SecurityTracker.com
Category:  Application (Multimedia)  >  SimpleServer Shout
Vendors:  AnalogX
AnalogX SimpleServer:Shout Streaming Audio Server Buffer Overflow May Give Remote Users System Level Access on the Server
SecurityTracker Alert ID:  1004645
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 27 2002
Impact:  Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  Foundstone
Version(s): 1.0
Description:  A buffer overflow vulnerability was reported in AnalogX's SimpleServer:Shout streaming audio server. A remote user could execute arbitrary code on the system.

Foundstone reported that a remote user can send a specially crafted packet to the server to cause the server to crash or cause arbitrary code to be executed on the server with the privileges of the daemon (typically System privileges).

A remote user can send a request to the target host on TCP port 8001 that contains 348 or more non-space characters followed by two carriage return/linefeed (CRLF) pairs to trigger the buffer overflow and cause a write access violation in the application. If the request is sent repeatedly, the server stops responding.

Impact:  A remote user can cause the system to crash or possibly cause arbitrary code to be run on the server with System level privileges.
Solution:  The vendor has reportedly released a fixed version (1.02), available at:

http://www.analogx.com/files/ssshouti.exe

Vendor URL:  www.analogx.com/contents/download/network/ssshout.htm
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  Dave Ahmad <da@securityfocus.com>
Message History:   None.
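
A detection-side check for the condition described above (a run of 348 or more non-space characters ahead of two CRLFs on TCP port 8001), as an added example that is not code from SecurityTracker, Foundstone or AnalogX. The function names, the verdict values and the choice to treat tab, CR and LF as run breakers alongside space are assumptions of this example; it could sit in a filtering proxy or an offline capture review in front of an unpatched 1.0 server.

```c
#include <stdio.h>
#include <string.h>

#define OVERLONG_RUN 348   /* run length the advisory reports as the trigger */

enum verdict { REQ_INCOMPLETE, REQ_OK, REQ_OVERLONG };

/* Offset of the first CRLF CRLF in buf, or -1 if the head is not complete. */
static long head_end(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0)
            return (long)i;
    return -1;
}

/* Longest run of non-whitespace bytes in buf[0..len). Treating tab, CR and
 * LF as run breakers alongside space is an assumption of this example. */
size_t longest_run(const unsigned char *buf, size_t len)
{
    size_t run = 0, best = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == ' ' || buf[i] == '\t' || buf[i] == '\r' || buf[i] == '\n')
            run = 0;
        else if (++run > best)
            best = run;
    }
    return best;
}

/* Classify bytes captured from a client connection to TCP port 8001. */
enum verdict classify_request(const unsigned char *buf, size_t len)
{
    long end = head_end(buf, len);
    if (end < 0)   /* no terminator yet: flag early if the run is already too long */
        return longest_run(buf, len) >= OVERLONG_RUN ? REQ_OVERLONG : REQ_INCOMPLETE;
    return longest_run(buf, (size_t)end) >= OVERLONG_RUN ? REQ_OVERLONG : REQ_OK;
}

int main(void)
{
    unsigned char sample[512];   /* constructed sample, not captured traffic */
    const char *ok = "GET /stream HTTP/1.0\r\nHost: radio\r\n\r\n"; /* assumed syntax */
    memset(sample, 'A', 348);
    memcpy(sample + 348, "\r\n\r\n", 4);
    printf("normal:   %d\n", classify_request((const unsigned char *)ok, strlen(ok)));
    printf("overlong: %d\n", classify_request(sample, 352));
    return 0;
}
```

A REQ_INCOMPLETE verdict means the caller should keep buffering; a proxy should also cap how much it buffers before giving up on a connection.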


 Source Message Contents

Date:  Wed, 26 Jun 2002 15:15:48 -0600 (MDT)
From:  Dave Ahmad <da@securityfocus.com>
Subject:  Foundstone Advisory - Buffer Overflow in AnalogX SimpleServer:Shout

 



Dave Ahmad
SecurityFocus
www.securityfocus.com

---------- Forwarded message ----------
Subject: Foundstone Advisory - Buffer Overflow in AnalogX SimpleServer:Shout
Date: Wed, 26 Jun 2002 14:12:35 -0700
From: "Foundstone Labs" <labs@foundstone.com>
To: <da@securityfocus.com>

----------------------------------------------------------------------
FS Advisory ID:                 FS-062502-22-AXSH

Release Date:                   June 25, 2002

Product:                        AnalogX SimpleServer:Shout

Vendor:                         AnalogX (http://www.analogx.com)

Vendor Advisory:                See vendor web site

Type:                           Buffer Overflow

Severity:                       High

Author:                         Robin Keir (robin.keir@foundstone.com)
                                Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:              Windows variants

Vulnerable versions:            SimpleServer:Shout v1.0

Foundstone Advisory:            http://www.foundstone.com/advisories.htm
---------------------------------------------------------------------

Description

A buffer overflow exists in AnalogX's SimpleServer:Shout software.
Exploitation of this vulnerability allows remote execution of arbitrary
code with the privileges of the Shout daemon (default is SYSTEM).

Details

Sending a fake request to the target system on TCP port 8001 consisting
of a packet of 348 or more non-space characters followed by 2 carriage
return linefeeds causes a write access violation in the application.
Manually dismissing the application error message box that is displayed
on the affected system at this point will terminate the process. If the
message box is not manually dismissed, repeated sending of the request
causes repeated access violation message boxes to appear on the affected
system to the point where the service no longer responds.

Different numbers of bytes sent cause different error conditions to
occur, such as write access violations and Watcom memory error dialogs.

Solution:

Refer to the vendor's web site for further details:
http://www.analogx.com

Credits:

Foundstone would like to thank AnalogX for their prompt response and
handling of this problem.

Disclaimer:

The information contained in this advisory is copyright (c) 2002
Foundstone, Inc. and is believed to be accurate at the time of
publishing, but no representation of any warranty is given, express, or
implied as to its accuracy or completeness. In no event shall the author
or Foundstone be liable for any direct, indirect, incidental, special,
exemplary or consequential damages resulting from the use or misuse of
this information.  This advisory may be redistributed, provided that no
fee is assigned and that the advisory is not modified in any way.


 



Copyright 2002, SecurityGlobal.net LLC