Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » SHOUTcast 1.8.9 remote bufferoverflow

SHOUTcast 1.8.9 remote bufferoverflow

by Nikola Strahija on June 4th, 2002 Nullsoft's SHOUTcast 1.8.9 contains a bufferoverflow that is remotely exploitable. This allows a malicious DJ to gain unauthorized shell access to the system.


The attacker must know the DJ password in order to exploit this
vulnerability. This will limit the impact of the bug, however
if for example the shoutcast server is running as root, a DJ
can obtain root privileges.

An attacker is able to overwrite stackdata, including the saved eip
register by sending the following data to port 8001:

passwordn
icy-name: netric
icy-[doesn't matter]: [buffer]

The icy-name buffer can be overflowed too, but this buffer is not
stored on the stack.

[2] Vulnerable

version | vulnerable | exploitable |
WIN32 Console/GUI v1.8.9 | yes | not tested |
FreeBSD 4.x v1.8.9 | yes | yes |
Linux (glibc) v1.8.9 | yes | yes |
Mac OS X v1.8.9 | not tested | not tested |
Solaris Sparc 2.x v1.8.9 | not tested | not tested |

[3] The exploit

A remote exploit for 1.8.9 (linux) can be found at:
http://www.netric.org/exploits/mayday-linux.c

[4] Vendor response

This issue is fixed in shoutcast 1.8.12.



Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »