[Icecast] Icecast exploits?
Jack Elliott
that.jack.elliott at gmail.com
Fri Nov 24 15:06:34 UTC 2023
Thank you Marvin.
I was aware of the internal contradiction of my question but couldn't
think of a better way to ask whether we were aware if a source
password-equipped Bad Actor could do harm.
Thank you for the link describing the security vulnerabilities of
Icecast. We're running 2.4.0 and that looks pretty solid.
--
Jack Elliott
Director of Classical Music Programming
High Desert Community Radio
KPOV Bend, Oregon
On 11/24/23 8:49 AM, epirat07 at gmail.com wrote:
> On 24 Nov 2023, at 15:37, Jack Elliott wrote:
>
>> Thank you, Philipp. It was things like buffer overflow attacks once connected as a source that I was concerned about. It's reassuring to hear that Icecast server is not exploitable. The Best Practices you suggested are good ones, I'll discuss them with station management.
>>
> I don’t think you can assert with absolute confidence for any system that it cannot be exploited. (Except
> maybe if it's formally proven, but even then it would only affect that one component, not lower levels like
> the kernel it's running on and so on…)
>
> The question in itself does not make much sense honestly, as it would imply knowing about exploits in Icecast,
> but if we knew of any, of course we would have fixed them already.
>
> Note that older versions of Icecast sometimes did have security-relevant issues with
> varying degrees of severity. Just like with any software. You can find a list here:
>
> https://www.cvedetails.com/vulnerability-list/vendor_id-693/Icecast.html
>
>> --
>> Jack Elliott
>> Director of Classical Music Programming
>> High Desert Community Radio
>> KPOV Bend, Oregon
>>
>> On 11/23/23 9:45 PM, Philipp Schafft wrote:
>>> Good afternoon,
>>>
>>> On Thu, 2023-11-23 at 10:27 -0600, Jack Elliott wrote:
>>>> [...]
>>>> But I ask if there is any history of someone with the source password
>>>> hacking into the server computer to do Bad Things?
>>> There is no way to "hack into the server computer" using the source
>>> password with only Icecast.
>>>
>>> What you can do using the source password is to... connect a source.
>>> Generally if you cannot trust your sources avoid using the global
>>> source password. Give everyone a personal username and password and
>>> only allow that on the given mount point when they are allowed to
>>> stream to it.
>>>
>>> At the very least you should invalidate any credentials you gave someone
>>> when that person leaves your team. ;)
>>>
>>>
>>> With best regards,
>>>
>> _______________________________________________
>> Icecast mailing list
>> Icecast at xiph.org
>> http://lists.xiph.org/mailman/listinfo/icecast
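
Added example, not part of any message in this thread and not Icecast project code: a small audit of an icecast.xml for the advice quoted above (personal username and password per mount point instead of the global source password). The sample config, mount names, usernames, passwords and the function name are constructed; it assumes Icecast 2.4-style `<mount>` sections with `<username>`/`<password>` and that a mount without its own password falls back to the global `<source-password>`.

```python
import xml.etree.ElementTree as ET

# Constructed sample icecast.xml fragment (mounts, users and passwords are placeholders).
SAMPLE_CONFIG = """\
<icecast>
  <authentication>
    <source-password>shared-placeholder</source-password>
  </authentication>
  <mount>
    <mount-name>/classical.ogg</mount-name>
    <username>dj-anna</username>
    <password>anna-placeholder</password>
  </mount>
  <mount>
    <mount-name>/jazz.ogg</mount-name>
    <username>dj-ben</username>
    <password>shared-placeholder</password>
  </mount>
  <mount>
    <mount-name>/talk.ogg</mount-name>
  </mount>
</icecast>
"""

def audit_source_credentials(config_xml):
    """Return (mount, finding) pairs for mounts without personal source credentials."""
    root = ET.fromstring(config_xml)
    global_pw = (root.findtext("authentication/source-password") or "").strip()
    findings, seen = [], {}  # seen maps password -> first mount using it
    for mount in root.findall("mount"):
        name = (mount.findtext("mount-name") or "").strip()
        user = (mount.findtext("username") or "").strip()
        pw = (mount.findtext("password") or "").strip()
        if not pw:
            findings.append((name, "no per-mount password; global source password applies"))
            continue
        if pw == global_pw:
            findings.append((name, "per-mount password equals the global source password"))
        if not user:
            findings.append((name, "no per-mount username; default 'source' applies"))
        if pw in seen:
            findings.append((name, "password shared with " + seen[pw]))
        seen.setdefault(pw, name)
    return findings

if __name__ == "__main__":
    for mount_name, finding in audit_source_credentials(SAMPLE_CONFIG):
        print(mount_name + ": " + finding)
```

Mounts that produce no finding have their own credential, so revoking one person's access means changing one mount entry rather than the password everyone shares.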