Nico Golde
2008-Apr-29 20:22 UTC
[Secure-testing-team] Bug#478573: [peercast] stack-based buffer overflow in HTTP::getAuthUserPass function
Package: peercast
Severity: grave
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

I found a security issue in the peercast server in the HTTP::getAuthUserPass function. I already contacted the upstream author 6 days ago and didn't get an answer yet, so I am publishing this now.

From core/common/http.cpp:

    105 void HTTP::getAuthUserPass(char *user, char *pass)
    106 {
    107     if (arg)
    108     {
    109         char *s = stristr(arg,"Basic");
    110         if (s)
    111         {
    112             while (*s)
    113                 if (*s++ == ' ')
    114                     break;
    115             String str;
    116             str.set(s,String::T_BASE64);
    117             str.convertTo(String::T_ASCII);
    118             s = strstr(str.cstr(),":");
    119             if (s)
    120             {
    121                 *s = 0;
    122                 if (user)
    123                     strcpy(user,str.cstr());
    124                 if (pass)
    125                     strcpy(pass,s+1);

This function is used if authentication to the peercast server is done by basic HTTP auth rather than by a cookie. In line 116 the base64 encoded string is copied into str. Note that the set method is peercast's own implementation of set, since it reimplements the String class. set looks like this:

From core/common/sys.h:

    38      MAX_LEN = 256
    ...
    62      void set(const char *p, TYPE t=T_ASCII)
    63      {
    64          strncpy(data,p,MAX_LEN-1);
    65          data[MAX_LEN-1] = 0;
    66          type = t;
    67      }

In line 117 the string gets decoded, and in line 118 and following the part before ':' in the decoded string gets copied into user and the part after it into pass.

From core/common/servhs.cpp:

    558 bool Servent::handshakeAuth(HTTP &http,const char *args,bool local)
    559 {
    560     char user[64],pass[64];
    561     user[0] = pass[0] = 0;
    ...
    580     while (http.nextHeader())
    581     {
    582         char *arg = http.getArgStr();
    583         if (!arg)
    584             continue;
    585
    586         switch (servMgr->authType)
    587         {
    588         case ServMgr::AUTH_HTTPBASIC:
    589             if (http.isHeader("Authorization"))
    590                 http.getAuthUserPass(user,pass);
    591             break;

user and pass are only declared to have 64 bytes (line 558), while the buffer used for the copy can store up to MAX_LEN (256) bytes (ok, minus the ':' here).
Servent::handshakeAuth then calls the getAuthUserPass function, triggering a buffer overflow. It's thus possible to crash the server and execute arbitrary code if the server allows HTTP basic authentication. I already requested a CVE id for this. An example configuration and PoC is attached.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

-------------- next part --------------
[Server]
serverPort = 7144
autoServe = Yes
forceIP = 
isRoot = No
maxBitrateOut = 0
maxRelays = 2
maxDirect = 0
maxRelaysPerChannel = 0
firewallTimeout = 30
forceNormal = No
rootMsg = 
authType = http-basic
cookiesExpire = session
htmlPath = html/en
minPGNUIncoming = 10
maxPGNUIncoming = 20
maxServIn = 50
chanLog = 
networkID = 00000000000000000000000000000000

[Broadcast]
broadcastMsgInterval = 10
broadcastMsg = 
icyMetaInterval = 8192
broadcastID = 008145B5C0427118B595AF7D9E110000
hostUpdateInterval = 180
maxControlConnections = 3
rootHost = yp.peercast.org

[Client]
refreshHTML = 5
relayBroadcast = 30
minBroadcastTTL = 1
maxBroadcastTTL = 7
pushTries = 5
pushTimeout = 60
maxPushHops = 8
autoQuery = 0
queryTTL = 7

[Privacy]
password = s0mep4ss
maxUptime = 0

[Filter]
ip = 255.255.255.255
private = Yes
ban = No
network = Yes
direct = Yes
[End]

[Notify]
PeerCast = Yes
Broadcasters = Yes
TrackInfo = Yes
[End]

[Server1]
allowHTML = Yes
allowBroadcast = Yes
allowNetwork = Yes
allowDirect = Yes
[End]

[Server2]
allowHTML = No
allowBroadcast = Yes
allowNetwork = No
allowDirect = No
[End]

[Debug]
logDebug = No
logErrors = No
logNetwork = No
logChannel = No
pauseLog = No
idleSleepTime = 10
-------------- next part --------------
A non-text attachment was scrubbed...
Name: peercast.py
Type: text/x-python
Size: 435 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080429/1a11964b/attachment.py
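The size mismatch described in the report, worked through as an added example (this is not peercast's code, nor the attached PoC): original_would_overflow() only measures the decoded "user:pass" fields against the 64-byte buffers, without performing the unbounded strcpy(), and check_credential() is a hypothetical bounded replacement that rejects credentials that do not fit. The MAX_LEN and 64-byte sizes come from the report; the function names and the sample credential are constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Sizes from the report: the String class holds MAX_LEN (256) bytes while
 * Servent::handshakeAuth keeps user/pass in 64-byte stack buffers. */
#define MAX_LEN  256
#define USER_LEN 64

/* Field lengths of an already base64-decoded "user:pass" string.
 * Returns false when there is no ':' (the original then copies nothing). */
static bool field_lengths(const char *decoded, size_t *ulen, size_t *plen)
{
    const char *colon = strchr(decoded, ':');
    if (!colon) return false;
    *ulen = (size_t)(colon - decoded);
    *plen = strlen(colon + 1);
    return true;
}

/* Would the original unbounded strcpy() calls overrun a 64-byte buffer?
 * Detection only: the unsafe copy is never performed here. */
bool original_would_overflow(const char *decoded)
{
    size_t ulen, plen;
    if (!field_lengths(decoded, &ulen, &plen)) return false;
    return ulen >= USER_LEN || plen >= USER_LEN;   /* no room for the NUL */
}

/* Hardened variant (hypothetical fix, not peercast's): bounded copies into
 * the same 64-byte stack buffers, rejecting credentials that do not fit. */
bool check_credential(const char *decoded)
{
    char user[USER_LEN], pass[USER_LEN];
    size_t ulen, plen;
    if (!field_lengths(decoded, &ulen, &plen)) return false;
    if (ulen >= sizeof user || plen >= sizeof pass) return false;
    memcpy(user, decoded, ulen); user[ulen] = '\0';
    memcpy(pass, decoded + ulen + 1, plen); pass[plen] = '\0';
    return true;
}

/* Constructed sample: a 100-byte user name, inside MAX_LEN but past 64. */
const char *long_credential(void)
{
    static char buf[MAX_LEN];
    memset(buf, 'A', 100);
    memcpy(buf + 100, ":x", 3);
    return buf;
}
```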
Steve Langasek
2008-Apr-30 23:35 UTC
[Secure-testing-team] Bug#478573: [peercast] stack-based buffer overflow in HTTP::getAuthUserPass function
On Tue, Apr 29, 2008 at 10:22:50PM +0200, Nico Golde wrote:
> Package: peercast
> Severity: grave
> Tags: security
> X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
                ^^^^^^^^^^^^^^^^^^^

Hrm, is this really necessary? I know I'm not actually doing anything on secure-testing-team at the moment, but I'm subscribed because I'm interested in tracking the status of testing security in aggregate... but if the list is going to be used for tracking individual security holes (of which there are surely many), it's much less useful to me and I'll probably unsubscribe.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
Nico Golde
2008-May-01 01:41 UTC
[Secure-testing-team] Bug#478573: [peercast] stack-based buffer overflow in HTTP::getAuthUserPass function
Hi Steve,
* Steve Langasek <vorlon at debian.org> [2008-05-01 01:35]:
> On Tue, Apr 29, 2008 at 10:22:50PM +0200, Nico Golde wrote:
> > Package: peercast
> > Severity: grave
> > Tags: security
> > X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org
>
> Hrm, is this really necessary? I know I'm not actually doing anything on
> secure-testing-team at the moment, but I'm subscribed because I'm interested
> in tracking the status of testing security in aggregate... but if the list
> is going to be used for tracking individual security holes (of which there
> are surely many), it's much less useful to me and I'll probably unsubscribe.

Looks like this was a wishlist bug of reportbug-ng (which I used to report the bug): http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457690

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.