SecurityTracker.com
SecurityTracker Archives

Category:   Application (Multimedia)  >   Icecast
Vendors:   Icecast.org
(Gentoo Issues Fix) icecast Heap Overflow in Processing Basic Authentication Lets Remote Users Crash the Service
SecurityTracker Alert ID:  1010225
SecurityTracker URL:  http://securitytracker.com/id/1010225
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 19 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.0.0
Description:   A heap overflow vulnerability was reported in Icecast 2.0.0. A remote user can crash the Icecast service and may be able to execute arbitrary code on the target system [code execution was not confirmed in the report].

The original reporter ("ned") stated that the flaw lies in the decoding of the Base64-encoded credentials carried in an HTTP Basic Authorization header. A remote user can send an HTTP GET request with a specially crafted Authorization header to trigger the overflow and crash the service. Gentoo's advisory (reproduced below) characterizes the bug as an out-of-bounds read in the web interface's handling of Basic Authorization requests rather than a write, which is consistent with the confirmed impact being a crash.

A demonstration exploit script is provided in the Source Message of the original May 10 2004 alert [it is Base64 encoded]; the GLSA reproduced below does not contain it.

The vendor has confirmed the issue, and Icecast 2.0.1 addresses it (see the Icecast 2.0.1 announcement referenced in the GLSA below).

Impact:   A remote user can cause the target service to crash. A remote user may be able to execute arbitrary code [but that was not confirmed in the report].
Solution:   Gentoo has released a fix and indicates that all users of Icecast should upgrade to the latest stable version:

# emerge sync

# emerge -pv ">=net-misc/icecast-2.0.1"
# emerge ">=net-misc/icecast-2.0.1"

Vendor URL:  www.icecast.org/
Cause:   Boundary error
Underlying OS:  Linux (Gentoo)

Message History:   This archive entry is a follow-up to the message listed below.
May 10 2004 icecast Heap Overflow in Processing Basic Authentication Lets Remote Users Crash the Service



 Source Message Contents

Subject:  [gentoo-announce] [ GLSA 200405-10 ] Icecast denial of service vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200405-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Icecast denial of service vulnerability
      Date: May 19, 2004
      Bugs: #50935
        ID: 200405-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Icecast is vulnerable to a denial of service attack allowing remote
users to crash the application.

Background
==========

Icecast is a program that streams audio data to listeners over the
Internet.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /   Vulnerable   /                   Unaffected
    -------------------------------------------------------------------
  1  net-misc/icecast       <= 2.0.0                          >= 2.0.1

Description
===========

There is an out-of-bounds read error in the web interface of Icecast
when handling Basic Authorization requests. This vulnerability can
theoretically be exploited by sending a specially crafted Authorization
header to the server.

Impact
======

By exploiting this vulnerability, it is possible to crash the Icecast
server remotely, resulting in a denial of service attack.

Workaround
==========

There is no known workaround at this time. All users are advised to
upgrade to the latest available version of Icecast.

Resolution
==========

All users of Icecast should upgrade to the latest stable version:

    # emerge sync

    # emerge -pv ">=net-misc/icecast-2.0.1"
    # emerge ">=net-misc/icecast-2.0.1"

References
==========

  [ 1 ] Icecast 2.0.1 announcement
        http://www.xiph.org/archives/icecast/7144.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

     http://security.gentoo.org/glsa/glsa-200405-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAq53RvcL1obalX08RAqcNAJ4gZ4YdpevFjkRpLI5T2k7X/V7swACdGDOZ
ZJxICcqzvaB5M8+ZvEMoWdQ=
=kl6m
-----END PGP SIGNATURE-----
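
Both the SecurityTracker description above and the GLSA's Description section place the flaw in the handling of the Base64 payload of an HTTP Basic Authorization header. The C program below is an added example, not Icecast's code and not the exploit referenced in the original report: a strict Base64 decoder and a Basic-auth parser that reject up front the malformed payloads (length not a multiple of four, bytes outside the alphabet, misplaced padding, decoded credentials with no ':' or with an embedded NUL) that a decoder trusting the header's length would walk straight through, touching memory past the end of the input. The function names, status codes and the sample headers are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class in this advisory. NOT Icecast's code:
 * function names, status codes and sample headers are constructed here. */
enum { AUTH_OK = 0, AUTH_NOT_BASIC, AUTH_BAD_B64, AUTH_TOO_LONG, AUTH_NO_COLON };

static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                           /* '=' and everything else */
}

/* Strict decoder. A loop that steps through the input four bytes at a time
 * and trusts the caller's length reads past the end of a payload whose
 * length is not a multiple of four; this version rejects such input before
 * decoding, so every index it touches is below len. It also checks the
 * alphabet, where '=' may appear, and the output capacity.
 * Returns 0 on success, -1 on malformed input, -2 if out_cap is too small. */
static int b64_decode_strict(const char *in, size_t len,
                             unsigned char *out, size_t out_cap, size_t *out_len)
{
    if (len == 0 || len % 4 != 0) return -1;
    size_t pad = 0;
    if (in[len - 1] == '=') { pad = 1; if (in[len - 2] == '=') pad = 2; }
    size_t need = (len / 4) * 3 - pad;   /* exact decoded size */
    if (need > out_cap) return -2;

    size_t o = 0;
    for (size_t i = 0; i < len; i += 4) {
        uint32_t v = 0;
        for (size_t k = 0; k < 4; k++) {
            unsigned char c = (unsigned char)in[i + k];
            int d = 0;
            if (c == '=') {
                /* '=' is legal only in the final group, in the pad positions */
                if (i + 4 != len || k < 4 - pad) return -1;
            } else if ((d = b64_value(c)) < 0) {
                return -1;
            }
            v = (v << 6) | (uint32_t)d;
        }
        out[o++] = (unsigned char)(v >> 16);          /* always < need */
        if (o < need) out[o++] = (unsigned char)(v >> 8);
        if (o < need) out[o++] = (unsigned char)v;
    }
    *out_len = o;
    return 0;
}

/* Parse "Basic <base64>" into a NUL-terminated "user:pass" string.
 * The scheme match is exact-case here; RFC 2617 allows any case. */
static int parse_basic_auth(const char *header, char *creds, size_t cap, size_t *creds_len)
{
    static const char scheme[] = "Basic ";
    if (strncmp(header, scheme, sizeof scheme - 1) != 0) return AUTH_NOT_BASIC;
    if (cap == 0) return AUTH_TOO_LONG;
    const char *payload = header + (sizeof scheme - 1);
    size_t n = 0;
    int rc = b64_decode_strict(payload, strlen(payload), (unsigned char *)creds, cap - 1, &n);
    if (rc == -2) return AUTH_TOO_LONG;
    if (rc != 0) return AUTH_BAD_B64;
    if (memchr(creds, '\0', n) != NULL) return AUTH_BAD_B64;   /* embedded NUL */
    creds[n] = '\0';
    if (memchr(creds, ':', n) == NULL) return AUTH_NO_COLON;
    *creds_len = n;
    return AUTH_OK;
}

/* Helpers: status for a header (with an optional small output buffer), and
 * whether a header decodes to exactly `expected`. */
static int auth_status_cap(const char *header, size_t cap)
{
    char creds[64]; size_t n = 0;
    return parse_basic_auth(header, creds, cap < sizeof creds ? cap : sizeof creds, &n);
}
static int auth_status(const char *header) { return auth_status_cap(header, 64); }
static int auth_decodes_to(const char *header, const char *expected)
{
    char creds[64]; size_t n = 0;
    if (parse_basic_auth(header, creds, sizeof creds, &n) != AUTH_OK) return 0;
    return n == strlen(expected) && memcmp(creds, expected, n) == 0;
}

int main(void)
{
    /* Constructed sample headers: two valid, the rest malformed in ways a
     * decoder that trusts the input length would not notice. */
    const char *samples[] = {
        "Basic dXNlcjpwYXNz",   /* user:pass */
        "Basic YTpiY2Q=",       /* a:bcd, one pad byte */
        "Basic dXNlcjpwYXN",    /* 11 chars: not a multiple of 4 */
        "Basic dXNl!jpwYXNz",   /* byte outside the alphabet */
        "Basic YT=i",           /* padding in the wrong position */
        "Basic dXNlcg==",       /* decodes to "user": no ':' */
        "Bearer dXNlcjpwYXNz",  /* wrong scheme */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char creds[64]; size_t n = 0;
        int rc = parse_basic_auth(samples[i], creds, sizeof creds, &n);
        printf("%-22s -> status %d%s%s\n", samples[i], rc,
               rc == AUTH_OK ? " creds=" : "", rc == AUTH_OK ? creds : "");
    }
    return 0;
}
```

The important design choice is that the decoder derives every index from a length it has already validated, and computes the exact decoded size before writing anything; a decoder that computes the output size as `len / 4 * 3` while still looping over `(len + 3) / 4` groups, or that assumes the caller has supplied well-formed input, is exactly the shape that reads or writes outside its buffers on a crafted header.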

 
 


Copyright 2021, SecurityGlobal.net LLC