SecurityTracker.com
Category:   Application (Multimedia)  >   Icecast
Vendors:   Icecast.org
Additional Bugs Found (Re: Icecast Streaming Audio Server Can Execute Arbitrary Code)
SecurityTracker Alert ID:  1001093
SecurityTracker URL:  http://securitytracker.com/id/1001093
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 15 2001
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): All versions prior to Icecast 1.3.9 and Libshout 1.0.4
Description:   Several vulnerabilities have been reported in Icecast, a streaming audio package, in which a remote user can cause Icecast to execute arbitrary code on the Icecast host.

Some additional potential buffer overflow vulnerabilities were identified.

The Icecast team has released version 1.3.10 to fix these newly reported problems.

For clarification, the previous version, Icecast 1.3.9, fixed several buffer overflow vulnerabilities as well as an older format string vulnerability.

Impact:   An attacker can cause arbitrary code to be executed on the Icecast server with the privileges of the Icecast program.
Solution:   Patched versions of these packages are available from the vendor.
Vendor URL:  www.icecast.org
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 15 2001 Icecast Streaming Audio Server Can Execute Arbitrary Code



 Source Message Contents

Subject:  More Icecast remote vulnerabilities


Following the announcement yesterday about buffer overflow
vulnerabilities in Icecast, Andreas Hasenack
<andreas@conectiva.com.br> identified several more likely buffer
overflow vulnerabilities.  Matt Messier <mmessier@prilnari.com> took a
look, and determined that at least some of them are definitely
remotely exploitable.

Like the last round of vulnerabilities, these problems affect all
Icecast users.  The icecast team has released version 1.3.10 to
correct these new problems.  Everyone using icecast should upgrade
immediately.  The dist is available from www.icecast.org.

Also, to clarify, Icecast 1.3.9 not only fixed several buffer overflows
we discovered, but it also (finally) fixed the format string
vulnerabilities that were announced here on bugtraq in January.

Finally, I'd like to encourage qualified people to seriously audit
Icecast (in particular, their forthcoming 2.0 version).  It's a widely
used piece of free software that hasn't had the benefit of that kind
of expert scrutiny yet.  Even though we looked at the code a bit, we
(unfortunately) do not have the time for a full audit.  The
development team is full of great people who are very humble, and
they'd appreciate any help that the community has to offer.

John


 
 

