Bugtraq mailing list archives

Winamp SHOUTcast server: Gain Administrator Password

From: arrow () DAHPHISH ORG (Michael)
Date: Fri, 20 Aug 1999 02:19:39 -0700


Greetings Bugtraq, this is my first posting of an advisory, so go easy on me =)

I was recently setting up a Nullsoft SHOUTcast server to relay some
content when I noticed the Administrator password is stored plain text in
the configuration file (./sc_serv.conf by default).

The password is also LOGGED when the web based administration tool is
used. It can be obtained by simply grep'ing the logfile output. The
offending line is here:
<08/20/<08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 
(compatible; MSIE 5.0; Windows 98))

Obtaining the Administrator password allows administration via the web
based system, as well has hijacking the content stream going out to
listeners.

Quick fix would be simply chmod the log and config files to prevent world
reading. Nullsoft should of course parse there log output for sensitive
data, and possibly look into UNIX crypt() for its passwords.

    -arr0w

---
Mike Damm       http://www.dahphish.org/~arrow/
arrow () nakedhackers net     arrow () alphalinux org
Sometimes I think windows calls DevideByZero();

Current thread:

Re: Internet Auditing Project, (continued)
- Re: Internet Auditing Project David Luyer (Aug 15)
  - Re: Internet Auditing Project Peter J. Holzer (Aug 17)
  - [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Bill Nottingham (Aug 17)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Tymm Twillman (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
    - [RHSA-1999:029-01] Denial of service attack in in.telnetd Bill Nottingham (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Olaf Kirch (Aug 19)
    - Insecure use of file in /tmp by trn Martin Schulze (Aug 19)
    - Winamp SHOUTcast server: Gain Administrator Password Michael (Aug 20)
    - Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 21)
    - IE 5.0 allows executing programs Georgi Guninski (Aug 21)
    - Re: IE 5.0 allows executing programs David LeBlanc (Aug 23)
    - Re: IE 5.0 allows executing programs Jesper M. Johansson (Aug 28)
    - Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 21)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? Bob Todd (Aug 24)
    - Re: Vulnerability in Solaris 2.6. rpc.statd ? mb (Aug 28)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Martin Schulze (Aug 19)
    - Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Aaron Campbell (Aug 19)
    - Microsoft Security Bulletin (MS99-030) Aleph One (Aug 20)

(Thread continues...)