CVE-2022-28480

Vulnerability

ALLMediaServer version 1.6 is affected by a stack buffer overflow vulnerability in MediaServer.exe. The flaw resides in how the application processes specially crafted data sent to the service, and it can be triggered by sending a large payload (over 6000 bytes) without requiring authentication or prior configuration changes [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted TCP or UDP packet to the listening MediaServer.exe process. The attacker only needs network connectivity to the target server and does not need valid credentials. By overwriting the stack return address, the attacker can redirect execution to attacker-controlled data, which may lead to arbitrary code execution [1].

Impact

Successful exploitation allows an attacker to crash the service (denial of service) or execute arbitrary code on the target system. In the best case, the attacker gains code execution in the context of the MediaServer.exe process, which can lead to full compromise of the media server host [1].

Mitigation

As of the publication date of the advisory (April 2022), no official patch or updated version has been released by ALLPlayerGroup. Users are advised to restrict network access to the media server to trusted hosts only, or to disable the service if not required. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing [1].