COMMAND

    WinAMP

SYSTEMS AFFECTED

    Shoutcast Server

PROBLEM

    Kevin Wetzel posted the following.  The following information is being
    released by  PA Networks  to expose  a potential  problem with the
    Shoutcast  server   for  Linux   version  v1.7.1   for   Shoutcast
    Distributed Network Audio Server.   During testing of new  streams
    the following was discovered.

    Software needed to perform this overflow:

        Winamp (Any Version)
        DSP Plugin for Audio Streaming
        Microsoft Netshow Tools (Audio MP3 Codecs Only)
        Shoutcast Server for Linux v1.7.1

    Normally  the  Winamp  client  uses  the  DSP plugin to encode MP3
    files and send  a single stream  to a DNAS  Server (Shoutcast) for
    distribution  to  listeners.    By  entering   a  string  in   the
    description  past  the  visible  field  the  server  will overflow
    causing the Shoutcast server to  crash.  This has been  tested and
    verified on the Linux version only so we do not know if the  Win32
    version of DNAS is also affected.

    The Linux server crashed with an "Error A" message and the  server
    must be restarted.

    It is possible to crash a  server only when the server is  running
    and  no  connections are  active  on  the  server.  Once an active
    connection from a  Winamp player is  established the condition  is
    not exploitable.  So you would have to catch a server in a "Sleep"
    state meaning that  it would be  running but nothing  is currently
    being broadcast.

SOLUTION

    Nothing yet.
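
    The report above describes a description string longer than the
    client's visible field reaching the server.  As an added example
    (not vendor code and not part of the original post), one way a
    server can enforce its own bound on such a field; the struct, the
    function name and the 64-byte limit are assumptions, since the
    advisory gives no sizes or wire format.

```c
#include <stdio.h>
#include <string.h>

#define DESC_MAX 64  /* assumed limit; the advisory states no size */

/* Hypothetical per-stream record, not the real DNAS layout. */
struct stream_info {
    char description[DESC_MAX + 1];
};

enum desc_result { DESC_OK = 0, DESC_TOO_LONG = -1, DESC_BAD_BYTE = -2 };

/* Store a source-supplied description. src holds len raw bytes from the
 * network and is not assumed to be NUL-terminated. On any error the
 * existing description is left untouched. */
enum desc_result set_description(struct stream_info *s,
                                 const unsigned char *src, size_t len)
{
    size_t i;

    /* Drop a trailing CR/LF left by line-based input. */
    while (len > 0 && (src[len - 1] == '\r' || src[len - 1] == '\n'))
        len--;

    /* The client's field width is not a control: enforce the limit here,
     * and reject instead of silently truncating. */
    if (len > DESC_MAX)
        return DESC_TOO_LONG;

    /* Refuse control bytes and embedded NULs before storing. */
    for (i = 0; i < len; i++)
        if (src[i] < 0x20 || src[i] == 0x7f)
            return DESC_BAD_BYTE;

    memcpy(s->description, src, len);
    s->description[len] = '\0';
    return DESC_OK;
}

int main(void)
{
    struct stream_info s = { "idle" };
    unsigned char big[300];              /* constructed oversized input */
    memset(big, 'A', sizeof big);
    printf("%d\n", set_description(&s, big, sizeof big));   /* rejected */
    printf("%d %s\n", set_description(&s,
           (const unsigned char *)"Test stream\r\n", 13), s.description);
    return 0;
}
```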