Check Point Advisories

SHOUTcast Filename Format String - ver 2 (CVE-2004-1373)

Check Point Reference: CPAI-2016-0118
Date Published: 18 Oct 2009
Severity: High
Last Updated: 17 Feb 2016
Industry Reference:CVE-2004-1373
Protection Provided by:

Security Gateway
R80, R77, R76, R75

Who is Vulnerable?
Vulnerability Description SHOUTcast is a free distributed streaming audio system developed by Nullsoft. It is widely used by Internet-based radio stations. The SHOUTcast server implements a subset of the HTTP protocol to communicate with clients. A client-server session starts with the client requesting an audio stream from the server using a standard HTTP GET request. The server parses the request in order to retrieve the audio stream. While parsing the request, the server makes use of standard C formatted output functions.There exists a format string vulnerability in the SHOUTcast streaming server. A specially crafted filename in a URL passed to the vulnerable server can cause the server to read or write to invalid memory locations. An attacker can exploit this vulnerability to remotely execute code on a vulnerable target.In a simple attack case exploiting this vulnerability, the target SHOUTcast server will terminate causing a denial of service condition. The server must be restarted manually in order to restore the service.In the case of a more sophisticated attack, arbitrary code can be executed with the privileges of the account running SHOUTcast server. The behaviour of the target system will depend on the malicious code injected into the system.On all supported operating systems, the SHOUTcast server does not have a default user account. As such, the user account under which SHOUTcast is run would vary by site. Therefore, the privileges available to malicious code depends upon the user privileges of the owner of the vulnerable process.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability

In order for the protection to be activated, update your Security Gateway product to the latest IPS update.For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R76 / R75

  1. In the IPS tab, click Protections and find the SHOUTcast Filename Format String - ver 2 protection using the Search tool and Edit the protection's settings.
  2. Install policy on all modules.

This protection's log will contain the following information:

Attack Name:  Media Player Enforcement Violation
Attack Information:  SHOUTcast filename format string

This website uses cookies to ensure you get the best experience. Got it, Thanks! MORE INFO