[Icecast] Icecast exploits?

epirat07 at gmail.com epirat07 at gmail.com
Fri Nov 24 14:49:29 UTC 2023


On 24 Nov 2023, at 15:37, Jack Elliott wrote:

> Thank you, Philipp. It was things like buffer overflow attacks once connected as a source that I was concerned about. It's reassuring to hear that Icecast server is not exploitable. The Best Practices you suggested are good ones, I'll discuss them with station management.
>

I don’t think you can assert with absolute confidence for any system that it cannot be exploited. (Except
maybe if it's formally proven, but even then it would only affect that one component, not lower levels like
the kernel it's running on and so on…)

The question in itself does not make much sense honestly, as it would imply knowing about exploits in Icecast,
but if we knew of any, of course we would have fixed them already.

Note that older versions of Icecast sometimes did have security-relevant issues with
varying degrees of severity. Just like with any software. You can find a list here:

https://www.cvedetails.com/vulnerability-list/vendor_id-693/Icecast.html

> -- 
> Jack Elliott
> Director of Classical Music Programming
> High Desert Community Radio
> KPOV Bend, Oregon
>
> On 11/23/23 9:45 PM, Philipp Schafft wrote:
>> Good afternoon,
>>
>> On Thu, 2023-11-23 at 10:27 -0600, Jack Elliott wrote:
>>> [...]
>>> But I ask if there is any history of someone with the source password
>>> hacking into the server computer to do Bad Things?
>> There is no way to "hack into the server computer" using the source
>> password with only Icecast.
>>
>> What you can do using the source password is to... connect a source.
>> Generally if you cannot trust your sources avoid using the global
>> source password. Give everyone a personal username and password and
>> only allow that on the given mount point when they are allowed to
>> stream to it.
>>
>> At the very least you should invalidate any credentials you gave someone
>> when that person leaves your team. ;)
>>
>>
>> With best regards,
>>
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast
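
The advice quoted above (personal username and password per mount point instead of the global source password) can be checked against a configuration file. The following is an added example, not code from this thread or from the Icecast project; it assumes Icecast 2.4-style `<mount>` blocks with `<username>` and `<password>`, and the function name, mount names and credentials are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Icecast 2.4 configuration syntax; all names/secrets are made up.
SAMPLE_CONFIG = """
<icecast>
  <authentication>
    <source-password>hackme</source-password>
  </authentication>
  <mount type="normal">
    <mount-name>/classical.ogg</mount-name>
    <username>dj_alice</username>
    <password>constructed-secret-1</password>
  </mount>
  <mount type="normal">
    <mount-name>/jazz.ogg</mount-name>
  </mount>
</icecast>
"""

DEFAULT_PASSWORDS = {"hackme"}  # placeholder value in the sample icecast.xml

def audit_source_credentials(xml_text):
    """Return (location, finding) tuples for weak source authentication."""
    root = ET.fromstring(xml_text)
    findings = []
    global_pw = (root.findtext("authentication/source-password") or "").strip()
    if global_pw in DEFAULT_PASSWORDS:
        findings.append(("global", "source-password is still the sample default"))
    seen = {}  # password -> first mount using it, to spot shared secrets
    for mount in root.findall("mount"):
        name = (mount.findtext("mount-name") or "?").strip()
        user = (mount.findtext("username") or "").strip()
        pw = (mount.findtext("password") or "").strip()
        if not pw:
            findings.append((name, "no per-mount password, global source password applies"))
            continue
        if not user:
            findings.append((name, "no personal username set for this mount"))
        if pw in seen:
            findings.append((name, "password shared with " + seen[pw]))
        seen.setdefault(pw, name)
    return findings

if __name__ == "__main__":
    for where, what in audit_source_credentials(SAMPLE_CONFIG):
        print(where + ": " + what)
```

Mount points that are not declared in the configuration at all are not visible to this check; they also authenticate with the global source password.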


