####################################################################### Luigi Auriemma Application: Firefly Media Server (mt-daapd) http://www.fireflymediaserver.org Versions: <= 2.4.1 and SVN <= 1699 Platforms: *nix, Windows, Mac and others Bugs: A] partial directory traversal on Windows B] authentication bypass on Windows C] duplicated HTTP parameter Denial of Service D] CPU at 100% with partial queries Exploitation: remote Date: 03 Dec 2007 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Firefly Media Server (aka mt-daapd) is an open source server for the DAAP protocol used by Roku SoundBridge and iTunes. ####################################################################### ======= 2) Bugs ======= ----------------------------------------- A] partial directory traversal on Windows ----------------------------------------- Using 3 dots in the HTTP query is possible to get a specific file in the parent directory of the Firefly admin-root folder. That means that an attacker can download the mt-daapd.conf file which contains all the configuration of the server or other files like firefly.log and so on. If the server is protected by password is enough to use the bug B below which allows any external unauthenticated attacker to download these files (in short GET /.../mt-daapd.conf works only if no password is set, otherwise you must use GET .../mt-daapd.conf or the other methods explained there). In my tests was possible to go down only of one directory, that's why I consider it "partial". This problem is exploitable only versus Windows servers. ----------------------------------- B] authentication bypass on Windows ----------------------------------- The usage of a dot '.' or a backslash '\' before the URI (at the place of the usual /) or just nothing (GET file.txt HTTP/1.0) allows any unauthenticated attacker to download the files from the admin-root folder in case the server is protected by password. Although the admin-root folder doesn't contain sensitive informations it can become very dangerous if used with bug A as written above. Note that the trick works only for the "real" files and not for the special ones like xml-rpc and the DAAP commands. This problem is exploitable only versus Windows servers. ---------------------------------------------- C] duplicated HTTP parameter Denial of Service ---------------------------------------------- It's possible to terminate the server remotely simply using two or more HTTP parameters with the same name (like two Host or User-Agent or just any other string). ----------------------------------- D] CPU at 100% with partial queries ----------------------------------- Not really dangerous as the above bugs anyway the server's CPU goes to 100% while receiving the queries, which means that anyone can just connect to it sending only the first line (GET / HTTP/1.0) to cause this effect which will continue forever also when the attacker disconnects from it. ####################################################################### =========== 3) The Code =========== Example queries to send with netcat: http://aluigi.org/poc/fireflyz.zip nc localhost 9999 -v -v < file.txt ####################################################################### ====== 4) Fix ====== The bugs will be fixed in the next versions. #######################################################################