Code execution in Icecast 2.0.1

From: Luigi Auriemma (aluigi_at_autistici.org)
Date: 09/28/04

    Date: Tue, 28 Sep 2004 18:49:43 +0000
    To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com, full-disclosure@lists.netsys.com, vuln@secunia.com
    
    

    #######################################################################

                                 Luigi Auriemma

    Application: Icecast
                  http://www.icecast.org
    Versions: <= 2.0.1
    Platforms: only Win32 seems vulnerable but other platforms could be
                  affected in some conditions
    Bug: array overflow
    Risk: critical
    Exploitation: remote
    Date: 28 September 2004
    Author: Luigi Auriemma
                  e-mail: aluigi@altervista.org
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    Icecast is an audio broadcast system that streams music in both MP3 and
    Ogg Vorbis format.

    #######################################################################

    ======
    2) Bug
    ======

    The Icecast server accepts a maximum of 32 headers in the client's HTTP
    request.

    In some environments (like in Win32) a request with more than 31
    headers causes the overwriting of the return address of the vulnerable
    function with a pointer to the beginning of the 32nd header.

    In short, it is possible to execute remote code simply using the normal
    HTTP request plus 31 headers followed by a shellcode that will be
    executed directly without the need of calling/jumping to registers or
    addresses or using other annoying techniques.

    #######################################################################

    ===========
    3) The Code
    ===========

    http://aluigi.altervista.org/poc/iceexec.zip

    #######################################################################

    ======
    4) Fix
    ======

    Version 2.0.2

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org
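
The bounds check that the header limit described in section 2 calls for, as an added example that is not part of the original advisory and is not Icecast's code. It assumes the request line and each header take one slot in a 32-entry pointer array, which fits the advisory's numbers but is not confirmed by it; `split_request_lines`, `count_fields_for` and `MAX_FIELDS` are hypothetical names, and the request is constructed sample input.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define MAX_FIELDS 32   /* assumed: request line + headers share 32 slots */

/* Splits a mutable request buffer into lines in place and stores a pointer
 * to each line in fields[]. Returns the number of lines stored, or -1 when
 * the request has more lines than fields[] can hold. */
int split_request_lines(char *req, char *fields[], size_t max_fields)
{
    size_t n = 0;
    char *p = req;

    while (*p != '\0') {
        char *eol = strstr(p, "\r\n");
        if (eol == p)            /* empty line: end of the header block */
            break;
        if (n >= max_fields)     /* test the index BEFORE the store */
            return -1;           /* reject instead of writing past the array */
        fields[n++] = p;
        if (eol == NULL)         /* final line without a terminator */
            break;
        *eol = '\0';
        p = eol + 2;
    }
    return (int)n;
}

/* Constructed sample input: a request line plus nheaders dummy headers. */
int count_fields_for(int nheaders)
{
    char buf[2048];
    char *fields[MAX_FIELDS];
    size_t off = (size_t)snprintf(buf, sizeof buf, "GET / HTTP/1.0\r\n");

    for (int i = 0; i < nheaders; i++)
        off += (size_t)snprintf(buf + off, sizeof buf - off, "X-H%d: v\r\n", i);
    snprintf(buf + off, sizeof buf - off, "\r\n");
    return split_request_lines(buf, fields, MAX_FIELDS);
}

int main(void)
{
    printf("31 headers -> %d\n", count_fields_for(31));
    printf("32 headers -> %d\n", count_fields_for(32));
    return 0;
}
```

A parser that stores the pointer first and compares afterwards, or compares with `>` instead of `>=`, writes one element past the array, which is the class of error the advisory reports.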

