Product: SHOUTcast v1.9.4 (and older?)
Vendor: http://www.shoutcast.com
Vuln: Remote format string
BugFinder: Tomasz Trojanowski (onestep)
Author: Damian Put <pucik cc-team org> www.CC-Team.org
Date: Dec 23, 2004

1. BACKGROUND

"SHOUTcast is Nullsoft's Free Winamp-based distributed streaming audio system. Thousands of broadcasters around the world are waiting for you to tune in and listen"

2. DESCRIPTION

Remote exploitation of a format string vulnerability could allow execution of arbitrary code. A part of request, which was sent by attacker to server, would be included in second arg of sprintf() function (0x0804adc3 in linux binary). It is obviously not good from a security viewpoint. We can crash SHOUTcast in a very easy way, using following request:

http://host:8000/content/%n.mp3

Or reach remote shell thanks to attached exploit's code.

3. CREDIT

Special thanks: Tomasz Trojanowski for information about vulnerability

4. EXPLOIT

*** SEE URL ***
Chris White, please verify/advise.
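The bug class the advisory above describes, request data reaching sprintf() as its format argument, shown next to the hardened form and a log-side check. This is an added example, not part of the advisory or of SHOUTcast's code; the function names, the "GET %s" format and the sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the advisory, kept as a comment only:
 *     sprintf(out, request_path);    request data is the format string
 */

/* Hardened form (hypothetical helper): the format is a constant, request
 * data is only an argument, and the write is bounded.
 * Returns 0 on success, -1 if the result did not fit. */
int build_log_line(char *out, size_t outsz, const char *request_path)
{
    int n = snprintf(out, outsz, "GET %s", request_path);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Detection helper (hypothetical): count printf conversion specifications
 * in a request path as it would reach the formatting call. "%%" is a
 * literal percent. Percent-encoded bytes followed by a conversion letter
 * (e.g. "%20n") are counted too, because printf would parse them. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        const char *p = s + 1;
        p += strspn(p, "-+ #0");              /* flags */
        p += strspn(p, "0123456789*$");       /* width / positional */
        if (*p == '.') { p++; p += strspn(p, "0123456789*"); }
        p += strspn(p, "hlLqjzt");            /* length modifiers */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) { count++; s = p; }
    }
    return count;
}

int main(void)
{
    /* Constructed sample paths; the second is the crash request from the advisory. */
    const char *paths[] = { "/content/track01.mp3", "/content/%n.mp3",
                            "/content/100%%.mp3" };
    char line[64];
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int rc = build_log_line(line, sizeof line, paths[i]);
        printf("rc=%d directives=%d line=%s\n", rc,
               count_format_directives(paths[i]), line);
    }
    return 0;
}
```

With the constant format, the `%n` in the request is copied into the output as plain text instead of being interpreted.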
*** Bug 75695 has been marked as a duplicate of this bug. ***
Ugh, I checked the forum and there's a link to the exact same exploit announcement. Seems Nullsoft is taking the clueless route or something. I've package.mask'ed this accordingly.
Do we need a masking GLSA for this one?
I would say yes. If there is a remote exec exploit out there and upstream doesn't care, users should be warned against it.
A masking GLSA will be issued.
- - -
We're pleased to announce the immediate release of SHOUTcast DNAS 1.9.5. This release corrects a buffer overflow when parsing requests, which could cause the SHOUTcast process to crash and potentially allow remote access to the host it was running on. We STRONGLY URGE you to upgrade to 1.9.5 ASAP.
- - -

ChrisWhite, please bump/unmask.
Marked on my side. AMD64 needs marking though. Once that's done I'll unmask.
stable amd64... ready for GLSA
Changing to GLSA status. Chris, please unmask package.
GLSA 200501-04