PeerCast procConnectArgs() Function URL Handling Remote Overflow

2006-03-1000:00:00

www.tenable.com

7.5 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.963 High

EPSS

Percentile

99.6%

JSON

The version of PeerCast installed on the remote host copies the supplied option string without limit into a finite-size buffer. An unauthenticated attacker can leverage this issue to crash the affected application and possibly to execute arbitrary code on the remote host subject to the privileges of the user running PeerCast.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description) {
  script_id(21041);
  script_version("1.20");

  script_cve_id("CVE-2006-1148");
  script_bugtraq_id(17040);

  script_name(english:"PeerCast procConnectArgs() Function URL Handling Remote Overflow");
  script_summary(english:"Checks version of PeerCast web server");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server suffers from a buffer overflow vulnerability." );
 script_set_attribute(attribute:"description", value:
"The version of PeerCast installed on the remote host copies the
supplied option string without limit into a finite-size buffer.  An
unauthenticated attacker can leverage this issue to crash the affected
application and possibly to execute arbitrary code on the remote host
subject to the privileges of the user running PeerCast." );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/427160/30/0/threaded" );
 # http://web.archive.org/web/20070713004957/http://www.peercast.org/forum/viewtopic.php?t=3346
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ed1ade41" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to PeerCast version 0.1217 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'PeerCast URL Handling Buffer Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2006/03/10");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/03/09");
 script_cvs_date("Date: 2018/11/15 20:50:24");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();


  script_category(ACT_GATHER_INFO);
  script_family(english:"Peer-To-Peer File Sharing");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  script_dependencies("peercast_installed.nasl");
  script_require_keys("PeerCast/installed");
  script_require_ports("Services/www", 7144);

  exit(0);
}


if (!get_kb_item("PeerCast/installed")) exit(0);

include("global_settings.inc");

list = get_kb_list("PeerCast/*/version");
if (isnull(list)) exit(0);

foreach key (keys(list))
{
  port = key - "PeerCast/" - "/version";
  ver = list[key];

  if (get_port_state(port))
  {
    # Check the version.
    vuln = FALSE;

    if (ver =~ "^[0-9]\.[0-9]+$")
    {
      iver = split(ver, sep:'.', keep:FALSE);
      for (i=0; i<max_index(iver); i++)
        iver[i] = int(iver[i]);

      if (iver[0] == 0 && iver[1] < 1218) vuln = TRUE;
    }
    else if (report_paranoia > 1) vuln = TRUE;

    if (vuln)
    {
     report = string(
        "According to its Server response header, the version of PeerCast on the\n",
        "remote host is :\n",
        "\n",
        "  ", ver, "\n"
      );
      security_hole(port:port, extra:report);
      break;
    }
  }
}