Bug#: 75482
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Luke Macken (RETIRED) <lewk@gentoo.org>

Description:   Opened: 2004-12-23 14:21 0000
Product:    SHOUTcast v1.9.4 (and older?)
Vendor:     http://www.shoutcast.com
Vuln:       Remote format string
BugFinder:  Tomasz Trojanowski (onestep)
Author:     Damian Put <pucik cc-team org> www.CC-Team.org
Date:       Dec 23, 2004


1. BACKGROUND

"SHOUTcast is Nullsoft's Free Winamp-based distributed streaming audio
system. Thousands of broadcasters around the world are waiting for you to
tune in and listen"


2. DESCRIPTION

Remote exploitation of a format string vulnerability could allow execution
of arbitrary code.

A part of the request, which was sent by the attacker to the server, would be
included in the second arg of the sprintf() function (0x0804adc3 in the Linux
binary). It is obviously not good from a security viewpoint. We can crash
SHOUTcast in a very easy way, using the following request:

http://host:8000/content/%n.mp3

Or reach a remote shell thanks to the attached exploit's code.


3. CREDIT

Special thanks:
Tomasz Trojanowski for information about the vulnerability


4. EXPLOIT

*** SEE URL ***
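
The pattern the advisory describes, as an added C example that is not part of the original report and not SHOUTcast's code: the request text is passed to the formatter as data under a fixed `"%s"` format, and a request filter rejects any `%` that is not a valid percent-encoded byte. The function names `format_path_safe` and `path_percent_ok` and the `"Requested: "` prefix are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern described in the advisory (shown only as a comment):
 *     sprintf(out, path);        // request text used as the format string
 * A "%n" in path is then interpreted by sprintf() as a directive. */

/* Hypothetical helper: copy the request path into out as plain data.
 * Returns 0 on success, -1 if out is too small (out is emptied then). */
int format_path_safe(char *out, size_t outlen, const char *path)
{
    int n = snprintf(out, outlen, "Requested: %s", path);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical request filter: in a URL path every '%' must start a
 * percent-encoded byte ("%" + two hex digits). Returns 1 if valid. */
int path_percent_ok(const char *path)
{
    for (const char *p = path; *p; p++) {
        if (*p != '%')
            continue;
        if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
            return 0;
        p += 2;
    }
    return 1;
}

int main(void)
{
    char buf[64];
    const char *probe = "/content/%n.mp3";   /* request path from the advisory */
    if (format_path_safe(buf, sizeof buf, probe) == 0)
        printf("%s\n", buf);                 /* "%n" is printed literally */
    printf("percent-encoding valid: %d\n", path_percent_ok(probe));
    return 0;
}
```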

------- Comment #1 From Luke Macken (RETIRED) 2004-12-23 14:23:14 0000 -------
Chris White, please verify/advise.

------- Comment #2 From Luke Macken (RETIRED) 2004-12-26 08:58:55 0000 -------
*** Bug 75695 has been marked as a duplicate of this bug. ***

------- Comment #3 From Chris White (RETIRED) 2004-12-26 21:26:24 0000 -------
Ugh, I checked the forum and there's a link to the exact same exploit
announcement.  Seems Nullsoft is taking the clueless route or something.  I've
package.mask'ed this accordingly.

------- Comment #4 From Sune Kloppenborg Jeppesen 2004-12-26 22:54:16 0000 -------
Do we need a masking GLSA for this one?

------- Comment #5 From Thierry Carrez (RETIRED) 2004-12-27 09:54:52 0000 -------
I would say yes. If there is a remote exec exploit out there and upstream
doesn't care, users should be warned against it.

------- Comment #6 From Luke Macken (RETIRED) 2004-12-29 06:31:19 0000 -------
A masking GLSA will be issued.

------- Comment #7 From Luke Macken (RETIRED) 2005-01-03 07:31:07 0000 -------
- - -
We're pleased to announce the immediate release of SHOUTcast DNAS 1.9.5. This release corrects a buffer overflow when parsing requests, which could cause the SHOUTcast process to crash and potentially allow remote access to the host it was running on. We STRONGLY URGE you to upgrade to 1.9.5 ASAP.
- - -

ChrisWhite, please bump/unmask.

------- Comment #8 From Chris White (RETIRED) 2005-01-03 12:58:43 0000 -------
Marked on my side.  AMD64 needs marking though.  Once that's done I'll unmask.

------- Comment #9 From Jeremy Huddleston (RETIRED) 2005-01-04 04:50:37 0000 -------
stable amd64... ready for GLSA

------- Comment #10 From Luke Macken (RETIRED) 2005-01-04 05:38:56 0000 -------
Changing to GLSA status.  Chris, please unmask package.

------- Comment #11 From Luke Macken (RETIRED) 2005-01-05 07:27:47 0000 -------
GLSA 200501-04
