SHOUTcast is Nullsoft's free Winamp-based distributed streaming audio system. Thousands of broadcasters around the world are waiting for you to tune in and listen. It is available for multiple platforms, including Linux and MS Windows. According to the statistics on its website, more than 10,000 servers run this technology. More information can be found at www.shoutcast.com
Shoutcast server 1.9.5 (the latest available version at the time of writing) is vulnerable; older versions weren't tested, but they are most likely also vulnerable. Moreover, as the older versions had their own known bugs (as can be seen from the product's version history), it seems reasonable to assume that they make up only a tiny fraction of the installed servers.
The impact of the vulnerability depends on how the product was installed. In general, it allows the attacker to read any file that can be read by the Shoutcast server process.
Although most installation guides for Shoutcast for Linux recommend running it under a non-privileged user, there is a notable exception -- Gentoo Linux -- where the Shoutcast server (media-sound/shoutcast-server-bin package) runs by default with root privileges (unless the user explicitly modifies the way it is executed). Thus, on Gentoo Linux, the attacker gets read access to (almost) any sensitive piece of information, including /etc/shadow, sources of PHP scripts, *SQL tables, logs, ...
Microsoft Windows users are affected as well, although it seems that only files on the same logical drive as the server can be accessed through this vulnerability.
The Shoutcast server listens for requests on port 8000 (the default; it can be set by "PortBase" in the configuration file). The syntax of the requests is similar to HTTP GET requests (e.g. "GET /path"). If the requested path begins with "/content", the request is considered to be a request for so-called "on-demand" content -- i.e. the client wants to listen to a specific file, usually an MP3 file stored on the server.
The parsing code for this type of request performs two tasks:

1. It ensures that the path doesn't contain any dangerous constructs, like double-dot, backslash or colon. It also checks that the requested filename ends with the .mp3 suffix.

2. It translates the characters represented as %XX (standard URL encoding).

The problem is that these two operations are performed in the wrong order: the checks run on the raw, still-encoded path, and the %XX sequences are decoded only afterwards. As a consequence, it is possible to evade BOTH the filtering of forbidden characters (encoding at least one dot of each ".." as %2E hides it from the filter) AND the required suffix (a %00 decodes to a NUL byte, which terminates the path as far as the server's C string handling is concerned, so the trailing ".mp3" satisfies the check but never reaches the file open).
An example request can be produced with:

    echo -e "GET /content/%2E./.%2E/%2E%2E/etc/passwd%00.mp3\n"

(For Gentoo Linux, three dot-dots usually suffice, as Shoutcast is by default installed in /opt/shoutcast.)
Run the server as a user with limited privileges and/or in a chroot jail.
Detecting the exploit is fairly straightforward: look for "GET " at the start of the first line, followed by "/content", translate the %XX sequences into characters and scan the resulting string for the usual directory-traversal sequences (and for a NUL byte, which is what the suffix bypass relies on). Depending on the IDS used, this might be easy or tricky.
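The detection logic just described, as an added example written for this advisory (not part of it, and not taken from any particular IDS). The sample request lines are constructed for illustration and the rule names are invented; the decoder runs once, mirroring the server's single %XX translation:

```python
# Added example of the detection logic described above; not from the advisory.
# SAMPLE is a constructed set of first request lines, not captured traffic.
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

REQUEST_LINE = re.compile(r"^GET\s+(\S+)")


def traversal_reason(first_line: str) -> Optional[str]:
    """Return why the first request line looks like an attack, or None.

    Mirrors the server's own processing: take the path after "GET ", keep
    only on-demand ("/content") requests, decode %XX once, then inspect the
    DECODED string rather than the raw one.
    """
    m = REQUEST_LINE.match(first_line)
    if not m:
        return None
    path = m.group(1)
    if not path.startswith("/content"):
        return None                     # only on-demand requests matter here
    decoded = unquote(path[len("/content"):])
    if "\x00" in decoded:
        return "NUL byte in path (suffix bypass)"
    if ".." in decoded:
        return "dot-dot in path (directory traversal)"
    if "\\" in decoded or ":" in decoded:
        return "backslash or colon in path"
    if not decoded.endswith(".mp3"):
        return "on-demand request without .mp3 suffix"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for every line that trips a rule."""
    hits = []
    for line in lines:
        reason = traversal_reason(line)
        if reason:
            hits.append((line, reason))
    return hits


# Constructed sample of first request lines as an IDS might see them.
SAMPLE = [
    "GET /content/%2E./.%2E/%2E%2E/etc/passwd%00.mp3",    # the advisory's request
    "GET /content/%2e%2e/%2e%2e/%2e%2e/etc/shadow.mp3",    # traversal without NUL
    "GET /content/albums/track01.mp3",                     # legitimate
    "GET /content/%5C%5Cserver%5Cshare%5Cx.mp3",           # backslash variant
    "GET /admin.cgi?pass=x",                               # not on-demand
]

if __name__ == "__main__":
    for line, reason in scan(SAMPLE):
        print(f"{reason:45} {line}")
```

The NUL check comes first on purpose: an alert that names the suffix bypass tells the analyst this is the advisory's technique rather than a generic traversal probe. Lower-casing or double-decoding is deliberately not done, because the server decodes once; a detector that decodes more aggressively than the target produces alerts for requests the server would never have honoured.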
The authors provided an updated version of the Shoutcast server (1.9.6), which should not have been vulnerable to the issue described above. Unfortunately, it IS vulnerable to a slightly modified attack. Version 1.9.7 is safe from both the original and the modified attacks.
2006-06-??: Looking (without success) for a security contact at Nullsoft.
2006-06-13: Gentoo security team contacted.
2006-06-14: Gentoo security team responded.
2006-06-??: Contact at Nullsoft found and notified.
2006-06-19: Nullsoft released updated version (1.9.6) for Windows.
2006-06-22: Nullsoft released updated version (1.9.6) for other platforms.
2006-06-22: The fix has been found to be flawed, vendor notified again.
2006-06-23: Nullsoft released updated version (1.9.7), vulnerability gone.
2006-07-09: Gentoo issued a GLSA and updated packages for the vulnerability.