Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Takuo KITAME <kitame@debian.org>.
Package: gnome-peercast
Version: 0.5.4-1.1
Severity: grave
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org
Hi,
I found a security issue in the peercast server which also
affects gnome-peercast. I contacted the upstream author of
peercast 6 days ago without any reply so far.
Here are the details:
From core/common/http.cpp:
105 void HTTP::getAuthUserPass(char *user, char *pass)
106 {
107     if (arg)
108     {
109         char *s = stristr(arg,"Basic");
110         if (s)
111         {
112             while (*s)
113                 if (*s++ == ' ')
114                     break;
115             String str;
116             str.set(s,String::T_BASE64);
117             str.convertTo(String::T_ASCII);
118             s = strstr(str.cstr(),":");
119             if (s)
120             {
121                 *s = 0;
122                 if (user)
123                     strcpy(user,str.cstr());
124                 if (pass)
125                     strcpy(pass,s+1);
This function is used if authentication to the gnome-peercast server is done by basic HTTP auth,
which is the case in the standard configuration of gnome-peercast.
In line 116 the base64 encoded string is copied into str.
Note the set method is peercast's/gnome-peercast's own implementation of set
since it reimplements the String class. set looks like this:
From core/common/sys.h:
38     MAX_LEN = 256
...
62     void set(const char *p, TYPE t=T_ASCII)
63     {
64         strncpy(data,p,MAX_LEN-1);
65         data[MAX_LEN-1] = 0;
66         type = t;
67     }
In line 117 the string gets decoded and in line 118 and
following the part before ':' in the decoded string gets copied
into user and the part after it into pass.
From core/common/servhs.cpp:
558 bool Servent::handshakeAuth(HTTP &http,const char *args,bool local)
559 {
560     char user[64],pass[64];
561     user[0] = pass[0] = 0;
...
580     while (http.nextHeader())
581     {
582         char *arg = http.getArgStr();
583         if (!arg)
584             continue;
585
586         switch (servMgr->authType)
587         {
588             case ServMgr::AUTH_HTTPBASIC:
589                 if (http.isHeader("Authorization"))
590                     http.getAuthUserPass(user,pass);
591                 break;
user and pass are only declared to have 64 bytes (line 558) while the buffer used for
the copy can store up to MAX_LEN (256) bytes (ok, minus the : here). Servent::handshakeAuth then calls
the getAuthUserPass function, triggering a buffer overflow.
It's thus possible to crash the server and execute arbitrary code if the server
allows http-basic authentication.
I already requested a CVE id for this.
PoC attached.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
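As an added illustration (not peercast's code and not the patch attached to this bug), the following is a bounded rewrite of the getAuthUserPass logic described above: it decodes the "Basic" value into a MAX_LEN buffer, splits at ':', and refuses credentials that would not fit the 64-byte user/pass buffers instead of strcpy()ing past them. The b64_decode helper and the function names are assumptions made for this example; the 256 and 64 byte limits are the ones quoted in the report.

```c
/* Added example, not peercast's own code: a bounded replacement for the
 * HTTP::getAuthUserPass logic quoted in the report. Limits mirror the
 * report: String::MAX_LEN (256) and user[64]/pass[64] in handshakeAuth. */
#include <stdbool.h>
#include <string.h>
#define MAX_LEN  256   /* decode buffer, as String::MAX_LEN in sys.h */
#define CRED_LEN 64    /* caller's user[]/pass[] size in handshakeAuth */

/* Decode base64 into out (capacity outcap, NUL-terminated). Returns the
 * decoded length, or -1 on a bad character or when the output would not fit. */
static int b64_decode(const char *in, char *out, size_t outcap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;                       /* not in the alphabet */
        acc = (acc << 6) | (unsigned)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outcap) return -1;      /* would overflow out[] */
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Parse "Basic <base64>" from an Authorization header value (case-sensitive
 * "Basic" here, unlike the original stristr). Fills user/pass and returns
 * true only when both parts fit in CRED_LEN bytes including the NUL. */
bool get_auth_user_pass(const char *arg, char *user, char *pass)
{
    char dec[MAX_LEN];
    const char *s = arg ? strstr(arg, "Basic") : NULL;
    if (!s) return false;
    s += 5;
    while (*s == ' ') s++;
    if (b64_decode(s, dec, sizeof dec) < 0) return false;
    char *colon = strchr(dec, ':');
    if (!colon) return false;
    *colon = '\0';
    size_t ulen = strlen(dec), plen = strlen(colon + 1);
    if (ulen >= CRED_LEN || plen >= CRED_LEN) return false;  /* reject, don't overflow */
    memcpy(user, dec, ulen + 1);
    memcpy(pass, colon + 1, plen + 1);
    return true;
}
```

The caller can treat a false return as an authentication failure, which is the defensive outcome the strcpy() version lacks.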
Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>: Bug#478680; Package gnome-peercast.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.
retitle 478680 [gnome-peercast] CVE-2008-2040 stack-based buffer overflow in HTTP::getAuthUserPass function
retitle 478573 [peercast] CVE-2008-2040 stack-based buffer overflow in HTTP::getAuthUserPass function
thanks
Hi,
CVE-2008-2040 was assigned to that, please mention the CVE
id in the changelog if you fix this bug.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Changed Bug title to `[gnome-peercast] CVE-2008-2040 stack-based buffer overflow in HTTP::getAuthUserPass function' from `[gnome-peercast] remote stack-based buffer overflow in HTTP::getAuthUserPass function'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Wed, 30 Apr 2008 14:45:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>: Bug#478680; Package gnome-peercast.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.
tags 478680 + patch
tags 478573 + patch
thanks
Hi,
attached is a patch to fix this issue.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Wed, 30 Apr 2008 16:18:22 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>: Bug#478680; Package gnome-peercast.
Acknowledgement sent to Takuo Kitame <kitame@debian.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.
Package: gnome-peercast
Version: 0.5.4-1.1etch0
It has been fixed for etch; the uploader forgot to close the bug.
Thanks!
--
Marco Rodrigues
http://Marco.Tondela.org
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Aug 2008 07:35:03 GMT)