp_event_handler_thread
(the_data=0x7fffd80011a0) at ../upnp/src/ssdp/ssdp_server.c:797
#11 0x00523373 in WorkerThread (arg=0x798d00 )
at ../threadutil/src/ThreadPool.c:594
#12 0x770d76fa in start_thread (arg=0x7fffb700) at
pthread_create.c: