Multiple vulnerabilities in Firefly Media Server (mt-daapd) 2.4.1 / SVN 1699
#######################################################################
Luigi Auriemma
Application: Firefly Media Server (mt-daapd)
http://www.fireflymediaserver.org
Versions: <= 2.4.1 and SVN <= 1699
Platforms: *nix, Windows, Mac and others
Bugs: A] partial directory traversal on Windows
B] authentication bypass on Windows
C] duplicated HTTP parameter Denial of Service
D] CPU at 100% with partial queries
Exploitation: remote
Date: 03 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Firefly Media Server (aka mt-daapd) is an open source server for the
DAAP protocol used by Roku SoundBridge and iTunes.
#######################################################################
=======
2) Bugs
=======
-----------------------------------------
A] partial directory traversal on Windows
-----------------------------------------
Using 3 dots in the HTTP query is possible to get a specific file in
the parent directory of the Firefly admin-root folder.
That means that an attacker can download the mt-daapd.conf file which
contains all the configuration of the server or other files like
firefly.log and so on.
If the server is protected by password is enough to use the bug B below
which allows any external unauthenticated attacker to download these
files (in short GET /.../mt-daapd.conf works only if no password is
set, otherwise you must use GET .../mt-daapd.conf or the other methods
explained there).
In my tests was possible to go down only of one directory, that's why I
consider it "partial".
This problem is exploitable only versus Windows servers.
-----------------------------------
B] authentication bypass on Windows
-----------------------------------
The usage of a dot '.' or a backslash '\' before the URI (at the place
of the usual /) or just nothing (GET file.txt HTTP/1.0) allows any
unauthenticated attacker to download the files from the admin-root
folder in case the server is protected by password.
Although the admin-root folder doesn't contain sensitive informations
it can become very dangerous if used with bug A as written above.
Note that the trick works only for the "real" files and not for the
special ones like xml-rpc and the DAAP commands.
This problem is exploitable only versus Windows servers.
----------------------------------------------
C] duplicated HTTP parameter Denial of Service
----------------------------------------------
It's possible to terminate the server remotely simply using two or more
HTTP parameters with the same name (like two Host or User-Agent or just
any other string).
-----------------------------------
D] CPU at 100% with partial queries
-----------------------------------
Not really dangerous as the above bugs anyway the server's CPU goes to
100% while receiving the queries, which means that anyone can just
connect to it sending only the first line (GET / HTTP/1.0) to cause
this effect which will continue forever also when the attacker
disconnects from it.
#######################################################################
===========
3) The Code
===========
Example queries to send with netcat:
http://aluigi.org/poc/fireflyz.zip
nc localhost 9999 -v -v < file.txt
#######################################################################
======
4) Fix
======
The bugs will be fixed in the next versions.
#######################################################################
---
Luigi Auriemma
http://aluigi.org