CVE-2004-1373 - Unspecified vulnerability in Nullsoft Shoutcast Server 1.9.4

CVSS 7.5 - HIGH

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, low complexity, nullsoft, nessus, exploit available, metasploit

Summary

Format string vulnerability in SHOUTcast 1.9.4 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via format string specifiers in a content URL, as demonstrated in the filename portion of a .mp3 file.

Vulnerable Configurations

Part         Description  Count
Application  Nullsoft     3

Exploit-Db

  • description: SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow. CVE-2004-1373. Remote exploit for win32 platform
    id: EDB-ID:16751
    last seen: 2016-02-02
    modified: 2010-04-30
    published: 2010-04-30
    reporter: metasploit
    source: https://www.exploit-db.com/download/16751/
    title: SHOUTcast DNAS/Win32 1.9.4 File Request Format String Overflow
  • description: SHOUTcast 1.9.4 File Request Format String Remote Exploit (win). CVE-2004-1373. Remote exploit for windows platform
    id: EDB-ID:830
    last seen: 2016-01-31
    modified: 2005-02-19
    published: 2005-02-19
    reporter: mandragore
    source: https://www.exploit-db.com/download/830/
    title: SHOUTcast 1.9.4 File Request Format String Remote Exploit win
  • description: SHOUTcast DNAS/Linux 1.9.4 Format String Remote Exploit. CVE-2004-1373. Remote exploit for linux platform
    id: EDB-ID:712
    last seen: 2016-01-31
    modified: 2004-12-23
    published: 2004-12-23
    reporter: pucik
    source: https://www.exploit-db.com/download/712/
    title: SHOUTcast DNAS/Linux 1.9.4 - Format String Remote Exploit

Metasploit

description: This module exploits a format string vulnerability in the Nullsoft SHOUTcast server for Windows. The vulnerability is triggered by requesting a file path that contains format string specifiers. This vulnerability was discovered by Tomasz Trojanowski and Damian Put.
id: MSF:EXPLOIT/WINDOWS/HTTP/SHOUTCAST_FORMAT
last seen: 2020-01-14
modified: 2017-07-24
published: 2005-12-26
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1373
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/shoutcast_format.rb
title: SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200501-04.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200501-04 (Shoutcast Server: Remote code execution) Part of the Shoutcast Server Linux binary has been found to improperly handle sprintf() parsing. Impact : A malicious attacker could send a formatted URL request to the Shoutcast Server. This formatted URL would cause either the server process to crash, or the execution of arbitrary code. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16395
    published: 2005-02-14
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/16395
    title: GLSA-200501-04 : Shoutcast Server: Remote code execution
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200501-04.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16395);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      script_cve_id("CVE-2004-1373");
      script_xref(name:"GLSA", value:"200501-04");
    
      script_name(english:"GLSA-200501-04 : Shoutcast Server: Remote code execution");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200501-04
    (Shoutcast Server: Remote code execution)
    
        Part of the Shoutcast Server Linux binary has been found to improperly
        handle sprintf() parsing.
      
    Impact :
    
        A malicious attacker could send a formatted URL request to the
        Shoutcast Server. This formatted URL would cause either the server
        process to crash, or the execution of arbitrary code.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      # http://www.securityfocus.com/archive/1/385350
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.securityfocus.com/archive/1/385350"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200501-04"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Shoutcast Server users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=media-sound/shoutcast-server-bin-1.9.5'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:shoutcast-server-bin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"media-sound/shoutcast-server-bin", unaffected:make_list("ge 1.9.5"), vulnerable:make_list("le 1.9.4-r1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Shoutcast Server");
    }
    
  • NASL family: CGI abuses
    NASL id: SHOUTCAST_FMT_STRING.NASL
    description: According to its banner, the version of SHOUTcast Server installed on the remote host is earlier than 1.9.5. Such versions fail to validate requests containing format string specifiers before using them in a call to
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16064
    published: 2004-12-28
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16064
    title: SHOUTcast Server Filename Handling Format String
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(16064);
     script_version("1.20");
     script_cvs_date("Date: 2018/11/15 20:50:18");
    
     script_cve_id("CVE-2004-1373");
     script_bugtraq_id(12096);
    
     script_name(english:"SHOUTcast Server Filename Handling Format String");
     script_summary(english:"SHOUTcast version check");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote streaming audio server is vulnerable to a format string
    attack.");
     script_set_attribute(attribute:"description", value:
    "According to its banner, the version of SHOUTcast Server installed on
    the remote host is earlier than 1.9.5.  Such versions fail to validate
    requests containing format string specifiers before using them in a call
    to 'sprintf()'.  An unauthenticated, remote attacker may be able to
    exploit this issue to execute arbitrary code on the remote host." );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Dec/363");
     script_set_attribute(attribute:"solution", value:"Upgrade to SHOUTcast 1.9.5 or later.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"metasploit_name", value:'SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/23");
     script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/28");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:nullsoft:shoutcast_server");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"CGI abuses");
    
     script_dependencie("http_version.nasl");
     script_require_ports("Services/www", 8000);
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    req = 'GET /content/' + rand_str(length:10) + '.mp3 HTTP/1.0\r\n\r\n';
    
    port = get_http_port(default: 8000);
    
    w = http_send_recv_buf(port:port, data:req);
    if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
    banner = strcat(w[0], w[1], '\r\n', w[2]);
    
    if (egrep(pattern:"SHOUTcast Distributed Network Audio Server.*v(0\.|1\.[0-8]\.|1\.9\.[0-4][^0-9])", string:banner) )
      {
       security_hole(port);
       exit(0);
      }
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/83218/shoutcast_format.rb.txt
id: PACKETSTORM:83218
last seen: 2016-12-05
published: 2009-11-26
reporter: MC
source: https://packetstormsecurity.com/files/83218/SHOUTcast-DNAS-win32-1.9.4-File-Request-Format-String-Overflow.html
title: SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow

Saint

bid: 12096
description: SHOUTcast filename format string vulnerability
id: misc_shoutcast,misc_shoutcastx
osvdb: 12585
title: shoutcast_filename_format_string
type: remote