Update Protection against SHOUTcast Format String Vulnerability

Check Point Reference: CPAI-2006-029
Date Published:
Severity:
Last Updated:
Source: FrSIRT
Industry Reference(s): CAN-2004-1373
Protection Provided by:
VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
SHOUTcast version 1.9.4 on Linux and possibly earlier versions
Vulnerability Description
SHOUTcast is Nullsoft's streaming audio system for Linux and Microsoft Windows platforms. A format string vulnerability was reported in SHOUTcast. A malicious attacker with the ability to send a formatted URL request to the SHOUTcast server may be able to execute arbitrary code on the target system or cause the server to crash.
Vulnerability Status
See FrSIRT at http://www.frsirt.com/exploits/20060128.shoutcast_expl.c.php.  
Update/Patch Available
The issue has been addressed in version 1.9.5. Upgrade to the latest version of SHOUTcast (1.9.5 or later), available from the SHOUTcast Web site at http://www.shoutcast.com/download/files.phtml.
Vulnerability Details
Remote exploitation of a format string vulnerability could allow a server crash or execution of arbitrary code. A format string is a way of telling C output functions how to format the values they print. A number of functions accept a format string as an argument, including fprintf, sprintf, syslog and others. A remote attacker could send a crafted request that is passed into the sprintf() function, crashing the server or causing it to execute arbitrary code.
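
The bug class described above, as an added example (not Check Point's or Nullsoft's code): a request used as the format string beside the hardened call that passes it as data, plus a helper that counts the directives a printf-family function would act on. The function names and the sample request path are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#ifdef SHOW_VULNERABLE
/* Vulnerable pattern (built only with -DSHOW_VULNERABLE): the request IS the
 * format string, so sprintf() interprets its '%' directives, with no bound. */
int build_reply_unsafe(char *out, const char *request)
{
    return sprintf(out, request);
}
#endif

/* Hardened form: constant format, request passed as data, bounded write.
 * Returns the bytes written, or -1 if the request does not fit in out. */
int build_reply_safe(char *out, size_t outlen, const char *request)
{
    int n = snprintf(out, outlen, "%s", request);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Counts the conversion directives a printf-family function would act on
 * if s were used as its format string. "%%" is a literal percent sign. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%' || *++s == '%')
            continue;                               /* plain char or "%%" */
        s += strspn(s, "-+ #0");                    /* flags */
        s += strspn(s, "0123456789*");              /* field width */
        if (*s == '.')
            s += 1 + strspn(s + 1, "0123456789*");  /* precision */
        s += strspn(s, "hlLqjzt");                  /* length modifier */
        if (*s == '\0')
            break;                                  /* dangling '%' at end */
        if (strchr("diouxXeEfFgGaAcspn", *s))
            count++;
    }
    return count;
}

int main(void)
{
    char buf[64];
    const char *req = "/files/%x%x%s.mp3";  /* constructed sample request */
    printf("directives=%d safe_len=%d\n", count_directives(req),
           build_reply_safe(buf, sizeof buf, req));
    return 0;
}
```

With the hardened call the percent signs in the request are copied through as ordinary characters; a non-zero directive count on request data that reaches a format argument is the condition to look for in code review.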

Protection Overview
The update enables the HTTP Worm Catcher to detect and block attempts to exploit the vulnerability, based on pre-defined worm signatures.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The update also includes the following protections:

  • Enhancement to the Microsoft Windows Media Player Vulnerability (CPAI-2006-016)
  • Trojan Spy Goldun.de Protection (CPAI-2006-025)
  • ezDatabase Remote File Inclusion Protection (CPAI-2006-026)
  • TFTPD32 Request Error Message Format String Protection (CPAI-2006-027) - InterSpect NGX only
  • Cisco IOS CDP Status Page Code Injection Protection (CPAI-2006-028)
  • SHOUTcast Filename Request Format String Protection (CPAI-2006-029)
  • Oracle Report File Overwrite/Oracle Report Directory Traversal Protection (CPAI-2006-030)
  • Google Talk via Gmail Web Interface Protection (CPSA-2006-02)
  • IBM Tivoli Access Manager Directory Traversal Protection (CPAI-2006-031)
  • Protection Against NFS Vulnerabilities (CPAI-2006-032)
  • Protection against PmWiki multiple vulnerabilities

VPN-1 NGX R61

How Can I Protect My Network?

1. Update your SmartDefense: Click the SmartDefense Services tab. In the left pane, from the drop-down list, click Download Updates, and then click the Online Update button.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following pattern:

SHOUTcast Filename Request Format String

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: SHOUTcast Filename Request Format String

VPN-1 NGX R60 / VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. Update your SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following pattern:

SHOUTcast Filename Request Format String

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: SHOUTcast Filename Request Format String

VPN-1 NG with Application Intelligence R55/R54

How Can I Protect My Network?
1. Update your SmartDefense by clicking Update Now in the SmartDashboard General window.
2. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
3. Enable the following pattern:

SHOUTcast Filename Request Format String

4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: SHOUTcast Filename Request Format String

InterSpect NGX

How Can I Protect My Network?
1. Update your SmartDefense: In the left pane, from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
3. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
4. Enable the following pattern:

SHOUTcast Filename Request Format String

5. Install policy on all modules. 

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: SHOUTcast Filename Request Format String

InterSpect 2.0

How Can I Protect My Network?
1. Update your SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click Malicious Code > General HTTP Worm Defender.
3. Enable the following pattern:

SHOUTcast Filename Request Format String

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: SHOUTcast Filename Request Format String