SecurityTracker.com
Category:   Application (Multimedia)  >   Icecast
Vendors:   Icecast.org
Icecast XSL Parser Lets Local Users Gain Elevated Privileges and Discloses XSL Files to Remote Users
SecurityTracker Alert ID:  1013475
SecurityTracker URL:  http://securitytracker.com/id/1013475
CVE Reference:   CVE-2005-0837, CVE-2005-0838
Updated:  Apr 19 2005
Original Entry Date:  Mar 19 2005
Impact:   Disclosure of user information, Execution of arbitrary code via local system, User access via local system
Exploit Included:  Yes  
Version(s): 2.20
Description:   Several vulnerabilities were reported in Icecast in the XSL parser. A local user may be able to obtain elevated privileges. A remote user can obtain XSL files.

A local user can create a specially crafted XSL file that, when loaded by the target user, will execute arbitrary code with the privileges of the target user [CVE: CVE-2005-0838]. Some demonstration exploit contents are provided:

<xsl:when test="<lots of chars>"></xsl:when>
<xsl:if test="<lots of chars>"></xsl:if>
<xsl:value-of select="<lots of chars>" />

A remote user can bypass access controls to obtain certain XML files using the following type of requests [CVE: CVE-2005-0837]:

GET /auth.xsl. HTTP/1.0
GET /status.xsl. HTTP/1.0

Patrick Thomassen reported this vulnerability.

Impact:   A local user may be able to gain elevated privileges.

A remote user can obtain XSL files.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.icecast.org/
Cause:   Access control error, Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  IceCast up to v2.20 multiple vulnerabilities




These are tested on IceCast v2.20. This software can be freely obtained from http://www.icecast.org.

"Icecast is a streaming media server which currently supports Ogg 
Vorbis and MP3 audio streams. It can be used to create an Internet 
radio station or a privately running jukebox and many things in 
between. It is very versatile in that new formats can be added 
relatively easily and supports open standards for communication and 
interaction."

1) The XSL parser has some unchecked buffers (local), but they don't seem to be exploitable. If they are, they can be used for privilege escalation, under the user that the server runs.

<xsl:when test="<lots of chars>"></xsl:when>
<xsl:if test="<lots of chars>"></xsl:if>
<xsl:value-of select="<lots of chars>" />

2) Cause XSL parser error "Could not parse XSLT file". (Not very useful).

GET /status.xsl> HTTP/1.0
GET /status.xsl< HTTP/1.0
GET /<status.xsl HTTP/1.0

3) XSL parser bypass. (Useful to steal customized XSL files, lol).

GET /auth.xsl. HTTP/1.0
GET /status.xsl. HTTP/1.0
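
An access-log check for the request patterns in items 2 and 3 above, added here as an example and not part of the original message or advisory: it flags .xsl requests that carry angle brackets or trailing dots. The Common Log Format layout, the label names and the sample entries are assumptions, and the percent-decoding step goes slightly beyond the literal requests shown.

```python
import re
from urllib.parse import unquote

# Common Log Format entry (assumed layout): client ... "METHOD target HTTP/x.y" status
ENTRY_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)

def classify_xsl_request(target):
    """Label a request target that matches the advisory's patterns, else None."""
    path = unquote(target.split("?", 1)[0])   # drop the query string, decode %xx
    name = path.rsplit("/", 1)[-1].lower()    # last path segment only
    if ".xsl" not in name:
        return None
    if "<" in name or ">" in name:
        return "xsl-parse-error-probe"        # e.g. /status.xsl> or /<status.xsl
    if re.fullmatch(r".+\.xsl\.+", name):
        return "xsl-source-disclosure"        # e.g. /auth.xsl.
    return None

def scan_access_log(lines):
    """Return (line number, client, status, label, target) for each flagged entry."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = ENTRY_RE.match(line)
        if not m:
            continue                          # not a parseable request entry
        label = classify_xsl_request(m.group("target"))
        if label:
            findings.append((lineno, m.group("client"), int(m.group("status")),
                             label, m.group("target")))
    return findings

# Constructed sample entries: documentation addresses, invented sizes and status codes.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Mar/2005:10:00:01 +0000] "GET /status.xsl HTTP/1.0" 200 2345',
    '198.51.100.7 - - [19/Mar/2005:10:00:05 +0000] "GET /auth.xsl. HTTP/1.0" 200 1822',
    '198.51.100.7 - - [19/Mar/2005:10:00:09 +0000] "GET /status.xsl> HTTP/1.0" 200 31',
    '198.51.100.7 - - [19/Mar/2005:10:00:11 +0000] "GET /<status.xsl HTTP/1.0" 200 31',
    '192.0.2.10 - - [19/Mar/2005:10:00:12 +0000] "GET /stream.ogg HTTP/1.0" 200 80211',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A flagged xsl-source-disclosure entry with a 200 status is the case to review first, since it indicates the stylesheet itself may have been returned.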

 
 

