Bug#841224: MediaTomb Multiple Remote Vulnerabilities

James Cowgill jcowgill at debian.org
Tue Oct 18 16:51:00 UTC 2016 

Control: severity -1 grave
Control: tags -1 security
Control: retitle -1 mediatomb: libupnp vulnerabilities CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2016-6255
Control: found -1 0.12.1-4

On 18/10/16 17:17, Brian Martin wrote:
> Package: mediatomb
> Version: 0.12.1-47

This version does not exist, I have marked it as found in 0.12.1-4
(pre-wheezy) as a conservative guess.

> This was discovered on Ubuntu and reported to them. Ubuntu replied that
> the package is inherited from Debian "which means it isn't supported by
> the Ubuntu Security Team."

The reason it's not supported in Ubuntu is because it's in the
"universe" repository which does not get security support (not that it
comes from Debian).

> While testing a new NASL detection script, we found it was causing a
> crash in MediaTomb. Specifically, there is a NULL pointer dereference at
> in the function check_soap_body() in soap_device.c (line 470). We went
> to see if this had been patched in libupnp and found that it had been
> patched eight years ago
> (https://sourceforge.net/p/pupnp/code/ci/2c094ee8ea01259967f82513296b031f718603fd/).
> 
> 
> Given that MediaTomb is still being distributed by Ubuntu and more than
> 1,000 instances are visible via Shodan
> (https://www.shodan.io/search?query=MediaTomb), we will make a
> best-effort to quickly flag some of the vulnerabilities that we know
> have been fixed in libupnp and still exist in MediaTomb. All of the
> below have been tested on Ubuntu 16.04 x64 Desktop using mediatomb-dbg.
> We believe them to be vulnerable in Debian 8.6 (jesse) as well.
> 
> CVE-2012-5958, CVE-2012-5959, CVE-2012-5960
[...]
> CVE-2016-6255
> 
> This allows a remote unauthenticated attacker create arbitrary files in
> the WebRoot simply by sending an HTTP POST request. Note that Ubuntu's
> mediatomb installation must have write permission to the WebRoot
> directory. This issue has been patched by c91a8a3
> (https://sourceforge.net/p/pupnp/code/ci/c91a8a3903367e1163765b73eb4d43be7d7927fa/)
> and 66e43a2
> (https://sourceforge.net/p/pupnp/code/ci/66e43a28d27fee95d270d2b8106d8a099c14f334/).
> We wrote a PoC cleverly called "cve-2016-6255.py" that when used like so:
> 
> $ ./cve-2016-6255.py http://192.168.1.217:49153/danger_zone

Apparently it is not possible to remove mediatomb's copy of libupnp due
to the number of changes and those changes cannot be upstreamed due to
licensing issues. This means the libupnp fixed will have to be patched
into mediatomb.

Unfortunately upstream has been fairly inactive over the last few years
so any fixes probably won't come from them :( 

Thanks for reporting!
James

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20161018/068da7c4/attachment.sig>

More information about the pkg-multimedia-maintainers mailing list