Home page logo

bugtraq logo Bugtraq mailing list archives

From: "gollum" <gollum () evilemail com>
Date: Tue, 26 Jun 2001 11:14:04 -0400

Attached is our latest advisory.

GoLLuM.no, Digit-Labs.

Get your own FREE evilemail.com Email account at...

EvilEmail.com - Free email for the living and the dead.

** Digit-Labs Security Advisory (http://www.digit-labs.org/) **

Advisory Name: Security-issues with Icecast Version 1.3.7
Release Date: 
Application: Tested on Icecast Version 1.3.7
Platform: Windows 2000 Prof
Severity: Medium
Author(s): GoLLuM.no [mailto:gollum () digit-labs org]
Vendor Status: Unknown

Executive Summary:
Icecast is an audio-streaming server for Unix and Windows(C)(TM). Only the Window version has been tested. Icecast 
allows for remote administration and client access by a web-interface. Icecast is used mainly by radio-stations to 
broadcast audio on the internet. Icecast does not need a presence of any particular web-server, it handles all 
http-requests by itself. 

I have discovered the following:
        - remote DoS attack,
        - folder traversal exploit.

Detailed Description:

* Remote DoS attack *
If the server has enabled the http-server file streaming support, a malicious client can perform a DoS remeotly. 
Http-server file streaming support is not enabled by default, but is enabled by altering variable "staticdir" in the 
configuration-file "icecast.conf". The DoS causes an "Application Error" in Windows, thus crashing the Icecast-server 
completely. The DoS is caused by adding an extra "/" or "\" behind the requested mp3-file.

* Folder traversal exploit *
Mp3-files residing outside the Web catalog can be accessed by replacing ascii-values for each ".", thus using 
"/%25%25/" instead of "/../" will walk one folder downward.


* Remote DoS attack *
Complete the following steps to recreate the DoS
        1. Start your Icecast-server
        2. Place a mp3-file named "test.mp3" in the directory you specified in the variable "staticdir"
        3. Open a web-browser and type "http://www.someserver.zom:8000/file/test.mp3/";
* Folder traversal exploit *
Place a mp3-file named "test1.mp3" in the directory below the one you specified in the variable "staticdir".
Then write the following in your browser:
        http://localhost:8000/file/../test1.mp3 - Will fail in getting the file
        http://localhost:8000/file/%2E%2E/test1.mp3 - Will succeed in getting the file


  By Date           By Thread  

Current thread:
  • Advisory gollum (Jun 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]