#######################################################################

Luigi Auriemma

Application:  Steamcast
              http://www.steamcast.com
Versions:     <= 0.9.75
Platforms:    Windows, Linux, *BSD
Bugs:         A] NULL pointer in Content-Length
              B] Off-by-one in the HTTP request
              C] crash in OggHeaderParse
Exploitation: remote
Date:         24 Jan 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Steamcast is a free media server compatible with the SHOUTcast and
Icecast2 protocols.

#######################################################################

=======
2) Bugs
=======

---------------------------------
A] NULL pointer in Content-Length
---------------------------------

Steamcast allocates exactly the amount of memory specified by the
Content-Length header sent by the client, but nothing checks whether
malloc fails. A client can therefore request a size that the
allocator refuses; the resulting NULL pointer is then used and the
server crashes.

---------------------------------
B] Off-by-one in the HTTP request
---------------------------------

An off-by-one vulnerability is located in the code that handles the
client's HTTP request. If the request has a total size of exactly 1328
bytes, the server crashes when it writes the terminating NULL byte one
position past the end of the buffer.
Whether this bug is exploitable depends on how the program was compiled
and on the platform: for example, the Windows version crashes while the
Linux one doesn't.

--------------------------
C] crash in OggHeaderParse
--------------------------

An integer overflow during the parsing of the OGG tags in OggHeaderParse
leads to a crash caused by a memcpy with a huge number of bytes to copy
(a signed negative length converted to unsigned).
This vulnerability is post-auth: the attacker must know the username
and password of the source mount.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/steamcazz.zip

  nc SERVER 8000 -v -v < file

#######################################################################

======
4) Fix
======

Developer contacted, the bugs will probably be fixed in the next version.

#######################################################################
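The following C program is an added illustration of the three bug classes described in section 2; it is not Steamcast's code and not part of the original advisory. Function names, the 1 MiB Content-Length cap, the canary byte after the request buffer and the "4-byte little-endian length followed by data" tag layout are all assumptions made for the example; the only values taken from the advisory are the 1328-byte request size and the signed-to-unsigned memcpy length. Each vulnerable pattern is shown next to a hardened version so the missing check is explicit.

```c
/* Added example: the three bug classes from section 2, modelled generically.
 * NOT Steamcast's code. Names, limits and layouts are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define REQ_BUF  1328          /* request buffer size from the advisory (bug B) */
#define MAX_BODY (1u << 20)    /* hypothetical 1 MiB cap on Content-Length */
#define CANARY   0xAA

/* A] Content-Length. The advisory's pattern is malloc(n) followed by use of
 * the result with no NULL check, so a Content-Length the allocator refuses
 * becomes a NULL dereference. Hardened version: parse strictly, cap the size,
 * and check malloc. Returns 0 and sets *out on success, -1 otherwise. */
int body_alloc_hardened(const char *content_length, char **out) {
    char *end;
    unsigned long long n = strtoull(content_length, &end, 10);
    if (end == content_length || *end != '\0') return -1;  /* not a plain number */
    if (n == 0 || n > MAX_BODY) return -1;                 /* refuse absurd sizes */
    char *buf = malloc((size_t)n);
    if (buf == NULL) return -1;                            /* the missing check */
    *out = buf;
    return 0;
}

/* B] Off-by-one. storage[0..REQ_BUF-1] is the request buffer; storage[REQ_BUF]
 * stands in for whatever the compiler placed after it (which is why the
 * advisory notes that only some builds crash). Keeping the canary inside one
 * array keeps the demonstration itself free of undefined behaviour. */
struct req { unsigned char storage[REQ_BUF + 1]; };

/* Returns -1 if rejected, 1 if the terminator overwrote the canary, 0 if not. */
int parse_request_vulnerable(struct req *r, const unsigned char *data, size_t len) {
    if (len > REQ_BUF) return -1;        /* only len > size is rejected; len == size passes */
    r->storage[REQ_BUF] = CANARY;
    memcpy(r->storage, data, len);
    r->storage[len] = '\0';              /* len == REQ_BUF: lands one byte past the buffer */
    return r->storage[REQ_BUF] != CANARY;
}

int parse_request_fixed(struct req *r, const unsigned char *data, size_t len) {
    if (len >= REQ_BUF) return -1;       /* reserve one byte for the terminator */
    r->storage[REQ_BUF] = CANARY;
    memcpy(r->storage, data, len);
    r->storage[len] = '\0';
    return r->storage[REQ_BUF] != CANARY;
}

/* C] Ogg tag length. Assumed layout: 4-byte little-endian length, then data. */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable pattern: the length is read into a signed int and bounds-checked
 * as such, so a value >= 0x80000000 is negative, passes "len > remaining",
 * and becomes a huge size_t at the memcpy. This function returns the size the
 * memcpy would be called with (0 when rejected) instead of performing it. */
size_t ogg_tag_copy_len_vulnerable(const unsigned char *p, size_t remaining) {
    if (remaining < 4) return 0;
    int len = (int)le32(p);                       /* wraps negative on gcc/clang */
    if (len > (int)(remaining - 4)) return 0;     /* negative len slips through */
    return (size_t)len;                           /* -16 -> SIZE_MAX - 15 */
}

/* Hardened: unsigned length, checked against both the input and the destination.
 * Returns the number of bytes copied, or -1 if rejected. */
int ogg_tag_copy_fixed(const unsigned char *p, size_t remaining, char *dst, size_t dstsz) {
    if (remaining < 4) return -1;
    uint32_t len = le32(p);
    if (len > remaining - 4 || len >= dstsz) return -1;
    memcpy(dst, p + 4, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void) {
    char *body = NULL;
    struct req r;
    unsigned char data[REQ_BUF];
    /* constructed tag: length 0xFFFFFFF0 (negative as int) followed by 4 bytes */
    unsigned char bad_tag[8] = {0xF0, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c', 'd'};
    char out[16];

    printf("A] Content-Length 4294967295 accepted? %s\n",
           body_alloc_hardened("4294967295", &body) == 0 ? "yes" : "no");
    memset(data, 'A', sizeof data);
    printf("B] 1328-byte request, vulnerable parser wrote past buffer: %d\n",
           parse_request_vulnerable(&r, data, REQ_BUF));
    printf("B] 1328-byte request, fixed parser result: %d\n",
           parse_request_fixed(&r, data, REQ_BUF));
    printf("C] vulnerable memcpy length: %zu\n",
           ogg_tag_copy_len_vulnerable(bad_tag, sizeof bad_tag));
    printf("C] fixed parser result: %d\n",
           ogg_tag_copy_fixed(bad_tag, sizeof bad_tag, out, sizeof out));
    return 0;
}
```

The three hardened functions share one idea: every length that comes from the client is treated as untrusted until it has been compared, in an unsigned type, against both the data actually received and the space available, and every allocation result is checked before use.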