Nullsoft SHOUTcast File Request Format String Vulnerability
BID:12096
Info
Nullsoft SHOUTcast File Request Format String Vulnerability
| Bugtraq ID: | 12096 |
| Class: | Input Validation Error |
| CVE: |
CVE-2004-1373 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 23 2004 12:00AM |
| Updated: | Jul 12 2009 09:26AM |
| Credit: | Discovery is credited to Tomasz Trojanowski. |
| Vulnerable: |
NullSoft Shoutcast Server 1.9.4 Win32 NullSoft Shoutcast Server 1.9.4 Mac OS X NullSoft Shoutcast Server 1.9.4 Linux |
| Not Vulnerable: |
NullSoft Shoutcast Server 1.9.5 Win32 NullSoft Shoutcast Server 1.9.5 Mac OS X NullSoft Shoutcast Server 1.9.5 Linux |
Discussion
Nullsoft SHOUTcast File Request Format String Vulnerability
Nullsoft SHOUTcast is prone to a remotely exploitable format string vulnerability. The vulnerability is exposed when the server attempts to handle a client request for a file.
Successful exploitation may allow execution of arbitrary code in the context of the server process. This could also be exploited to crash the server and, possibly, to read process memory (which could increase reliability of an exploit).
This issue was reported to exist in version 1.9.4 on Linux. It is likely that versions for other platforms are also affected by the vulnerability, though it is not known to what degree they are exploitable. Earlier versions of the software are also likely affected.
Nullsoft SHOUTcast is prone to a remotely exploitable format string vulnerability. The vulnerability is exposed when the server attempts to handle a client request for a file.
Successful exploitation may allow execution of arbitrary code in the context of the server process. This could also be exploited to crash the server and, possibly, to read process memory (which could increase reliability of an exploit).
This issue was reported to exist in version 1.9.4 on Linux. It is likely that versions for other platforms are also affected by the vulnerability, though it is not known to what degree they are exploitable. Earlier versions of the software are also likely affected.
Exploit / POC
Nullsoft SHOUTcast File Request Format String Vulnerability
Exploit was submitted.
Exploit code shoutcast194_exp.c was submitted by jsk exworm <exworm.hostrocket.com>.
The shoutcast_format_win32.pm exploit is available for Metasploit.
A new exploit is available:
http://www.securityfocus.com/data/vulnerabilities/exploits/shoutcast_expl.c
Exploit was submitted.
Exploit code shoutcast194_exp.c was submitted by jsk exworm <exworm.hostrocket.com>.
The shoutcast_format_win32.pm exploit is available for Metasploit.
A new exploit is available:
http://www.securityfocus.com/data/vulnerabilities/exploits/shoutcast_expl.c
Solution / Fix
Nullsoft SHOUTcast File Request Format String Vulnerability
Solution:
Gentoo has released an advisory to provide updates for this issue. Updates may be applied by running the following commands as the superuser:
emerge --sync
emerge --ask --oneshot --verbose ">=media-sound/shoutcast-server-bin-1.9.5"
This issue has been addressed in version 1.9.5.
NullSoft Shoutcast Server 1.9.4 Win32
NullSoft Shoutcast Server 1.9.4 Mac OS X
NullSoft Shoutcast Server 1.9.4 Linux
Solution:
Gentoo has released an advisory to provide updates for this issue. Updates may be applied by running the following commands as the superuser:
emerge --sync
emerge --ask --oneshot --verbose ">=media-sound/shoutcast-server-bin-1.9.5"
This issue has been addressed in version 1.9.5.
NullSoft Shoutcast Server 1.9.4 Win32
-
NullSoft SHOUTcast Server 1.9.5
http://www.shoutcast.com/download/files.phtml
NullSoft Shoutcast Server 1.9.4 Mac OS X
-
NullSoft SHOUTcast Server 1.9.5
http://www.shoutcast.com/download/files.phtml
NullSoft Shoutcast Server 1.9.4 Linux
-
NullSoft SHOUTcast Server 1.9.5
http://www.shoutcast.com/download/files.phtml
References
Nullsoft SHOUTcast File Request Format String Vulnerability
References:
References:
- Shoutcast Homepage (Nullsoft)
- SHOUTcast remote format string vulnerability (Damian Put
)