Icecast - Aug 2004 - [dizznutt@my.security.nl: icecast 1.3.11 remote shell/root exploit - #temp]

Contrary to the report, this only affect 1.3.x version of icecast, not
_all_ versions.

But this is a serious problem and I do hope you all took my advice last
time and aren't running icecast as root.

I'll try to have a patch today.

jack.

----- Forwarded message from dizznutt@my.security.nl -----

Date: Tue, 2 Apr 2002 07:51:55 +0000 (GMT+00:00)
From: dizznutt@my.security.nl
To: bugtraq@securityfocus.com
Cc: team@icecast.org
Subject: icecast 1.3.11 remote shell/root exploit - #temp
X-Spam-Status: No, hits=0.6 required=10.0 tests=NO_REAL_NAME version=2.11

Ola,

I'm feeling rather homicidal today so I'm killing a bug. I hope it has a
nice funeral. It has been a good friend to all of us. May it rest in peace.

There is a remotely exploitable buffer overflow in all versions of the Icecast 
mp3 streaming server (www.icecast.org). All means that yes, the current 
version (1.3.11) is vulnerable. Apparently alot of people can't be bothered 
to set the perms on the icecast log dirs right and just run it as root. 
Hence the designation remote shell/root. If not running with uid 0 it will 
yield a shell with the uid/gid of the icecast user.

The vendor has been notified via a cc of this mail. Fixing is easy so I 
expect they will release patches shortly. 

See the attached exploit (icx.c) for further details.

diz -- #temp

eww..so that's what full disclosure feels like...

<p>----- End forwarded message -----

--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to
'icecast-request@xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is
needed.
Unsubscribe messages sent to the list will be ignored/filtered.

> I know how to get the passwords from a typical install of icecast.  anyone
have any ideas on what I should do with this info?
> Should I just post it here in the public?  I think the worst that will
happen is someone can highack a server and cut off the
> current stream and fed a new stream.
Why don't you send it to me first :)

That way I can begin work on a fix regardless of when you publish the
info.

jack.

--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to
'icecast-request@xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is
needed.
Unsubscribe messages sent to the list will be ignored/filtered.

I know how to get the passwords from a typical install of icecast.  anyone have
any ideas on what I should do with this info?
Should I just post it here in the public?  I think the worst that will happen is
someone can highack a server and cut off the
current stream and fed a new stream.

Carl

<p>--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to
'icecast-request@xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is
needed.
Unsubscribe messages sent to the list will be ignored/filtered.