Old 26th December 2004, 22:06   #1
MegaRock
Forum King
 
 
Join Date: Jun 2003
Location: Inside my water bong
Posts: 6,865
If you tested your servers at Fast-Serv they already patched their Linux copies - was working with Randy Christmas Eve. His were hex edited. The Linux version is indeed vulnerable.

Megarock Radio - St. Louis Since 1998!
Don't click this link!
Corporate Radio Sucks! No suits, all rock!
Old 27th December 2004, 00:44   #2
DJ AmPs
Major Dude
 
 
Join Date: Mar 2002
Location: g
Posts: 1,603
Indeed.

I just did some testing on my own and discovered that a couple of my private Linux relays running 1.9.2 (never got around to updating them) don't fall for the %n trick.

It would be much easier for some of the less tech savvy broadcasters to simply "downgrade" to 1.9.2.
Old 27th December 2004, 01:20   #3
MegaRock
Forum King
 
 
Join Date: Jun 2003
Location: Inside my water bong
Posts: 6,865
Good call. Here are links to download the 1.9.2 series:

Windows:
http://www.shoutcast.com/downloads/s...-2-windows.exe

FreeBSD:
http://www.shoutcast.com/downloads/s...sd4-elf.tar.gz

Linux:
http://www.shoutcast.com/downloads/s...-glibc6.tar.gz

Mac:
http://www.shoutcast.com/downloads/s...-macosx.tar.gz

Solaris:
http://shoutcast.com/downloads/sc1-9...s-sparc.tar.gz

Old 27th December 2004, 12:35   #4
WatchLive
Member
 
Join Date: Sep 2004
Posts: 63
I got a crash even with :
iptables -A INPUT -d <ip of server> -p tcp -m length --length 0:50 --dport 8000
Old 27th December 2004, 17:32   #5
DJ AmPs
Major Dude
 
 
Join Date: Mar 2002
Location: g
Posts: 1,603
They can still crash the server with a short request. The iptables rule prevents the bindshell exploit which is a long request. Like stated a couple times in this thread, security must be applied in layers. There is no single magic bullet.
DJ AmPs is offline   Reply With Quote
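Added example (not from the thread, and not Shoutcast's code): `%n` is a printf conversion directive, so a size filter like the iptables length rule above cannot separate safe from unsafe input; the fix is a constant format string at the call site. It assumes the server handed request text to a printf-style function as the format; the function names and sample paths are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if a printf-style function would treat any part of s as a
   conversion directive. "%%" is a literal percent and is skipped. */
bool has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        s++;
        if (*s == '%')
            continue;
        s += strspn(s, "-+ #0");                    /* flags */
        s += strspn(s, "0123456789*");              /* field width */
        if (*s == '.')
            s += 1 + strspn(s + 1, "0123456789*");  /* precision */
        s += strspn(s, "hlLjzt");                   /* length modifiers */
        if (!*s)
            break;                                  /* lone trailing '%' */
        if (strchr("diouxXeEfFgGaAcspn", *s))
            return true;
        s--;            /* re-examine this char: it may start a directive */
    }
    return false;
}

/* Hardened call site: the request text is an argument, never the format.
   The vulnerable shape would be snprintf(out, n, path). */
int log_request(char *out, size_t n, const char *path)
{
    return snprintf(out, n, "request: %s", path);
}

int main(void)
{
    /* Constructed sample paths, not taken from the thread. */
    const char *samples[] = { "/content/a%n.mp3", "/content/my%20song.mp3",
                              "/content/100%%.mp3", "/content/song.mp3" };
    char line[128];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        log_request(line, sizeof line, samples[i]);
        printf("%-34s len=%2zu directive=%d\n", line,
               strlen(samples[i]), has_format_directive(samples[i]));
    }
    return 0;
}
```

The URL-encoded space in the second sample parses as the directive `%20s`, so ordinary requests would also be misread by a vulnerable call; that is why the repair belongs in the server binary and not in a packet filter.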
Old 27th December 2004, 18:18   #6
angelo88
Junior Member
 
Join Date: Dec 2004
Location: Belgium
Posts: 2
after googling around, version 1.9.2 seems barely secure,
has the binary actually been patched for any of those bugs ?
Old 27th December 2004, 18:45   #7
thetron
Junior Member
 
Join Date: Dec 2004
Posts: 31
Hmm Hitzradio.com just went magically down

The playlist file for Hr.com goes directly to the content folder. You'd only have to put the bit of code in. Voilà, server died

Doesn't seem to work with Live radio Dj'in or NVS stations

Quote:
version 1.9.2 seems barely secure,
I second that!
Old 27th December 2004, 19:26   #8
MegaRock
Forum King
 
 
Join Date: Jun 2003
Location: Inside my water bong
Posts: 6,865
Quote:
Originally posted by DJ Killer
Well crap. Do you know what lines he had modified to prevent the exploit?
If you need an edited one let me know, I have fixed some up for a few people I know as a temporary fix until Nullsoft releases something official which from word I received is trying to be accomplished.

Note: Use PM or contact through my site. I'm not posting this in the forums as I'm sure it's against the EULA.

Old 27th December 2004, 19:59   #9
Hethrir
Junior Member
 
Join Date: Dec 2004
Posts: 3
Hi,

I haven't seen any answers to my previous question so I'll try again. Sorry if I'm being pushy :-/

Am I safe if the content dir doesn't exist ( ./content ) and the line from the .conf file is commented out like this:

; ContentDir=./content

Thanks in advance
Hethrir


Quote:
Originally posted by Hethrir
Will this affect me if the "ContentDir" line is commented out in the config ?

It's like this in my config:

; ContentDir=./content
Old 27th December 2004, 23:05   #10
Hethrir
Junior Member
 
Join Date: Dec 2004
Posts: 3
k ... I Changed 3 references to "/content" in the binary to s-g else

The server is running after that change.

The dir is not created and the ContentDir line is commented out in the conf.

Is there anyone who could "test me" to see if I'm still vulnerable?

Let me know :-)
Old 28th December 2004, 04:40   #11
MegaRock
Forum King
 
 
Join Date: Jun 2003
Location: Inside my water bong
Posts: 6,865
Just download the new version from the download area. An official patched version has been released.

Old 28th December 2004, 18:43   #12
WatchLive
Member
 
Join Date: Sep 2004
Posts: 63
Did the .conf change? Or only the sc_serv file?
Can we still use the same .conf ?
Old 28th December 2004, 18:53   #13
bingo
Major Dude
 
 
Join Date: Sep 2004
Posts: 754
Yes WatchLive, you can use the same .conf file. Only sc_serv changed.
Old 28th December 2004, 22:30   #14
angelo88
Junior Member
 
Join Date: Dec 2004
Location: Belgium
Posts: 2
thanks MegaRock, very much appreciated for a fast response.
Let us hope that no more dumb so-called "security-aware crews" suddenly put out a public exploit before warning the
vendor or maker about a possible exploit in their software
and panicking the whole community.
Old 28th December 2004, 23:22   #15
bored_womble
Winamp's Womble
 
 
Join Date: May 2004
Location: Wimbledon Common
Posts: 1,100
I was in two minds to post this, but I thought it was worth the comment.

Although I am extremely happy that someone in AOL (Nullsoft) found time to produce a patch, top stuff guys, it would have been good if they could have released another version with the beta authentication turned on ... although it is kinda weird, may have opened up further doors for people to experiment with ? and perhaps push further than beta ?

I realise that the dev appears to be dead, but i am sure everyone here agrees it is still a top product, very simple, yet very very effective.

Anyway, thanks for the update and please ... start up the good work someone again ?

BW

Without open minds the world will die. Open yours and correct the mistakes you are making right now.
Old 30th January 2006, 14:15   #16
dsvahn
Junior Member
 
Join Date: Jan 2006
Location: Sweden
Posts: 2
My server has crashed 4 times in a 2-day period. With the exact error. When I saw the discussion here I noticed that you were referring to the Shoutcast version 1.9.4

I'm using 1.9.5 and have the same problem.
Isn't this solved yet?
Old 30th January 2006, 22:38   #17
dsvahn
Junior Member
 
Join Date: Jan 2006
Location: Sweden
Posts: 2
My bad, it was 1.9.4 the server used. Seems to work now with 1.9.5