
Full analysis of multiple remotely exploitable bugs in Icecast 1.3.11


Date: Thu, 4 Apr 2002 13:51:51 +0000 (GMT+00:00)
From: dizznutt@my.security.nl
To: bugtraq@securityfocus.com
Subject: Full analysis of multiple remotely exploitable bugs in Icecast 1.3.11
Cc: team@icecast.org, jack@xiph.org

--Hushpart_boundary_dtTNKduRIGdnWcGUVeMlfRocRSpodbZz
Content-type: text/plain

Hello,

Attached is a full analysis to accompany the earlier disclosed remote root/shell 
exploit for the Icecast mp3 streaming server. It also details some other 
exploitable bugs besides the one that is exploited with the supplied exploit 
and thus I believe has posting value. This write-up was mainly meant to 
aid the icecast developers in locating and eliminating the exact problems,
but I can imagine it would be of some value to other interested parties 
as well.

ltr,
diz - #temp
--Hushpart_boundary_dtTNKduRIGdnWcGUVeMlfRocRSpodbZz
Content-Disposition: attachment
Content-type: application/octet-stream; name="icecast.txt"
Content-Transfer-Encoding: base64
--Hushpart_boundary_dtTNKduRIGdnWcGUVeMlfRocRSpodbZz--
