Product: SHOUTcast v1.9.4 (and older?)
Vuln: Remote format string
BugFinder: Tomasz Trojanowski (onestep)
Author: Damian Put <pucik cc-team org> www.CC-Team.org
Date: Dec 23, 2004
"SHOUTcast is Nullsoft's Free Winamp-based distributed streaming audio
system. Thousands of broadcasters around the world are waiting for you to
tune in and listen"
Remote exploitation of a format string vulnerability could allow execution
of arbitrary code.
A part of the request, which was sent by the attacker to the server, would be
included in the second arg of the sprintf() function (0x0804adc3 in the Linux
binary). It is obviously not good from a security viewpoint. We can crash
SHOUTcast in a very easy way, using the following request:
Or reach a remote shell thanks to the attached exploit's code.
Tomasz Trojanowski for information about vulnerability
*** SEE URL ***
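The defect class the advisory describes (request data used as the format argument of a printf-family call), shown beside the corrected form. This is an added example, not part of the original report and not SHOUTcast code; all function names and the sample input are constructed, and snprintf is used in place of the sprintf() named in the advisory so the output stays bounded.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration; not SHOUTcast code. All names are hypothetical. */

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* Flawed pattern: request data is passed as the format argument, so any
 * conversion directive in it is interpreted instead of copied. */
int render_flawed(char *out, size_t outlen, const char *request_part)
{
    return snprintf(out, outlen, request_part);
}
#pragma GCC diagnostic pop

/* Corrected pattern: constant format, request data is only ever an argument. */
int render_fixed(char *out, size_t outlen, const char *request_part)
{
    return snprintf(out, outlen, "%s", request_part);
}

/* Defensive check for logging or filtering: 1 if the text contains '%'. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* 1 when both renderings agree, i.e. the input was copied verbatim. */
int renders_verbatim(const char *request_part)
{
    char a[64], b[64];
    render_flawed(a, sizeof a, request_part);
    render_fixed(b, sizeof b, request_part);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed sample. "%%" is the only directive used; it consumes no
     * argument, so the flawed call remains well defined here. */
    const char *sample = "/stream%%.mp3";
    printf("verbatim=%d flagged=%d\n",
           renders_verbatim(sample), has_format_directive(sample));
    return 0;
}
```

Compilers flag the flawed call with `-Wformat-security`; the pragmas above silence that warning only so the contrast can be built and run.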
Chris White, please verify/advise.
*** Bug 75695 has been marked as a duplicate of this bug. ***
Ugh, I checked the forum and there's a link to the exact same exploit announcement. Seems Nullsoft is taking the clueless route or something. I've package.mask'ed this accordingly.
Do we need a masking GLSA for this one?
I would say yes. If there is a remote exec exploit out there and upstream doesn't care, users should be warned against it.
A masking GLSA will be issued.
- - -
We're pleased to announce the immediate release of SHOUTcast DNAS 1.9.5. This release corrects a buffer overflow when parsing requests, which could cause the SHOUTcast process to crash and potentially allow remote access to the host it was running on. We STRONGLY URGE you to upgrade to 1.9.5 ASAP.
- - -
ChrisWhite, please bump/unmask.
Marked on my side. AMD64 needs marking though. Once that's done I'll unmask.
stable amd64... ready for GLSA
Changing to GLSA status. Chris, please unmask package.