[icecast] Full analysis of the remotely exploitable icecast 1.3.x bugs

dizznutt at my.security.nl dizznutt at my.security.nl
Sat Apr 6 02:24:38 PST 2002


Hello Icecast folks,

Attached is an analysis I slapped together detailing the exact specifics 
of the bug that is exploited with the icecast exploit I disclosed earlier 
this week. Furthermore, it details another remotely exploitable bug. I sent 
this to team at icecast.org and to Jack Moffitt, but have not received a response 
as of yet. So if people, like I noticed in the icecast at xiph.org list, are 
weary of applying the temporary greater than 8000 bytes string check patch 
to client.c (which makes sure you have a 192 byte buffer left for your server 
hostname and stream port, and would thus catch pretty much all possible 
attacks using said bugs), they can have a look at this analysis and apply 
temporary fixes themselves, until the Icecast dev team sees fit to release 
official patches.

Oh and in response to the "I know how to get passwords on a default install". 
Isn't that just doable by going to http://example.icecast.server:8000/admin 
right after a default install?

If this list does not allow attachments you can also find said analysis 
at:

http://online.securityfocus.com/archive/1/265719

Oh and if people want to test their local systems against this bug, you 
can acquire the exploit at:
(it should be noted that this version of the exploit is just meant for linux 
x86 targets. This does not mean this bug is not exploitable on other platforms)

http://www.packetstormsecurity.nl/filedesc/icx.c.html

ltr,
diz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: icecast.txt
Type: application/octet-stream
Size: 4808 bytes
Desc: icecast.txt
Url : http://lists.xiph.org/pipermail/icecast/attachments/20020406/885b462f/icecast.obj

