SHOUTcast remote format string vulnerability

JimmyF · 24th December 2004, 03:30

Hi,

The following was posted to the Bugtraq security mailing list early this morning:

Product: SHOUTcast v1.9.4 (and older?)
Vendor: http://www.shoutcast.com
Vuln: Remote format string
BugFinder: Tomasz Trojanowski (onestep)
Author: Damian Put <pucik@cc-team.org> www.CC-Team.org
Date: Dec 23, 2004

1. BACKGROUND

"SHOUTcast is Nullsoft's Free Winamp-based distributed streaming audio
system. Thousands of broadcasters around the world are waiting for you to
tune in and listen"

2. DESCRIPTION

Remote exploitation of a format string vulnerability could allow execution
of arbitrary code.

A part of request, which was sent by attacker to server, would be included
in second arg of sprintf() function (0x0804adc3 in linux binary). It is
obviously not good from a security viewpoint. We can crash SHOUTcast in a
very easy way, using following request:

http://host:8000/content/%n.mp3

Or reach remote shell thanks to attached exploit`s code.
---------------------------------

Sure enough, the attached code gives you a remote shell of the user that ran the shoutcast process.

Do the authors know of this?
when will this be fixed?
IMHO this is very high priority.

24th December 2004, 03:30	#1
JimmyF Junior Member Join Date: Dec 2004 Location: Australia Posts: 2	SHOUTcast remote format string vulnerability Hi, The following was posted to the Bugtraq security mailing list early this morning: Product: SHOUTcast v1.9.4 (and older?) Vendor: http://www.shoutcast.com Vuln: Remote format string BugFinder: Tomasz Trojanowski (onestep) Author: Damian Put <pucik@cc-team.org> www.CC-Team.org Date: Dec 23, 2004 1. BACKGROUND "SHOUTcast is Nullsoft's Free Winamp-based distributed streaming audio system. Thousands of broadcasters around the world are waiting for you to tune in and listen" 2. DESCRIPTION Remote exploitation of a format string vulnerability could allow execution of arbitrary code. A part of request, which was sent by attacker to server, would be included in second arg of sprintf() function (0x0804adc3 in linux binary). It is obviously not good from a security viewpoint. We can crash SHOUTcast in a very easy way, using following request: http://host:8000/content/%n.mp3 Or reach remote shell thanks to attached exploit`s code. --------------------------------- Sure enough, the attached code gives you a remote shell of the user that ran the shoutcast process. Do the authors know of this? when will this be fixed? IMHO this is very high priority.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Switch to Linear Mode Switch to Hybrid Mode Threaded Mode