Digit-Labs Security Advisory (http://www.digit-labs.org/)
Advisory Name: Security-issues with Icecast Version 1.3.7
Release Date:
Application: Tested on Icecast Version 1.3.7
Platform: Windows 2000 Prof
Severity: Medium
Author(s): GoLLuM.no [mailto:[email protected]]
Vendor Status: Unknown
Executive Summary:
Icecast is an audio-streaming server for Unix and Windows. Only the
Windows version has been tested. Icecast allows remote administration
and client access through a web interface. Icecast is used mainly by
radio stations to broadcast audio on the internet. Icecast does not need
a separate web server to be present; it handles all HTTP requests by
itself.
I have discovered the following:
- remote DoS attack,
- folder traversal exploit.
Detailed Description:
Remote DoS attack *
If the server has enabled HTTP file-streaming support, a malicious
client can perform a DoS remotely. HTTP file-streaming support is not
enabled by default, but is enabled by setting the variable "staticdir"
in the configuration file "icecast.conf". The DoS causes an
"Application Error" in Windows, crashing the Icecast server completely.
The DoS is triggered by appending an extra "/" or "\" to the requested
mp3 file name.
Folder traversal exploit *
Mp3 files residing outside the web catalog can be accessed by replacing
each "." with its percent-encoded ASCII value; using "/%25%25/" instead of
"/../" will walk one folder downward.
Proof-of-concept:
Remote DoS attack *
Complete the following steps to recreate the DoS:
1. Start your Icecast server.
2. Place an mp3 file named "test.mp3" in the directory you
specified in the variable "staticdir".
3. Open a web browser and type
"http://www.someserver.zom:8000/file/test.mp3/"
Folder traversal exploit *
Place an mp3 file named "test1.mp3" in the directory below the one you
specified in the variable "staticdir".
Then write the following in your browser:
http://localhost:8000/file/../test1.mp3 - will fail to get the file
http://localhost:8000/file/%2E%2E/test1.mp3 - will succeed in getting
the file
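Both findings above come down to how a file request under the "staticdir" prefix is validated before it reaches the filesystem: the traversal works because the ".." check runs on the raw, still-encoded path, and the crash comes from handing a name with a trailing separator to the file layer. The following is an added example, not Icecast code, showing how a hardened static-file lookup would treat the advisory's requests. It percent-decodes exactly once, rejects empty, "." and ".." components and trailing separators with an HTTP error, and finally confirms the resolved path still lies inside the configured directory. The STATICDIR value, the classify() helper and the sample request targets are constructed for the example.

```python
import os
from urllib.parse import unquote, urlsplit

# Assumed directory for the example; it stands in for the "staticdir"
# value from icecast.conf.
STATICDIR = "/srv/icecast/static"
PREFIX = "/file/"  # the URL prefix the advisory's requests use


class RequestError(Exception):
    """A request that must be answered with an HTTP error instead of a file."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status
        self.reason = reason


def safe_static_path(request_target, staticdir=STATICDIR):
    """Map a /file/<name> request to a filesystem path strictly inside staticdir.

    Raises RequestError for anything that is not a plain file name under staticdir.
    """
    path = urlsplit(request_target).path
    if not path.startswith(PREFIX):
        raise RequestError(404, "not a static file request")

    # Decode percent-encoding BEFORE validating. Checking the raw string for
    # ".." is exactly the mistake that lets "%2E%2E" through.
    name = unquote(path[len(PREFIX):])

    # A trailing "/" or "\" is a malformed file request; answer 400 instead of
    # handing an odd path to the file layer (the advisory's crash trigger).
    if name == "" or name.endswith(("/", "\\")):
        raise RequestError(400, "file name must not end with a separator")

    # Only forward slashes are accepted as separators, so a "\" can never be
    # reinterpreted by Windows as a path separator later on.
    if "\\" in name:
        raise RequestError(400, "backslash not allowed in file name")

    parts = name.split("/")
    if any(part in ("", ".", "..") for part in parts):
        raise RequestError(400, "path component not allowed")

    # Belt and braces: resolve the final path and confirm it is still inside
    # staticdir, which also catches symlinks that point out of the tree.
    base = os.path.realpath(staticdir)
    full = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, full]) != base:
        raise RequestError(403, "path escapes staticdir")
    return full


def classify(request_target, staticdir=STATICDIR):
    """Return (200, resolved_path) or (error_status, reason) for one request target."""
    try:
        return 200, safe_static_path(request_target, staticdir)
    except RequestError as err:
        return err.status, err.reason


# Constructed request targets: the two from the advisory plus a few variants.
SAMPLE_REQUESTS = [
    "http://www.someserver.zom:8000/file/test.mp3/",    # advisory DoS trigger (trailing "/")
    "http://www.someserver.zom:8000/file/test.mp3\\",   # same with a trailing "\"
    "http://localhost:8000/file/%2E%2E/test1.mp3",      # advisory traversal (encoded "..")
    "http://localhost:8000/file/../test1.mp3",          # plain traversal
    "http://localhost:8000/file/%252E%252E/test1.mp3",  # double-encoded: decodes to a literal name
    "http://localhost:8000/file/test.mp3",              # legitimate request
    "http://localhost:8000/file/shows/monday.mp3",      # legitimate request in a subfolder
]

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        status, detail = classify(target)
        print(f"{status}  {target}  ->  {detail}")
```

Decoding once and then validating the decoded components is the key ordering: "%2E%2E" becomes ".." and is refused, while a double-encoded "%252E%252E" decodes to the literal directory name "%2E%2E" and is served only if such a directory exists under staticdir. The realpath/commonpath check is a second, independent guard so that a mistake in the component filter still cannot yield a path outside the tree.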
Links:
- http://www.icecast.org/