COMMAND
Icecast
SYSTEMS AFFECTED
Icecast v1.3.7
PROBLEM
"gollum" found the following. Icecast is an audio-streaming server
for Unix and Windows(C)(TM). Only the Windows version has been
tested. Icecast allows for remote administration and client
access by a web-interface. Icecast is used mainly by
radio-stations to broadcast audio on the internet. Icecast does
not need the presence of any particular web-server; it handles all
HTTP-requests by itself.
"gollum" discovered the following:
- remote DoS attack,
- folder traversal exploit.
* Remote DoS attack *
=====================
If the server has enabled the HTTP-server file streaming support,
a malicious client can perform a DoS remotely. HTTP-server file
streaming support is not enabled by default, but is enabled by
altering the variable "staticdir" in the configuration-file
"icecast.conf". The DoS causes an "Application Error" in Windows,
thus crashing the Icecast-server completely. The DoS is caused by
adding an extra "/" or "\" behind the requested mp3-file.
Complete the following steps to recreate the DoS:
1. Start your Icecast-server
2. Place an mp3-file named "test.mp3" in the directory you
specified in the variable "staticdir"
3. Open a web-browser and type
http://www.someserver.zom:8000/file/test.mp3/
* Folder traversal exploit *
============================
Mp3-files residing outside the Web catalog can be accessed by
replacing each "." with its URL-encoded ASCII value; thus using
"/%2E%2E/" instead of "/../" will walk one folder downward (the
server rejects the literal "..", but does not decode the request
path before checking it).
Place an mp3-file named "test1.mp3" in the directory below the one
you specified in the variable "staticdir". Then write the
following in your browser:
http://localhost:8000/file/../test1.mp3 - Will fail in getting the file
http://localhost:8000/file/%2E%2E/test1.mp3 - Will succeed in getting the file
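Both issues above come from the same root cause: the "/file/" handler
uses the request path before it has been percent-decoded and
canonicalised, so an encoded ".." slips past the traversal check and a
trailing separator reaches the file-open code. The following is an
added example (not Icecast's code, and not from "gollum") of the check
a defender would put in front of a static-file handler, together with
a small scanner that applies the same check to access-log lines to
spot the requests described in this advisory. The STATICDIR value,
the log lines and the log format are constructed for the example.

```python
import os
import re
from urllib.parse import unquote

# Assumed location of the static directory (the "staticdir" setting);
# constructed for this example, not taken from any real icecast.conf.
STATICDIR = "/var/lib/icecast/static"
FILE_PREFIX = "/file/"


def resolve_static_request(request_path, staticdir=STATICDIR):
    """Decide whether a "/file/..." request may be served.

    Returns (ok, reason, resolved_path). The request path is fully
    percent-decoded first, then checked for the trailing-separator
    case (the crash trigger) and finally canonicalised and confined
    to staticdir (the traversal case). Only the canonical path is
    ever handed to the file system.
    """
    if not request_path.startswith(FILE_PREFIX):
        return (False, "not a static file request", None)
    rel = request_path[len(FILE_PREFIX):]

    # Decode until stable so double-encoding (%252E -> %2E -> .) cannot
    # hide a dot from the check; bound the loop to avoid pathological input.
    decoded = rel
    for _ in range(4):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once

    if decoded == "" or "\x00" in decoded:
        return (False, "empty or NUL-containing filename", None)
    # The advisory's DoS: a request for "test.mp3/" or "test.mp3\".
    # Backslashes are rejected outright; on Windows they are separators.
    if decoded.endswith("/") or "\\" in decoded:
        return (False, "trailing or backslash separator", None)

    # Canonicalise and confine: realpath() collapses ".." and symlinks,
    # commonpath() then proves the result is still inside staticdir.
    base = os.path.realpath(staticdir)
    target = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, target]) != base:
        return (False, "path escapes staticdir", None)
    return (True, "ok", target)


# Constructed access-log lines in a common-log-like layout (not a real
# Icecast log). The last three mirror the requests in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2001:10:00:00 +0000] "GET /file/test.mp3 HTTP/1.0" 200 5120
10.0.0.7 - - [01/Jan/2001:10:00:03 +0000] "GET /file/test.mp3/ HTTP/1.0" 200 0
10.0.0.9 - - [01/Jan/2001:10:00:07 +0000] "GET /file/%2E%2E/test1.mp3 HTTP/1.0" 200 4096
10.0.0.9 - - [01/Jan/2001:10:00:09 +0000] "GET /file/../test1.mp3 HTTP/1.0" 404 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_suspicious_requests(log_text):
    """Return (client, path, reason) for every /file/ request that the
    hardened check would have refused. Running the same rule over logs
    shows which clients already sent such requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        if not path.startswith(FILE_PREFIX):
            continue
        ok, reason, _ = resolve_static_request(path)
        if not ok:
            findings.append((client, path, reason))
    return findings


if __name__ == "__main__":
    for client, path, reason in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{client}: {path} -> {reason}")
```

The order of the checks matters: decoding must happen before the
".." and separator tests, and the path handed to the file system must
be the canonical one, not the decoded string. Note that the encoded
"%2E%2E" request in the sample log was answered with status 200, so a
log search for the literal "../" would have missed it; applying the
decoding check to the logs finds it.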
SOLUTION
Nothing yet.