SECURITYVULNS:DOC:18352
Nov 06, 2007

[UPH-07-03] Firefly Media Server remote format string vulnerability

2007-11-06 00:00:00
vulners.com

[UPH-07-02]
UnprotectedHex.com security advisory [07-02]
Discovered by nnp

Discovered : 1 August 2007
Reported to the vendor : 13 October 2007
Fixed by vendor : 21 October 2007

Vulnerability class : Remote format string

Affected product : mt-dappd/Firefly Media Server
Version : <= 0.2.4
Product details:
www.fireflymediaserver.org/
'''
The purpose of this project is to build the best server software to serve digital music to
the Roku Soundbridge and iTunes; to be able to serve the widest variety of digital music
content over the widest range of devices
'''

File/Function/line : webserver.c/ws_dispatcher,ws_addarg/916-920,1171

Cause: This is a vsnprintf()-related format string bug. ws_addarg() uses its third
argument as the format string, and at this call site that argument is user controlled: it
is the decoded username from the Authorization field of the request header. The call to
ws_addarg() takes place before authentication, so any format string can be supplied, and
there is no restriction on its length either. The password field would serve equally well
as the location of the format string. This vulnerability could be used to execute
arbitrary code on the affected system.

/* webserver.c, ws_dispatcher(): username and password are decoded from the
   Authorization header and handed to ws_addarg() as its fmt argument, before
   the request has been authenticated. */
ws_decodepassword(auth,&username,&password);
if(auth_handler(username,password))
    can_dispatch=1;
ws_addarg(&pwsc->request_vars,"HTTP_USER",username);     /* username is the format */
ws_addarg(&pwsc->request_vars,"HTTP_PASSWD",password);   /* password is the format */

/* webserver.c, ws_addarg(): the third parameter is used directly as the
   vsnprintf() format (local declarations omitted in the advisory). */
int ws_addarg(ARGLIST *root, char *key, char *fmt, ...) {
    ...
    va_start(ap,fmt);
    vsnprintf(value,sizeof(value),fmt,ap);   /* fmt is user controlled */
    va_end(ap);
    ...
}
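The bug reduced to a compilable contrast, as an added example rather than Firefly's own code: addarg() is a constructed stand-in for ws_addarg(), addarg_vuln() shows the call shape from the advisory (credential passed as fmt), addarg_safe() shows the fixed-format shape, and count_conversions() is a constructed defence-in-depth check that a front end or log monitor could use to flag conversion specifiers in decoded credentials.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for ws_addarg(): the third parameter is the format,
 * so whatever a caller passes there is interpreted by vsnprintf(). */
static int addarg(char *value, size_t len, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(value, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable call shape from the advisory: the decoded username IS the format. */
static int addarg_vuln(char *value, size_t len, const char *username) {
    return addarg(value, len, username);
}

/* Hardened call shape: a literal format; the user string is only ever a "%s"
 * argument, so any '%' sequences it contains are stored as inert text. */
static int addarg_safe(char *value, size_t len, const char *username) {
    return addarg(value, len, "%s", username);
}

/* Returns 1 when the hardened path stores the credential byte-for-byte. */
static int safe_preserves(const char *username) {
    char value[256];
    addarg_safe(value, sizeof value, username);
    return strcmp(value, username) == 0;
}

/* Counts conversion specifications in a decoded credential ("%%" is a
 * literal percent and is not counted). Useful for flagging suspicious
 * Authorization headers; it does not replace fixing the call itself. */
static int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* escaped percent */
        n++;
    }
    return n;
}

int main(void) {
    char value[256];
    addarg_vuln(value, sizeof value, "alice");  /* benign input only */
    printf("vuln path: %s; safe path keeps \"%%08x\": %d; directives in \"%%08x.%%08x\": %d\n",
           value, safe_preserves("%08x"), count_conversions("%08x.%08x"));
    return 0;
}
```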

Proof of concept code : Yes