Heap overflow in PeerCast 0.1217

2007.12.20
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#######################################################################

                             Luigi Auriemma

Application:  PeerCast
              http://www.peercast.org
Versions:     <= 0.1217 and SVN <= 344
Platforms:    Windows, plugin for Winamp, Linux and Mac
Bug:          heap overflow
Exploitation: remote
Date:         17 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


PeerCast is a multi-platform open source program for peer-to-peer
radio streaming.
The broadcasters are visible at http://yp.peercast.org


#######################################################################

======
2) Bug
======


The handshakeHTTP function, which handles all the requests received
from other clients, is vulnerable to a heap overflow that allows an
attacker to fill the loginPassword and loginMount buffers located in
the Servent class with as much data as he wants.

From servhs.cpp:

void Servent::handshakeHTTP(HTTP &http, bool isHTTP)
{
    char *in = http.cmdLine;
    ...
    }else if (http.isRequest("SOURCE"))
    {
        if (!isAllowed(ALLOW_BROADCAST))
        ...
            mount = in+strlen(in);
            while (*--mount)
                if (*mount == '/')
                {
                    mount[-1] = 0; // password precedes
                    break;
                }
            strcpy(loginPassword,in+7);
            ..
            if (mount)
                strcpy(loginMount,mount);
        ...

ALLOW_BROADCAST ("allowBroadcast" in peercast.ini) is enabled by
default.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/peercasthof.zip


#######################################################################

======
4) Fix
======


Version 0.1218 or SVN 347


#######################################################################


---
Luigi Auriemma
http://aluigi.org
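
Added example, not part of the original advisory and not PeerCast's own code: a bounded version of the SOURCE parsing quoted in section 2, which rejects a password or mount that does not fit instead of copying it with strcpy. The function name, the struct and both buffer sizes are assumptions, since the advisory does not give the real sizes of loginPassword and loginMount.

```c
#include <stddef.h>
#include <string.h>

/* Assumed capacities: the advisory does not state the real sizes of
   Servent::loginPassword and Servent::loginMount. */
#define LOGIN_PASSWORD_MAX 64
#define LOGIN_MOUNT_MAX    64

/* Hypothetical stand-in for the two Servent members. */
struct source_login {
    char password[LOGIN_PASSWORD_MAX];
    char mount[LOGIN_MOUNT_MAX];
};

/* Parse "SOURCE <password> /<mount>" without modifying cmd.
   Returns 0 on success, -1 if the line is malformed or a field
   would not fit in its destination buffer. */
int parse_source_line(const char *cmd, struct source_login *out)
{
    static const char prefix[] = "SOURCE ";
    const size_t plen = sizeof(prefix) - 1;  /* 7, the "in+7" of the original */

    if (strncmp(cmd, prefix, plen) != 0)
        return -1;
    const char *pw = cmd + plen;

    /* The last '/' starts the mount, as in the original loop, but strrchr
       stays inside the string and reports a missing '/' as NULL. */
    const char *mount = strrchr(pw, '/');
    if (mount == NULL || mount == pw)
        return -1;

    /* The byte before the mount is the separator that the original
       overwrote with 0; it is not part of the password. */
    size_t pw_len = (size_t)(mount - pw) - 1;
    size_t mount_len = strlen(mount);

    /* Length checks come before any copy; ">=" leaves room for the NUL. */
    if (pw_len >= sizeof(out->password) || mount_len >= sizeof(out->mount))
        return -1;

    memcpy(out->password, pw, pw_len);
    out->password[pw_len] = '\0';
    memcpy(out->mount, mount, mount_len + 1);
    return 0;
}
```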

