Nero MediaHome NMMediaServer.dll Long Request Line Off-By-One Overflow Vulnerability
21 Mar. 2013
Summary
Nero MediaHome contains an off-by-one overflow condition in the NMMediaServer.dll library. The issue is triggered as incoming HTTP requests containing overly long request lines are not properly validated. With a specially crafted HTTP request, a remote attacker can cause a single byte heap-based buffer overflow, resulting in a denial of service.
Upon startup of the Nero MediaHome 4 Service (NMMediaServerService.exe), a heap-based buffer of 8000h bytes is initially allocated within NMMediaServer.dll to receive data on the socket. If a larger request is received, a memory reallocation function is called to grow the buffer either immediately to the required size or by a single page (whichever is smaller), after which as much data as possible is read in. For an overly long request, the reallocation function is called a number of times, incrementing the buffer by a page each time and reading in more data. Eventually, when the buffer reaches a size of 21000h bytes, a general request parsing function is called to start processing.
This parsing function splits the request into components as processing occurs, by searching the request for specific, expected characters and character sequences. Each time a component is identified, a trailing NULL byte is added immediately after it, without proper bounds checks. When the processed component ends right at the end of the buffer, the NULL byte is written just outside the bounds of the heap-based buffer (i.e. an off-by-one error). This off-by-one error can specifically be triggered when the initial request line is 135,168 (21000h) or more bytes, i.e. when the request line fills the entire buffer, and may corrupt memory in a manner that eventually causes a crash.
It should be noted that the original report states that "a specially crafted HTTP request of at least 500'000 characters long" is required and that the cause is "improper handling of the URI length", resulting in a stack-based buffer overflow. Based on analysis performed by Risk Based Security, these claims are invalid. Any request containing 135,168 bytes or more in the first request line may trigger this off-by-one vulnerability in heap space.
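The following C program is an added illustration of the two mechanisms described above; it is not code from Nero MediaHome or NMMediaServer.dll. The first function models the receive-buffer growth policy as the advisory describes it (start at 8000h, grow to the required size or by one 1000h page, whichever is smaller, parse at 21000h), showing that a 135,168-byte request line fills the buffer exactly. The second function is a hardened version of the component-terminating step: it refuses to write the trailing NUL when that byte would land at or past the end of the buffer, which is the check the vulnerable parser lacks. The function names, the page-size assumption and the constructed request lines are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes taken from the advisory text. */
#define INITIAL_BUF  0x8000u   /* initial receive buffer */
#define PAGE_SIZE    0x1000u   /* assumed growth step per reallocation */
#define PARSE_AT     0x21000u  /* buffer size at which parsing begins */

/* Model of the described growth policy (assumption: the real allocator
   details are not on the page). Returns the buffer size when parsing
   starts and, if requested, how many reallocations were needed. */
static size_t grow_model(size_t request_len, unsigned *reallocs) {
    size_t cap = INITIAL_BUF;
    unsigned n = 0;
    while (cap < request_len && cap < PARSE_AT) {
        size_t need = request_len - cap;
        cap += (need < PAGE_SIZE) ? need : PAGE_SIZE;
        n++;
    }
    if (reallocs) *reallocs = n;
    return cap;
}

size_t model_buffer_growth(size_t request_len) { return grow_model(request_len, NULL); }

unsigned reallocs_to_parse(size_t request_len) {
    unsigned n;
    grow_model(request_len, &n);
    return n;
}

/* Hardened component terminator: find the end of the first request-line
   component (up to the first space) and NUL-terminate it only if the
   terminator stays inside buf[0..cap-1]. Returns the component length,
   or -1 if the write would be out of bounds (the advisory's off-by-one). */
long terminate_component(char *buf, size_t cap, size_t len) {
    size_t i;
    if (len > cap) return -1;
    for (i = 0; i < len; i++) {
        if (buf[i] == ' ') break;
    }
    /* i is the index the NUL would be written to. */
    if (i >= cap) return -1;   /* refuse instead of writing one byte past the end */
    buf[i] = '\0';
    return (long)i;
}

/* Constructed boundary scenario: a request line of exactly PARSE_AT bytes
   with no space, so the component ends at the last byte of the buffer. */
long boundary_case(void) {
    char *buf = malloc(PARSE_AT);
    long r;
    if (!buf) return -2;
    memset(buf, 'A', PARSE_AT);
    r = terminate_component(buf, PARSE_AT, PARSE_AT);
    free(buf);
    return r;
}

/* Constructed ordinary request line that fits with room to spare. */
long normal_case(void) {
    char buf[32];
    const char *line = "GET /index.html HTTP/1.1";
    memcpy(buf, line, strlen(line));
    return terminate_component(buf, sizeof buf, strlen(line));
}

int main(void) {
    unsigned n = reallocs_to_parse(135168);
    printf("buffer at parse time: 0x%zx after %u reallocations\n",
           model_buffer_growth(135168), n);
    printf("boundary case: %ld (terminator rejected)\n", boundary_case());
    printf("normal case: %ld (length of \"GET\")\n", normal_case());
    return 0;
}
```

The growth model reaches 21000h for a 135,168-byte line after 25 page-sized reallocations, and the hardened terminator returns -1 for that line instead of writing to buf[0x21000]; a front end that caps request-line length well below 135,168 bytes makes the same boundary unreachable.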
Disclosure Timeline:
Disclosure Date: 2013-01-09
Vendor Informed Date: 2012-11-21