Search | Research | Contact Us Tuesday October 10, 2021
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
  3 Multiple Invision Power Board Vulnerabilities
  4 Mambo Multiple Vulnerabilities
  5 eBay And Amazon Still Vulnerable
  6 PEAR XML_RPC Library Remote Code Execution
  7 When Small Mistakes Can Cause Big Problems
  8 Woltlab Burning Board SQL Injection Vulnerability
  9 WordPress 1.5.1.2 And Earlier Multiple Vulnerabilities
10 MySQL Eventum Multiple Vulnerabilities
Need Secure Code?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Services Archives Research Downloads Contact
Multiple Vulnerabilities In EmuLive Server4
September 20, 2021
Vendor : Emulive Imaging Corporation
URL : http://www.emulive.com
Version : EmuLive Server4 Commerce Edition Build 7560
Risk : Multiple Vulnerabilities
BID : http://www.securityfocus.com/bid/11226


Description:
Server4 is real-time media broadcasting software that works in conjunction with Emulive producer software to create digital television-like channels on the Internet. To web browsers, Server4 appears as a standard web server. Visitors to a Server4 system can browse and view available channels, chat with other users, remotely control cameras, remotely control devices, create user accounts, extend user accounts, purchase time and access controlled subscriptions, purchase one-to-one exclusive conferences, tip channel hosts, purchase additional time and much much more.

Unauthorized Admin Access:
EmuLive Server4, like a lot of software comes with built in remote administration features. The administration console in Server4 lets server admins manage such data as their live statistics, affiliate management, and eCommerce reports. This however can easily be accessed by an attacker by requesting the following url

http://localhost//PUBLIC/ADMIN/INDEX.HTM

notice the "//" after the host info. Normally when an admin successfully logs in, there is a long session ID in between those two slashes. So, we can now do anything an admin can by using a little slash ;) Another interesting thing about this particular issue, is after I requested an admin page from a remote machine with a null session id, it gave me the legitimate session credentials that were gained on another machine, automatically!

Remote Server Crash:
EmuLive Server4 is a very nice multimedia broadcasting application. One very useful feature is that it allows remote connections for production software on tcp port 66. This is meant for EmuLive Producer, which is a audio/video encoder software product that works in conjunction with server4 to create Interactive digital television-like channels on the Internet. There lies a flaw in the way Server4 handles the connections made to this port. For example, an attacker can input a quick sequence of eight or more sets of carriage returns and crash the server hard. In the tests that I did it froze up my WinXP Pro machine so bad that I was forced to press the reset button as it was the only thing that worked. I am not sure if this issue is remotely exploitable for any thing other than killing the server, as my machine died immediately after the death packet was sent, so I could not read any error messages or responses.

Solution:
Vendors were notified and an update should be available soon.


Proof Of Concept:
http://www.gulftech.org/downloads/?file_id=00021


Credits:
James Bercegay of the GulfTech Security Research Team