OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: gollum (gollumevilemail.com)
Date: Tue Jun 26 2001 - 10:14:04 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hello!
    ------
    Attached is our latest advisory.

    GoLLuM.no, Digit-Labs.

    _________________________________________________________
    Get your own FREE evilemail.com Email account at...
    http://www.evilemail.com

    EvilEmail.com - Free email for the living and the dead.
    _________________________________________________________

    ('binary' encoding is not supported, stored as-is) ** Digit-Labs Security Advisory (http://www.digit-labs.org/) **

    Advisory Name: Security-issues with Icecast Version 1.3.7
    Release Date:
    Application: Tested on Icecast Version 1.3.7
    Platform: Windows 2000 Prof
    Severity: Medium
    Author(s): GoLLuM.no [mailto:gollumdigit-labs.org]
    Vendor Status: Unknown

    Executive Summary:
    Icecast is an audio-streaming server for Unix and Windows(C)(TM). Only the Window version has been tested. Icecast allows for remote administration and client access by a web-interface. Icecast is used mainly by radio-stations to broadcast audio on the internet. Icecast does not need a presence of any particular web-server, it handles all http-requests by itself.

    I have discovered the following:
            - remote DoS attack,
            - folder traversal exploit.

    Detailed Description:

    * Remote DoS attack *
    If the server has enabled the http-server file streaming support, a malicious client can perform a DoS remeotly. Http-server file streaming support is not enabled by default, but is enabled by altering variable "staticdir" in the configuration-file "icecast.conf". The DoS causes an "Application Error" in Windows, thus crashing the Icecast-server completely. The DoS is caused by adding an extra "/" or "\" behind the requested mp3-file.

    * Folder traversal exploit *
    Mp3-files residing outside the Web catalog can be accessed by replacing ascii-values for each ".", thus using "/%25%25/" instead of "/../" will walk one folder downward.

    Proof-of-consept:

    * Remote DoS attack *
    Complete the following steps to recreate the DoS
            1. Start your Icecast-server
            2. Place a mp3-file named "test.mp3" in the directory you specified in the variable "staticdir"
            3. Open a web-browser and type "http://www.someserver.zom:8000/file/test.mp3/"
     
    * Folder traversal exploit *
    Place a mp3-file named "test1.mp3" in the directory below the one you specified in the variable "staticdir".
    Then write the following in your browser:
            http://localhost:8000/file/../test1.mp3 - Will fail in getting the file
            http://localhost:8000/file/%2E%2E/test1.mp3 - Will succeed in getting the file

    Links:
            -http://www.icecast.org/