Monday, February 20, 2012

CVE-2011-4612 and icecast2

The vulnerability lets a remote client control what gets written to the icecast2 log file: the path of a crafted GET request is echoed into a log entry, and if that path contains '\r' or '\n' bytes they are written verbatim, so the client can terminate the current entry and append forged lines of its own. See the CVE entry and the bug report for the full details.




The code involved is in the fserve_client_create function inside src/fserve.c. The snippet below is from the patched tree (hence filtered_path; the unpatched code passed the raw request path straight in, as the diff further down shows). The request path is logged through INFO2 before the file is even looked up, and fullpath, which is derived from it, is logged again through WARN2 on the 404 path:



    fullpath = util_get_path_from_normalised_uri (filtered_path);
    /* log sink: the client-supplied path is formatted straight into the entry */
    INFO2 ("checking for file %s (%s)", filtered_path, fullpath);
    free(filtered_path);

    if (strcmp (util_get_extension (fullpath), "m3u") == 0)
        m3u_requested = 1;

    if (strcmp (util_get_extension (fullpath), "xspf") == 0)
        xspf_requested = 1;

    /* check for the actual file */
    if (stat (fullpath, &file_buf) != 0)
    {
        /* the m3u can be generated, but send an m3u file if available */
        if (m3u_requested == 0 && xspf_requested == 0)
        {
            /* second log sink: fullpath still carries whatever the path contained */
            WARN2 ("req for file \"%s\" %s", fullpath, strerror (errno));
            client_send_404 (httpclient, "The file you requested could not be found");
            free (fullpath);


As this is a newline injection vulnerability, removing any occurrences of '\r' and '\n' from the path before it reaches the logger would solve the issue. The first patch did that by cutting the path at the first such byte:


 25 +    int i;
 26 +    char *filtered_path;
 27 .
 28 -    fullpath = util_get_path_from_normalised_uri (path);
 29 -    INFO2 ("checking for file %s (%s)", path, fullpath);
 30 +    /* Remove occurances of '\r' and '\n', if any */
 31 +    filtered_path = (char *)malloc(strlen(path)+1);
 32 +    for(i=0; path[i]!='\0'; ++i) {
 33 +        if(path[i] == '\r' || path[i] == '\n') {
 34 +            filtered_path[i] = '\0';
 35 +            break;
 36 +        }
 37 +        else
 38 +            filtered_path[i] = path[i];
 39 +    } ; filtered_path[i] = '\0';
 40 +
 41 +    fullpath = util_get_path_from_normalised_uri (filtered_path);
 42 +    INFO2 ("checking for file %s (%s)", filtered_path, fullpath);
 43 +    free(filtered_path);
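Review bot: the loop truncates the path at the first '\r' or '\n' instead of removing those bytes, so it does not do what the comment on the hunk's first '+' line ("Remove occurances of '\r' and '\n'") says, and because fullpath is then built from filtered_path, a request for `a\nb` is stat'd and served as `a` rather than being logged safely as a single line. Keep a separate write index and skip the offending bytes, e.g. `if (path[i] == '\r' || path[i] == '\n') continue;` followed by `filtered_path[j++] = path[i];` and `filtered_path[j] = '\0';` after the loop, or overwrite them with a placeholder so the rest of the path survives. Also, the malloc result is used without a NULL check, the `(char *)` cast is unnecessary in C, and the stray `;` after the closing brace on the `} ; filtered_path[i] = '\0';` line should move to its own line. Typo: "occurances".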




EDIT: It was later decided that replacing '\r' and '\n' would be a much better option than truncating the string (truncating silently changes which file the request names, since fullpath is derived from the filtered path), so a new patch has been uploaded.
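Both strategies side by side, as an added example that is not icecast's code: a minimal printf-style logger in the shape of the INFO2 call, a constructed request path carrying CR/LF, the truncating sanitiser of the first patch, and the replacing sanitiser that the EDIT above settled on. The function names, the log prefix and the '_' replacement byte are assumptions of this example; the real replacement patch is not quoted here.

```c
/* Added example, not icecast code: a CR/LF-in-path log injection and the two
 * sanitising strategies discussed on this page. The entry format mirrors the
 * INFO2 call in fserve.c; the function names, the log prefix and the '_'
 * replacement byte are this example's own assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Render one log entry into buf the way a printf-style logger would and
 * return how many '\n' it contains. A well-formed entry has exactly one,
 * the terminator; anything more means the path smuggled in a line break. */
int format_entry(char *buf, size_t len, const char *path, const char *fullpath)
{
    int newlines = 0;
    snprintf(buf, len,
             "[INFO] fserve/fserve_client_create checking for file %s (%s)\n",
             path, fullpath);
    for (const char *p = buf; *p != '\0'; ++p)
        if (*p == '\n')
            newlines++;
    return newlines;
}

/* Strategy 1, the first patch on this page: cut the path at the first CR/LF.
 * The rest of the path is silently dropped, so fullpath ends up built from a
 * different name than the client sent. Caller frees. */
char *sanitize_truncate(const char *path)
{
    char *out = malloc(strlen(path) + 1);
    size_t i;
    if (out == NULL)
        return NULL;
    for (i = 0; path[i] != '\0'; ++i) {
        if (path[i] == '\r' || path[i] == '\n')
            break;
        out[i] = path[i];
    }
    out[i] = '\0';
    return out;
}

/* Strategy 2, the later patch: keep the length and overwrite each CR/LF with
 * a byte that cannot start a new log line. '_' is an assumption of this
 * example. Caller frees. */
char *sanitize_replace(const char *path)
{
    size_t n = strlen(path);
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, path, n + 1);
    for (char *p = out; *p != '\0'; ++p)
        if (*p == '\r' || *p == '\n')
            *p = '_';
    return out;
}

int main(void)
{
    /* Constructed request path: the decoded form of a request line such as
     * "GET /x.mp3%0D%0A[ERROR]%20forged HTTP/1.0" (that the path is decoded
     * before it reaches the logger is assumed here). */
    const char *evil = "/x.mp3\r\n[ERROR] forged entry from the request";
    char entry[512];
    char *t, *r;

    printf("unsanitised path -> %d line(s):\n%s",
           format_entry(entry, sizeof entry, evil, "/var/www/x.mp3"), entry);

    t = sanitize_truncate(evil);
    printf("truncated path -> %d line(s):\n%s",
           format_entry(entry, sizeof entry, t, "/var/www/x.mp3"), entry);

    r = sanitize_replace(evil);
    printf("replaced path -> %d line(s):\n%s",
           format_entry(entry, sizeof entry, r, "/var/www/x.mp3"), entry);

    free(t);
    free(r);
    return 0;
}
```

The unsanitised entry comes out as two lines, the second of which is entirely attacker-chosen; both sanitisers bring it back to one line, but only the replacing one keeps the full path the client asked for in the entry, which is what makes the later patch preferable.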
