[21202] in bugtraq
Advisory
daemon@ATHENA.MIT.EDU (gollum)
Tue Jun 26 17:01:22 2001
Date: Tue, 26 Jun 2001 11:14:04 -0400
Message-Id: <200106261114.AA3374448962@evilemail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed;boundary="==IMail_v5.0=="
From: "gollum" <gollum@evilemail.com>
Reply-To: <gollum@evilemail.com>
To: <BUGTRAQ@securityfocus.com>, <gov-boi@hack.co.za>, <expert@securiteam.com>
--==IMail_v5.0==
Content-Type: text/plain; charset=us-ascii
Hello!
------
Attached is our latest advisory.
GoLLuM.no, Digit-Labs.
_________________________________________________________
Get your own FREE evilemail.com Email account at...
http://www.evilemail.com
EvilEmail.com - Free email for the living and the dead.
_________________________________________________________
--==IMail_v5.0==
Content-Type: text/plain; name="Security-issues with Icecast Version 1.3.7.txt"
Content-Transfer-Encoding: binary
** Digit-Labs Security Advisory (http://www.digit-labs.org/) **
Advisory Name: Security-issues with Icecast Version 1.3.7
Release Date:
Application: Tested on Icecast Version 1.3.7
Platform: Windows 2000 Prof
Severity: Medium
Author(s): GoLLuM.no [mailto:gollum@digit-labs.org]
Vendor Status: Unknown
Executive Summary:
Icecast is an audio-streaming server for Unix and Windows(C)(TM). Only the Window version has been tested. Icecast allows for remote administration and client access by a web-interface. Icecast is used mainly by radio-stations to broadcast audio on the internet. Icecast does not need a presence of any particular web-server, it handles all http-requests by itself.
I have discovered the following:
- remote DoS attack,
- folder traversal exploit.
Detailed Description:
* Remote DoS attack *
If the server has enabled the http-server file streaming support, a malicious client can perform a DoS remeotly. Http-server file streaming support is not enabled by default, but is enabled by altering variable "staticdir" in the configuration-file "icecast.conf". The DoS causes an "Application Error" in Windows, thus crashing the Icecast-server completely. The DoS is caused by adding an extra "/" or "\" behind the requested mp3-file.
* Folder traversal exploit *
Mp3-files residing outside the Web catalog can be accessed by replacing ascii-values for each ".", thus using "/%25%25/" instead of "/../" will walk one folder downward.
Proof-of-consept:
* Remote DoS attack *
Complete the following steps to recreate the DoS
1. Start your Icecast-server
2. Place a mp3-file named "test.mp3" in the directory you specified in the variable "staticdir"
3. Open a web-browser and type "http://www.someserver.zom:8000/file/test.mp3/"
* Folder traversal exploit *
Place a mp3-file named "test1.mp3" in the directory below the one you specified in the variable "staticdir".
Then write the following in your browser:
http://localhost:8000/file/../test1.mp3 - Will fail in getting the file
http://localhost:8000/file/%2E%2E/test1.mp3 - Will succeed in getting the file
Links:
-http://www.icecast.org/
--==IMail_v5.0==--
