OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: eSDee (eSDeenetric.org)
Date: Tue Jun 04 2002 - 12:32:12 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ('binary' encoding is not supported, stored as-is) Netric Security Team - http://www.netric.org
    by eSDee

    SHOUTcast 1.8.9 remote bufferoverflow
    Type: Stack Overflow
    Priority: 2

    [1] Description
    [2] Vulnerable
    [3] The exploit
    [4] Vendor response

    [1] Description

    Nullsoft's SHOUTcast 1.8.9 contains a bufferoverflow that is remotely
    exploitable. This allows a malicious DJ to gain unauthorized shell
    access to the system.

    The attacker must know the DJ password in order to exploit this
    vulnerability. This will limit the impact of the bug, however
    if for example the shoutcast server is running as root, a DJ
    can obtain root privileges.

    An attacker is able to overwrite stackdata, including the saved eip
    register by sending the following data to port 8001:

    password\n
    icy-name: netric
    icy-[doesn't matter]: [buffer]

    The icy-name buffer can be overflowed too, but this buffer is not
    stored on the stack.

    [2] Vulnerable

    version | vulnerable | exploitable |
    WIN32 Console/GUI v1.8.9 | yes | not tested |
    FreeBSD 4.x v1.8.9 | yes | yes |
    Linux (glibc) v1.8.9 | yes | yes |
    Mac OS X v1.8.9 | not tested | not tested |
    Solaris Sparc 2.x v1.8.9 | not tested | not tested |

    [3] The exploit

    A remote exploit for 1.8.9 (linux) can be found at:
    http://www.netric.org/exploits/mayday-linux.c

    [4] Vendor response

    This issue is fixed in shoutcast 1.8.12.