Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 75482 - media-sound/shoutcast-server-bin: Remote code execution
Summary: media-sound/shoutcast-server-bin: Remote code execution
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: B1 [glsa] lewk
Keywords:
: 75695 (view as bug list)
Depends on:
Blocks:
 
Reported: 2004-12-23 14:21 UTC by Luke Macken (RETIRED)
Modified: 2005-01-05 07:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Luke Macken (RETIRED) gentoo-dev 2004-12-23 14:21:54 UTC
Product:    SHOUTcast v1.9.4 (and older?)
Vendor:     http://www.shoutcast.com
Vuln:       Remote format string
BugFinder:  Tomasz Trojanowski (onestep)
Author:     Damian Put <pucik cc-team org> www.CC-Team.org
Date:       Dec 23, 2004


1. BACKGROUND

"SHOUTcast is Nullsoft's Free Winamp-based distributed streaming audio
system. Thousands of broadcasters around the world are waiting for you to
tune in and listen"


2. DESCRIPTION

Remote exploitation of a format string vulnerability could allow execution
of arbitrary code.

A part of request, which was sent by attacker to server, would be included
in second arg of sprintf() function (0x0804adc3 in linux binary). It is
obviously not good from a security viewpoint. We can crash SHOUTcast in a
very easy way, using following request:

http://host:8000/content/%n.mp3

Or reach remote shell thanks to attached exploit`s code.


3. CREDIT

Special thanks: 
Tomasz Trojanowski for information about vulnerability


4. EXPLOIT

*** SEE URL ***
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-12-23 14:23:14 UTC
Chris White, please verify/advise.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-12-26 08:58:55 UTC
*** Bug 75695 has been marked as a duplicate of this bug. ***
Comment 3 Chris White (RETIRED) gentoo-dev 2004-12-26 21:26:24 UTC
Ugh, I checked the forum and there's a link to the exact same exploit announcement.  Seems nullsoft is taking the clueless route or something.  I've package.mask'ed this accordingly.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-26 22:54:16 UTC
Do we need a masking GLSA for this one?
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-12-27 09:54:52 UTC
I would say yes. If there is an remote exec exploit out there and upstream doesn't care, users should be warned against it.
Comment 6 Luke Macken (RETIRED) gentoo-dev 2004-12-29 06:31:19 UTC
A masking GLSA will be issued.
Comment 7 Luke Macken (RETIRED) gentoo-dev 2005-01-03 07:31:07 UTC
- - -
We're pleased to announce the immediate release of SHOUTcast DNAS 1.9.5. This release corrects a buffer overflow when parsing requests, which could cause the SHOUTcast process to crash and potentially allow remote access to the host it was running on. We STRONGLY URGE you to upgrade to 1.9.5 ASAP.
- - -

ChrisWhite, please bump/unmask.
Comment 8 Chris White (RETIRED) gentoo-dev 2005-01-03 12:58:43 UTC
Marked on my side.  AMD64 needs marking though.  Once that's done I'll unmask.
Comment 9 Jeremy Huddleston (RETIRED) gentoo-dev 2005-01-04 04:50:37 UTC
stable amd64... ready for GLSA
Comment 10 Luke Macken (RETIRED) gentoo-dev 2005-01-04 05:38:56 UTC
Changing to GLSA status.  Chris, please unmask package.
Comment 11 Luke Macken (RETIRED) gentoo-dev 2005-01-05 07:27:47 UTC
GLSA 200501-04