Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R1] Debian MediaTomb (fork) Multiple Remote Vulnerabilities

Critical

Synopsis

MediaTomb is an open source UPnP MediaServer. For various reasons, MediaTomb has seen wide deployment over the years. However, the project appears to have been abandoned by the creators as the primary website hasn’t seen an update since 2010 and the SorceForge SVN repository hasn’t seen a commit since 2014. However, that has not slowed the apparent love and integration of MediaTomb. The SourceForge page claims over 200 downloads this week, the discussion forums have been written to fairly recently, and Stack Overflow still gets questions.

This is probably because Ubuntu has continued offering it as a package. However, they haven’t done a lot to the code themselves it appears, even though open bugs exists. For the purposes of this write up, we will be referring to the Ubuntu package since they appear to be hosting/distributing more than anyone else. That said, other Linux distributions may have their own forks of MediaTomb and be vulnerable to the same issues below, such as Debian as we later confirmed.

About the MediaTomb Code

Anyone that has had the distinct displeasure of reading the Portable Universal Plug and Play SDK (libupnp) source code would immediately recognize that MediaTomb is built on a fork of libupnp. Indeed, some quick investigation into this confirmed that MediaTomb uses their own libUPnP with "various custom patches and extensions". Notice, that the Fedora mediatomb package maintainer even links to a libupnp CERT VU. We can only assume that libupnp vulnerabilities don’t apply, right?

While testing a new NASL detection script, we found it was causing a crash in MediaTomb. Specifically, there is a NULL pointer dereference at in the function check_soap_body() in soap_device.c (line 470). We went to see if this had been patched in libupnp and found that it had been patched eight years ago.

Given that MediaTomb is still being distributed by Ubuntu and more than 1,000 instances are visible via Shodan, we will make a best-effort to quickly flag some of the vulnerabilities that we know have been fixed in libupnp and still exist in MediaTomb. All of the below have been tested on Ubuntu 16.04 x64 Desktop using mediatomb-dbg.

Fedora actually has this in their bug tracker for MediaTomb along with the other 2012 stack overflows, all unfixed, despite an upstream patch being available.

We've written a PoC cleverly named "cve-2012-5958.py" that triggers the issue, producing the following stack trace:


(gdb) bt
#0  0x00007ffff4ec9418 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff4ecb01a in __GI_abort () at abort.c:89
#2  0x00007ffff4f0b72a in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff5022c7f "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff4fac89c in __GI___fortify_fail (msg=, msg@entry=0x7ffff5022c10 "buffer overflow detected") at fortify_fail.c:37
#4  0x00007ffff4faa8a0 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007ffff4fa9d49 in __strncpy_chk (s1=, s2=, n=, s1len=) at strncpy_chk.c:26
#6  0x000000000052110a in strncpy (__len=421, __src=, __dest=0x7fffdf7fd590 "4") at /usr/include/x86_64-linux-gnu/bits/string3.h:126
#7  unique_service_name (cmd=cmd@entry=0x7fffd0001280 "ssdp:uuid:schemas:device:", 'a' ..., Evt=Evt@entry=0x7fffdf7fd770) at ../upnp/src/ssdp/ssdp_server.c:532
#8  0x0000000000521392 in ssdp_request_type (cmd=0x7fffd0001280 "ssdp:uuid:schemas:device:", 'a' ..., Evt=Evt@entry=0x7fffdf7fd770) at ../upnp/src/ssdp/ssdp_server.c:634
#9  0x0000000000524e0a in ssdp_handle_device_request (hmsg=hmsg@entry=0x7fffd80008c0, dest_addr=dest_addr@entry=0x7fffd8000a38) at ../upnp/src/ssdp/ssdp_device.c:157
#10 0x00000000005209cd in ssdp_event_handler_thread (the_data=0x7fffd80008c0) at ../upnp/src/ssdp/ssdp_server.c:797
#11 0x0000000000523373 in WorkerThread (arg=0x798d00 ) at ../threadutil/src/ThreadPool.c:594
#12 0x00007ffff70d76fa in start_thread (arg=0x7fffdf7fe700) at pthread_create.c:333
#13 0x00007ffff4f9ab5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

We’ve also written a PoC named "cve-2012-5959.py" (consistency is key) that triggers the issue, producing a different stack trace.

Bug 1948586

A null pointer dereference can be triggered via an HTTP POST with malformed SOAP data, with an upstream patch available. We wrote a PoC cleverly named "bug_1948586.py" that triggers the issue in MediaTomb. Note that the old SourceForge bug tracker that used 7-digit IDs was deprecated, and it does not appear that those tickets were preserved, at least not publicly. As such, we only have a commit that references the old bug ID, and the commit details itself.

Bug 133 (no CVE)

A heap overflow can be triggered when providing specifically crafted callback parameters. Currently, there does not seem to be a patch for this issue. We wrote a PoC cleverly named "bug_133.py" that triggers the issue in MediaTomb to demonstrate the issue.

CVE-2016-6255

This allows a remote unauthenticated attacker create arbitrary files in the WebRoot simply by sending an HTTP POST request. Note that Ubuntu's mediatomb installation must have write permission to the WebRoot directory. This issue has been patched by commit c91a8a3 and 66e43a2. We wrote a PoC cleverly named "barking_aardvark.py" that when used like so:

$ ./barking_aardvark.py http://192.168.1.217:49153/danger_zone

Will result in a file being created. This can be seen in the default Ubuntu install, with the following sorcery:


albino-lobster@ubuntu:~ $ cat /usr/share/mediatomb/web/danger_zone 
Better call Kenny Loggins
albino-lobster@ubuntu:~ $

Solution

See the details above which link to fixing commits where applicable. Since this is a third-party library used within a fork of mediatomb and impacts multiple Linux distributions, it is up to each one to resolve the issues in their installation. In the meantime, restrict access to the mediatomb server.

Proof of Concept

That's a negative Ghost Rider.

Disclosure Timeline

2016-09-27 - Issue discovered
2016-10-04 - Advisory drafted
2016-10-04 - Ubuntu notified via [email protected]
2016-10-05 - Ubuntu replies, package is inherited from Debian "which means it isn't supported by the Ubuntu Security Team."
2016-10-05 - Debian notified via [email protected]
2016-10-05 - Debian replies, "mediatomb is not part of Debian stable". Recommends filing public bug ticket.
2016-10-17 - Tenable figures out what package and version it is on Debian
2016-10-18 - Issue reported to Debian tracker via email, #841224 opened
2016-10-18 - Debian touches up report, provides a bit of preliminary feedback
2016-12-09 - Uwe Kleine-König notes it is also vulnerable to CVE-2016-8863
2017-03-13 - Tenable releases advisory since all information public via Debian

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2017-10
Credit:
Jacob Baines, Tenable Network Security
CVSSv2 Base / Temporal Score:
10.0 / 8.3
CVSSv2 Vector:
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Affected Products:
Ubuntu 16.04 mediatomb 0.12.2 (installed via apt-get)
Debian 8.6 (aka "jessie") mediatomb 0.12.1-47
Risk Factor:
Critical

Advisory Timeline

2017-03-13 - [R1] Initial Release

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training