Advisory

From: gollum (gollumat_private)
Date: Tue Jun 26 2001 - 08:14:04 PDT

Next message: Support Info: "Security Update: [CSSA-2001-022.1] buffer overflow in fetchmail"

Previous message: Pavol Luptak: "Re: smbd remote file creation vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello!
------
Attached is our latest advisory.

GoLLuM.no, Digit-Labs.







_________________________________________________________
Get your own FREE evilemail.com Email account at...
http://www.evilemail.com

EvilEmail.com - Free email for the living and the dead.
_________________________________________________________

('binary' encoding is not supported, stored as-is) ** Digit-Labs Security Advisory (http://www.digit-labs.org/) ** Advisory Name: Security-issues with Icecast Version 1.3.7 Release Date: Application: Tested on Icecast Version 1.3.7 Platform: Windows 2000 Prof Severity: Medium Author(s): GoLLuM.no [mailto:gollum@digit-labs.org] Vendor Status: Unknown Executive Summary: Icecast is an audio-streaming server for Unix and Windows(C)(TM). Only the Window version has been tested. Icecast allows for remote administration and client access by a web-interface. Icecast is used mainly by radio-stations to broadcast audio on the internet. Icecast does not need a presence of any particular web-server, it handles all http-requests by itself. I have discovered the following: - remote DoS attack, - folder traversal exploit. Detailed Description: * Remote DoS attack * If the server has enabled the http-server file streaming support, a malicious client can perform a DoS remeotly. Http-server file streaming support is not enabled by default, but is enabled by altering variable "staticdir" in the configuration-file "icecast.conf". The DoS causes an "Application Error" in Windows, thus crashing the Icecast-server completely. The DoS is caused by adding an extra "/" or "\" behind the requested mp3-file. * Folder traversal exploit * Mp3-files residing outside the Web catalog can be accessed by replacing ascii-values for each ".", thus using "/%25%25/" instead of "/../" will walk one folder downward. Proof-of-consept: * Remote DoS attack * Complete the following steps to recreate the DoS 1. Start your Icecast-server 2. Place a mp3-file named "test.mp3" in the directory you specified in the variable "staticdir" 3. Open a web-browser and type "http://www.someserver.zom:8000/file/test.mp3/" * Folder traversal exploit * Place a mp3-file named "test1.mp3" in the directory below the one you specified in the variable "staticdir". Then write the following in your browser: http://localhost:8000/file/../test1.mp3 - Will fail in getting the file http://localhost:8000/file/%2E%2E/test1.mp3 - Will succeed in getting the file Links: -http://www.icecast.org/

Next message: Support Info: "Security Update: [CSSA-2001-022.1] buffer overflow in fetchmail"
Previous message: Pavol Luptak: "Re: smbd remote file creation vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 14:02:25 PDT