('binary' encoding is not supported, stored as-is) Netric Security Team - http://www.netric.org by eSDee SHOUTcast 1.8.9 remote bufferoverflow Type: Stack Overflow Priority: 2 [1] Description [2] Vulnerable [3] The exploit [4] Vendor response [1] Description Nullsoft's SHOUTcast 1.8.9 contains a bufferoverflow that is remotely exploitable. This allows a malicious DJ to gain unauthorized shell access to the system. The attacker must know the DJ password in order to exploit this vulnerability. This will limit the impact of the bug, however if for example the shoutcast server is running as root, a DJ can obtain root privileges. An attacker is able to overwrite stackdata, including the saved eip register by sending the following data to port 8001: password\n icy-name: netric icy-[doesn't matter]: [buffer] The icy-name buffer can be overflowed too, but this buffer is not stored on the stack. [2] Vulnerable version | vulnerable | exploitable | WIN32 Console/GUI v1.8.9 | yes | not tested | FreeBSD 4.x v1.8.9 | yes | yes | Linux (glibc) v1.8.9 | yes | yes | Mac OS X v1.8.9 | not tested | not tested | Solaris Sparc 2.x v1.8.9 | not tested | not tested | [3] The exploit A remote exploit for 1.8.9 (linux) can be found at: http://www.netric.org/exploits/mayday-linux.c [4] Vendor response This issue is fixed in shoutcast 1.8.12.
This archive was generated by hypermail 2b30 : Tue Jun 04 2002 - 13:10:34 PDT