Vulnerabilities > CVE-2004-1561 - Buffer Overflow vulnerability in Icecast Server HTTP Header

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
icecast
nessus
exploit available
metasploit
NVD
Published: 2004-12-31
Updated: 2017-07-11

Summary

Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.

Vulnerable Configurations

Part Description Count
Application
Icecast
2

Exploit-Db

  • descriptionIcecast <= 2.0.1 Win32 Remote Code Execution Exploit. CVE-2004-1561. Remote exploit for windows platform
    idEDB-ID:568
    last seen2016-01-31
    modified2004-10-06
    published2004-10-06
    reporterDelikon
    sourcehttps://www.exploit-db.com/download/568/
    titleIcecast <= 2.0.1 Win32 - Remote Code Execution Exploit
  • descriptionIcecast <= 2.0.1 Win32 Remote Code Execution Exploit (modded). CVE-2004-1561. Remote exploit for windows platform
    idEDB-ID:573
    last seen2016-01-31
    modified2004-10-12
    published2004-10-12
    reporterK-C0d3r
    sourcehttps://www.exploit-db.com/download/573/
    titleIcecast <= 2.0.1 Win32 - Remote Code Execution Exploit modded
  • descriptionIcecast (. CVE-2004-1561. Remote exploit for win32 platform
    idEDB-ID:16763
    last seen2016-02-02
    modified2010-04-30
    published2010-04-30
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16763/
    titleIcecast <= 2.0.1 - Header Overwrite Win32

Metasploit

descriptionThis module exploits a buffer overflow in the header parsing of icecast versions 2.0.1 and earlier, discovered by Luigi Auriemma. Sending 32 HTTP headers will cause a write one past the end of a pointer array. On win32 this happens to overwrite the saved instruction pointer, and on linux (depending on compiler, etc) this seems to generally overwrite nothing crucial (read not exploitable). This exploit uses ExitThread(), this will leave icecast thinking the thread is still in use, and the thread counter won't be decremented. This means for each time your payload exits, the counter will be left incremented, and eventually the threadpool limit will be maxed. So you can multihit, but only till you fill the threadpool.
idMSF:EXPLOIT/WINDOWS/HTTP/ICECAST_HEADER
last seen2020-05-23
modified2017-07-24
published2005-12-26
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/icecast_header.rb
titleIcecast Header Overwrite

Nessus

NASL familyWeb Servers
NASL idICECAST_HTTP_HEADER_OVERFLOW.NASL
descriptionThe remote web server runs Icecast version 2.0.1 or older. Such versions are affected by an HTTP header buffer overflow vulnerability that may allow an attacker to execute arbitrary code on the remote host with the privileges of the Icecast server process. To exploit this flaw, an attacker needs to send 32 HTTP headers to the remote host to overwrite a return address on the stack.
last seen2020-06-01
modified2020-06-02
plugin id14843
published2004-09-28
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/14843
titleIcecast HTTP Header Processing Remote Overflow
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(14843);
 script_version ("1.24");
 script_cvs_date("Date: 2018/11/15 20:50:25");

 script_cve_id("CVE-2004-1561");
 script_bugtraq_id(11271);
 script_xref(name:"Secunia", value:"12666");
 
 script_name(english:"Icecast HTTP Header Processing Remote Overflow");
 script_summary(english:"Checks Icecast version");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server is prone to a buffer overflow attack." );
 script_set_attribute(attribute:"description", value:
"The remote web server runs Icecast version 2.0.1 or older.  Such
versions are affected by an HTTP header buffer overflow vulnerability
that may allow an attacker to execute arbitrary code on the remote
host with the privileges of the Icecast server process. 

To exploit this flaw, an attacker needs to send 32 HTTP headers to the
remote host to overwrite a return address on the stack." );
 script_set_attribute(attribute:"see_also", value:"http://aluigi.altervista.org/adv/iceexec-adv.txt" );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Sep/396" );
 script_set_attribute(attribute:"see_also", value:"http://lists.xiph.org/pipermail/icecast/2004-September/007614.html" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to Icecast 2.0.2 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Icecast Header Overwrite');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');
 script_set_attribute(attribute:"plugin_publication_date", value: "2004/09/28");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/09/28");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();
 
 script_category(ACT_MIXED_ATTACK);

 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
		
 script_family(english:"Web Servers");
 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 8000);
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:8000);

banner = get_http_banner(port:port);
if (report_paranoia < 2)
{
  if (!banner || "server: icecast/" >!< tolower(banner)) exit(0);
}

if ( safe_checks() )
{
  if ( ! banner ) exit(0);
  if(egrep(pattern:"^Server: icecast/2\.0\.[0-1][^0-9]", string:banner, icase:TRUE))
      security_hole(port);
}
else
{
  if (http_is_dead(port:port)) exit(1, "The web server on port "+port+" is dead");
  h = make_array();
  for (i = 0; i < 31; i ++) h["Header"+i] = "fooBar";
  w = http_send_recv3(method: "GET", item:"/", port: port, add_headers: h);
  if (http_is_dead(port:port)) security_hole(port);
}

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/83162/icecast_header.rb.txt
idPACKETSTORM:83162
last seen2016-12-05
published2009-11-26
reporterLuigi Auriemma
sourcehttps://packetstormsecurity.com/files/83162/Icecast-2.0.1-Header-Overwrite.html
titleIcecast 2.0.1 Header Overwrite

References