####################################################################### Luigi Auriemma Application: PeerCast http://www.peercast.org Versions: <= 0.1217 and SVN <= 344 Platforms: Windows, plugin for Winamp, Linux and Mac Bug: heap overflow Exploitation: remote Date: 17 Dec 2007 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== PeerCast is a multi platform open source software for peer2peer radio streaming. The broadcasters are visible at http://yp.peercast.org ####################################################################### ====== 2) Bug ====== The handshakeHTTP function which handles all the requests received by the other clients is vulnerable to a heap overflow which allows an attacker to fill the loginPassword and loginMount buffers located in the Servent class with how much data he wants. From servhs.cpp: void Servent::handshakeHTTP(HTTP &http, bool isHTTP) { char *in = http.cmdLine; ... }else if (http.isRequest("SOURCE")) { if (!isAllowed(ALLOW_BROADCAST)) ... mount = in+strlen(in); while (*--mount) if (*mount == '/') { mount[-1] = 0; // password preceeds break; } strcpy(loginPassword,in+7); .. if (mount) strcpy(loginMount,mount); ... ALLOW_BROADCAST ("allowBroadcast" in peercast.ini) is enabled by default. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/peercasthof.zip ####################################################################### ====== 4) Fix ====== Version 0.1218 or SVN 347 ####################################################################### --- Luigi Auriemma http://aluigi.org