SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   Icecast Vendors:   Icecast.org
Icecast Buffer Overflow in Processing HTTP Headers Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1011439
SecurityTracker URL:  http://securitytracker.com/id/1011439
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 28 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.0.1 and prior versions
Description:   Luigi Auriemma reported an overflow vulnerability in Icecast. A remote user can execute arbitrary code on the target system.

It is reported that a remote user can supply an HTTP request containing more than 32 header lines to trigger an overflow and execute arbitrary code.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/iceexec.zip

Impact:   A remote user can execute arbitrary code on the target system with the privileges of the target Icecast service.
Solution:   The vendor has released a fixed version (2.0.2), available at:

http://www.icecast.org/download.php

Vendor URL:  www.icecast.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  May only affect Windows-based systems

Message History:   None.


 Source Message Contents

Subject:  Code execution in Icecast 2.0.1



#######################################################################

                             Luigi Auriemma

Application:  Icecast
              http://www.icecast.org
Versions:     <= 2.0.1
Platforms:    only Win32 seems vulnerable but other platforms could be
              affected in some conditions
Bug:          array overflow
Risk:         critical
Exploitation: remote
Date:         28 September 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Icecast is an audio broadcast system that streams music in both MP3 and
Ogg Vorbis format.


#######################################################################

======
2) Bug
======


The Icecast server accepts a maximum of 32 headers in the clients HTTP
request.

In some environments (like in Win32) a request with more than 31
headers causes the overwriting of the return address of the vulnerable
function with a pointer to the beginning of the 32th header.

In short, is possible to execute remote code simply using the normal
HTTP request plus 31 headers followed by a shellcode that will be
executed directly without the need of calling/jumping to registers or
addresses or using other annoying techniques.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/iceexec.zip


#######################################################################

======
4) Fix
======


Version 2.0.2


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC