FireFly Mediaserver version 1.0.0.1359 suffers from a denial of service vulnerability that can be triggered by a NULL pointer dereference.
32f710929128a837905de7371632750aecfb1f0c76e6463bedec86ca624602c7
This Metasploit module exploits a stack buffer overflow in ALLMediaServer version 1.6. The vulnerability is caused by a boundary error in the handling of HTTP requests.
ec5996d7542530d1bdb600e24891e2ffa7033a9c24319db14a34043fa0b9fec3
ALLMediaServer version 1.6 suffers from a remote buffer overflow vulnerability.
4084eb5abda1f08d8c0f81af318bc5e5994b8c1afcb57575e2b6590a4bd525bd
iOS suffers from a sandbox escape vulnerability due to an integer overflow in mediaserverd.
2b4a9f24dc9fb9fa02db02c8a4e93a710241e3d12f49d9ae097344a6df912908
Firefly CMS version 1.0 suffers from a remote command execution vulnerability.
a9a65d0388e6422de5a7d34358d848998ed90475e92ac36d17d9dd37306de49e
ALLMediaServer version 0.95 stack buffer overflow exploit with DEP bypass on Windows 7 x64.
b32e6037a31b7fad537466c0749084442cb4b6e30ae14d2312537291ebb2d01f
This Metasploit module exploits a stack buffer overflow in ALLMediaServer 0.95. The vulnerability is caused by a boundary error in the handling of HTTP requests.
0aeb690c29587f9a0c63a6668b87a74d40a7e016b5c7c1bd296f108aa1a7986d
ALLPlayer ALLMediaServer versions 0.95 and below suffer from a buffer overflow vulnerability.
7beeec87d60642363ea3f4cc1b85be925f9972466a5f66117c32bef9c55c5d5d
During EBML node parsing, the EBML element_size is used unvalidated to allocate a stack buffer to store the element contents. Since calls to alloca simply compile to a subtraction from the current stack pointer, for large sizes this can result in memory corruption and potential remote code execution in the mediaserver process. Tested on an LG-G4 with firmware MRA58K.
fead583452cca3b0aff0b1e5d1c60e83a1131d969e79b214c620dd57f7a19180
Emby MediaServer version 3.2.5 suffers from a directory traversal vulnerability that allows for arbitrary file disclosure.
fa223b923ceaad85f3f4ca5cce4208878ae02295ea4e03a6bbab3643e2829316
Emby MediaServer version 3.2.5 suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the URL path filename when handling 'not found' errors. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
413c8dd70f63ee4e8e53a5a298b2725274507fae9766167efcdfb6194cb86cac
Emby MediaServer version 3.2.5 suffers from a password reset vulnerability.
cd55b21a8347fa5960e9af67ccc648634aed53ed1e1e824ff18218bbc68ccdbe
Emby MediaServer version 3.2.5 suffers from a blind SQL injection vulnerability. Input passed via the GET parameter 'MediaTypes' is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
5df7706831464ac9c7dd4014af6d54f5c2117a394cca94b6bb14e121d7842598
This Metasploit module exploits an integer overflow vulnerability in the Stagefright Library (libstagefright.so). The vulnerability occurs when parsing specially crafted MP4 files. While a wide variety of remote attack vectors exist, this particular exploit is designed to work within an HTML5-compliant browser. Exploitation is done by supplying a specially crafted MP4 file with two tx3g atoms that, when their sizes are summed, cause an integer overflow when processing the second atom. As a result, a temporary buffer is allocated with insufficient size and a memcpy call leads to a heap overflow. This version of the exploit uses a two-stage information leak based on corrupting the MetaData that the browser reads from mediaserver. This method is based on a technique published in NorthBit's Metaphor paper. First, we use a variant of their technique to read the address of a heap buffer located adjacent to a SampleIterator object as the video HTML element's videoHeight. Next, we read the vtable pointer from an empty Vector within the SampleIterator object using the video element's duration. This gives us a code address that we can use to determine the base address of libstagefright and construct a ROP chain dynamically. NOTE: the mediaserver process on many Android devices (Nexus, for example) is constrained by SELinux and thus cannot use the execve system call. To avoid this problem, the original exploit uses a kernel exploit payload that disables SELinux and spawns a shell as root. Work is underway to make the framework more amenable to these types of situations. Until that work is complete, this exploit will only yield a shell on devices without SELinux or with SELinux in permissive mode.
1a90f98f06bcb60d18f94ddf7062901f68d339cc68bbdab75711aaafaeffc5d2
The Exynos Seiren Audio driver has a device endpoint (/dev/seiren) that is accessible by either the system user or the audio group (such as the mediaserver). It was found that the write() implementation for this driver contains a buffer overflow vulnerability that overflows a static global buffer.
faf34e337128765e7e7cd244e5054952422e46472fdd20baad4de151245624d7
ALLMediaServer version 0.95 SEH overflow exploit written for Windows XP SP3 English.
6a32e2b5a9cef7acb98ca8556873790ab22dd7c02943f2ccb18e7cafcf458abc
This Metasploit module exploits a stack buffer overflow in ALLMediaServer 0.95. The vulnerability is caused by a boundary error in the handling of HTTP requests.
d6a069e8edf6437387fecef101b6b1c5a7d671893848ff872fbebb2b7b615c11
ALLMediaServer version 0.95 SEH overflow exploit written for Windows 7 German.
f54af71371112fc674b417f9ec24af93d58fb527474b125641029fc8ffe667fd
WowzaMediaServer allows properties to be read and set directly, which in turn can give an attacker the ability to mount further attacks.
02061d65ffca3d12c102fcd83b76a8c46f938d8fefea6e170cb8ce387b7c0c9d
WowzaMediaServer suffers from a bypass vulnerability that allows access to files outside of the allowed StorageDir directory.
f4564e946705fc60d5c17b51bebbe0c644dbb60355ce85b64a936c75bbf48ae6
This Metasploit module exploits a stack buffer overflow in ALLMediaServer version 0.94. The vulnerability is caused by a boundary error in the handling of an HTTP request.
9e10375f11d2160bc7bb76256fee52ef258402ea5c166bf2a4a74b2a8c0132a5
ALLMediaServer version 0.94 SEH overflow exploit that spawns calc.exe.
581d11bf437584999c610e53bfc9f899cf4e9ab8f2b4079740da0b9dff03d908
This Metasploit module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability is caused by a boundary error in the handling of HTTP requests. While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't reliable across virtual (VMware, VirtualBox) and physical environments. Because of this, the module isn't using DEP bypass on the Windows 7 SP1 target, where by default DEP is OptIn and AllMediaServer won't run with DEP.
cd224eb091bd83cac2f6867238fdeea0e253250295ed9b0257c0173e71de0311
Secunia Security Advisory - A vulnerability has been discovered in ALLMediaServer, which can be exploited by malicious people to compromise a vulnerable system.
2d15928ca02a9e147baeb55fdf36818b8905cedb789ecfdf98da1ca1e2e82734
Firefly Media Server (mt-daapd) versions 2.4.1 and below and SVN versions 1699 and below proof of concept exploit that demonstrates multiple vulnerabilities.
06ea0019b5ce59af46c80a88b7028f72b55a6faa4da174cf5eebb51ee8cf5b9f
Firefly Media Server (mt-daapd) versions 2.4.1 and below and SVN versions 1699 and below suffer from directory traversal, authentication bypass, and denial of service vulnerabilities.
adc2aa9ee5d0bef2c8025b8d7e63e5e285d75f05c485f76f4463b9283f0a66be