SecurityTracker.com
Category:  Application (Multimedia)  >  Icecast
Vendors:  Icecast.org
Icecast XSL Parser Lets Local Users Gain Elevated Privileges and Discloses XSL Files to Remote Users
SecurityTracker Alert ID:  1013475
SecurityTracker URL:  http://securitytracker.com/id?1013475
CVE Reference:  CAN-2005-0837, CAN-2005-0838
Updated:  Apr 19 2005
Original Entry Date:  Mar 19 2005
Impact:  Disclosure of user information, Execution of arbitrary code via local system, User access via local system
Exploit Included:  Yes  
Version(s): 2.20
Description:  Several vulnerabilities were reported in Icecast in the XSL parser. A local user may be able to obtain elevated privileges. A remote user can obtain XSL files.

A local user can create a specially crafted XSL file that, when loaded by the target user, will execute arbitrary code with the privileges of the target user [CVE: CAN-2005-0838]. Some demonstration exploit contents are provided:

<xsl:when test="<lots of chars>"></xsl:when>
<xsl:if test="<lots of chars>"></xsl:if>
<xsl:value-of select="<lots of chars>" />

A remote user can bypass access controls to obtain certain XML files using the following type of requests [CVE: CAN-2005-0837]:

GET /auth.xsl. HTTP/1.0
GET /status.xsl. HTTP/1.0
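
A log check for the request forms listed above and for the `<`/`>` variants in the source message, added here as an example (not code from SecurityTracker, the reporter, or the Icecast project). It assumes an access log in common log format; the sample entries are constructed, and matching percent-encoded dots goes beyond the cases shown on this page.

```python
import re
from urllib.parse import unquote

# Request line inside a common-log-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
# ".xsl" followed by one or more dots at the end of the path (e.g. /auth.xsl.)
TRAILING_DOT_RE = re.compile(r'\.xsl\.+$', re.IGNORECASE)


def classify_target(target):
    """Return a finding label for a request target, or None if it looks normal."""
    # Drop any query string, then decode %2e and similar so encoded forms match.
    path = unquote(target.split('?', 1)[0])
    if '.xsl' not in path.lower():
        return None
    if TRAILING_DOT_RE.search(path):
        return 'xsl-trailing-dot'      # raw XSL disclosure form (CAN-2005-0837)
    if '<' in path or '>' in path:
        return 'xsl-markup-char'       # "Could not parse XSLT file" probes
    return None


def scan(lines):
    """Return (client, target, finding) for each suspicious log line."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = classify_target(m.group('target'))
        if finding:
            findings.append((line.split(' ', 1)[0], m.group('target'), finding))
    return findings


# Constructed sample entries (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Mar/2005:10:00:01 +0000] "GET /status.xsl HTTP/1.0" 200 2310',
    '192.0.2.44 - - [19/Mar/2005:10:00:07 +0000] "GET /auth.xsl. HTTP/1.0" 200 1875',
    '192.0.2.44 - - [19/Mar/2005:10:00:09 +0000] "GET /status.xsl> HTTP/1.0" 200 64',
    '192.0.2.10 - - [19/Mar/2005:10:00:12 +0000] "GET /stream.ogg HTTP/1.0" 200 0',
    '192.0.2.51 - - [19/Mar/2005:10:00:15 +0000] "GET /status.xsl%2e HTTP/1.0" 200 1875',
]

if __name__ == '__main__':
    for client, target, finding in scan(SAMPLE_LOG):
        print(f'{finding:18} {client:15} {target}')
```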

Patrick Thomassen reported this vulnerability.

Impact:  A local user may be able to gain elevated privileges.

A remote user can obtain XSL files.

Solution:  No solution was available at the time of this entry.
Vendor URL:  www.icecast.org/
Cause:  Access control error, Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Patrick <patrickthomassen@gmail.com>
Message History:   None.


 Source Message Contents

Date:  18 Mar 2005 22:31:14 -0000
From:  Patrick <patrickthomassen@gmail.com>
Subject:  IceCast up to v2.20 multiple vulnerabilities

 



These are tested on IceCast v2.20. This software can be freely obtained from http://www.icecast.org.

"Icecast is a streaming media server which currently supports Ogg 
Vorbis and MP3 audio streams. It can be used to create an Internet 
radio station or a privately running jukebox and many things in 
between. It is very versatile in that new formats can be added 
relatively easily and supports open standards for communication and 
interaction."

1) The XSL parser has some unchecked buffers (local), but they don't seem to be exploitable. If they are, they can be used for privilege escalation, under the user that the server runs.

<xsl:when test="<lots of chars>"></xsl:when>
<xsl:if test="<lots of chars>"></xsl:if>
<xsl:value-of select="<lots of chars>" />

2) Cause XSL parser error "Could not parse XSLT file". (Not very useful).

GET /status.xsl> HTTP/1.0
GET /status.xsl< HTTP/1.0
GET /<status.xsl HTTP/1.0

3) XSL parser bypass. (Useful to steal customized XSL files, lol).

GET /auth.xsl. HTTP/1.0
GET /status.xsl. HTTP/1.0



Copyright 2005, SecurityGlobal.net LLC