[25658] in bugtraq
SHOUTcast 1.8.9 bufferoverflow
daemon@ATHENA.MIT.EDU (eSDee)
Tue Jun 4 16:10:32 2002
Date: 4 Jun 2002 17:32:12 -0000
Message-ID: <20020604173212.20146.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: eSDee <eSDee@netric.org>
To: bugtraq@securityfocus.com
Netric Security Team - http://www.netric.org
by eSDee
SHOUTcast 1.8.9 remote bufferoverflow
Type: Stack Overflow
Priority: 2
[1] Description
[2] Vulnerable
[3] The exploit
[4] Vendor response
[1] Description
Nullsoft's SHOUTcast 1.8.9 contains a bufferoverflow that is remotely
exploitable. This allows a malicious DJ to gain unauthorized shell
access to the system.
The attacker must know the DJ password in order to exploit this
vulnerability. This will limit the impact of the bug, however
if for example the shoutcast server is running as root, a DJ
can obtain root privileges.
An attacker is able to overwrite stackdata, including the saved eip
register by sending the following data to port 8001:
password\n
icy-name: netric
icy-[doesn't matter]: [buffer]
The icy-name buffer can be overflowed too, but this buffer is not
stored on the stack.
[2] Vulnerable
version | vulnerable | exploitable |
WIN32 Console/GUI v1.8.9 | yes | not tested |
FreeBSD 4.x v1.8.9 | yes | yes |
Linux (glibc) v1.8.9 | yes | yes |
Mac OS X v1.8.9 | not tested | not tested |
Solaris Sparc 2.x v1.8.9 | not tested | not tested |
[3] The exploit
A remote exploit for 1.8.9 (linux) can be found at:
http://www.netric.org/exploits/mayday-linux.c
[4] Vendor response
This issue is fixed in shoutcast 1.8.12.
