SecurityTracker.com
Category: Application (Multimedia) > Icecast
Vendors: Icecast.org
Icecast Audio Broadcasting Server Discloses MP3 Files Located Anywhere on the Installed Drive to Remote Users and Can Be Crashed Remotely
SecurityTracker Alert ID:  1001838
SecurityTracker URL:  http://securitytracker.com/id/1001838
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 26 2001
Impact:   Denial of service via network, Disclosure of user information
Exploit Included:  Yes  
Version(s): 1.3.7 for Windows
Description:   Two vulnerabilities have been reported in the Windows version of Icecast. The vulnerabilities allow remote users to cause the service to crash and allow remote users to obtain MP3 files located outside of the main Web catalog directory.

If the Icecast server has the http-server file streaming support enabled (which is not the default configuration), a remote user can reportedly cause the Icecast application to crash by adding an extra "/" or "\" to the end of the requested MP3 filename. The following format will trigger the vulnerability:

"http://[targethost]:8000/file/test.mp3/"

A remote user can also retrieve MP3 files that reside outside of the Web catalog directory by using encoded characters in the MP3 request. A remote user can replace ascii-values for each ".", thus using "/%25%25/" instead of "/../" will walk up the directory tree. The following format will trigger the vulnerability (if test1.mp3 is located in the appropriate directory):

"http://[targethost]:8000/file/%2E%2E/test1.mp3"

Impact:   A remote user can cause the Icecast server application to crash and can retrieve MP3 files from the drive the server is installed on.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.icecast.org/
Cause:   Access control error, Exception handling error, Input validation error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix) Icecast Audio Broadcasting Server Discloses MP3 Files Located Anywhere on the Installed Drive to Remote Users and Can Be Crashed Remotely   (Wichert Akkerman <wichert@wiggy.net>)
Debian has released a fix.
(Debian Issues Revised Fix) Icecast Audio Broadcasting Server Discloses MP3 Files Located Anywhere on the Installed Drive to Remote Users and Can Be Crashed Remotely   (Wichert Akkerman <wichert@wiggy.net>)
The vendor has released a revised fix (the original Debian fix will not run on Debian GNU/Linux potato machines).



 Source Message Contents

Date:  Tue, 26 Jun 2001 11:14:04 -0400
Subject:  Advisory
Hello!
------
Attached is our latest advisory.

GoLLuM.no, Digit-Labs.
** Digit-Labs Security Advisory (http://www.digit-labs.org/) **


Advisory Name: Security-issues with Icecast Version 1.3.7
Release Date: 
Application: Tested on Icecast Version 1.3.7
Platform: Windows 2000 Prof
Severity: Medium
Author(s): GoLLuM.no [mailto:gollum@digit-labs.org]
Vendor Status: Unknown


Executive Summary:
Icecast is an audio-streaming server for Unix and Windows. Only the Windows version has been tested. Icecast allows for remote administration and client access by a web-interface. Icecast is used mainly by radio-stations to broadcast audio on the internet. Icecast does not need the presence of any particular web-server; it handles all http-requests by itself.

I have discovered the following:
	- remote DoS attack,
	- folder traversal exploit.


Detailed Description:

* Remote DoS attack *
If the server has enabled the http-server file streaming support, a malicious client can perform a DoS remotely. Http-server file streaming support is not enabled by default, but is enabled by altering the variable "staticdir" in the configuration-file "icecast.conf". The DoS causes an "Application Error" in Windows, thus crashing the Icecast-server completely. The DoS is caused by adding an extra "/" or "\" behind the requested mp3-file.

* Folder traversal exploit *
Mp3-files residing outside the Web catalog can be accessed by replacing ascii-values for each ".", thus using "/%25%25/" instead of "/../" will walk one folder downward.


Proof-of-concept:

* Remote DoS attack *
Complete the following steps to recreate the DoS:
	1. Start your Icecast-server.
	2. Place a mp3-file named "test.mp3" in the directory you specified in the variable "staticdir".
	3. Open a web-browser and type "http://www.someserver.zom:8000/file/test.mp3/".
 
* Folder traversal exploit *
Place a mp3-file named "test1.mp3" in the directory below the one you specified in the variable "staticdir".
Then write the following in your browser:
	http://localhost:8000/file/../test1.mp3 - Will fail in getting the file
	http://localhost:8000/file/%2E%2E/test1.mp3 - Will succeed in getting the file
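Both findings above come down to how the "/file/" handler turns a request path into a filesystem path: a check that looks for a literal "../" in the raw, still-encoded request misses "%2E%2E", and a trailing separator is never rejected. The following is an added illustration (not Icecast code, and not from the advisory author) that models the naive pre-decoding check next to a hardened resolver which decodes first, normalises, confines the result to staticdir, and refuses paths that end in a separator. The staticdir value and the "/file/" prefix are constructed for the example, and POSIX-style paths are assumed.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample: the directory an operator set as "staticdir" in icecast.conf.
STATICDIR = "/srv/icecast/static"
FILE_PREFIX = "/file/"  # assumed prefix of the file-streaming endpoint


def naive_reject(request_path: str) -> bool:
    """Models a check run on the raw request before percent-decoding.

    Returns True when the request is refused. A literal "../" is caught,
    but an encoded "%2E%2E/" passes straight through.
    """
    return "../" in request_path or "..\\" in request_path


def resolve_static_file(request_path: str, staticdir: str = STATICDIR):
    """Hardened resolution: decode, normalise, then confine to staticdir.

    Returns the absolute path of the file to serve, or None if the request
    is refused. Decoding happens once and before any traversal check, so
    "%2E%2E" and ".." are treated identically.
    """
    if not request_path.startswith(FILE_PREFIX):
        return None
    rel = unquote(request_path[len(FILE_PREFIX):])
    # Refuse NUL bytes, which can truncate the path in a C string API.
    if "\x00" in rel:
        return None
    # A request names a file; a trailing "/" or "\" is never valid here
    # (this is the shape that crashed the server in the advisory).
    if rel == "" or rel.endswith("/") or rel.endswith("\\"):
        return None
    # Treat backslashes as separators too, as Windows would.
    rel = rel.replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(staticdir, rel))
    # Confine: the normalised path must lie strictly inside staticdir.
    if not resolved.startswith(staticdir.rstrip("/") + "/"):
        return None
    return resolved
```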


Links:
	- http://www.icecast.org/

Copyright 2014, SecurityGlobal.net LLC