David Kramer
2004-Aug-06 14:23 UTC
[icecast] Funky password mount point error for liveice and icecast - PLZ HL P!
Pete - Thanks for the hack, I've gone in and adjusted the necessary lines (even though my C is REALLY rusty, cut and paste to the rescue), I re-compiled the source, so hopefully things will work once I get home to test. You mentioned that I shouldn't use this for a Public Production server, are there any other security measures I can take to override this exploit? I had planned on running it public, but maybe not anymore. I'm jail root'd and will have the files locked down. Thoughts?

DK

> -----Original Message-----
> From: Pete Flaherty [mailto:pjf@cape.com]
> Sent: Wednesday, February 18, 2004 5:09 PM
> To: icecast@xiph.org
> Subject: RE: [icecast] Funky password mount point error for liveice and icecast - PLZ HL P!
>
> I managed to get liveice working. It has to do with the new icecast2
> security. I've included a 'Hack' to bypass the need for the source to
> use the username. Basically they all have a username (internally to
> Icecast) of 'source'
>
> I really think the new authentication mechanism is a plus, But the rest
> of the world not quite bleeding has its drawbacks too.
>
> I read somewhere that there will be an option to set the username to
> whatever you want ( and hope 'null' is an option for backwards
> compatibility).
>
> I believe this will work, mine did, but I was really busy hacking
> several other things that night I may have missed something...
>
> icecast2 - letme-in hack
> MRU 20040124 V0.3 pjf@cape.com Pete Flaherty
>
> This hack is for the connections.c source file, and will make the
> username 'source'
> Icecast2 requires the use of a username password pair for authentication.
>
> Many sources at this point (eg xmms liveice ) do not supply any type of
> username, and if they do it is not set to 'source'. This hack will force
> the username to 'source' without regard for what the source program is
> telling it.
>
> -- WARNING -- This hack bypasses a small part of the icecast2 security,
> and is not recommended for public production servers. Tightening of
> security to only allow specific IPs to stream to the server is encouraged.
>
> Reference the hacked version is from CVS as of Jan 24 2004, though this
> should be applicable to most icecast2 source code.
>
> You will need to compile source code to make a working icecast server
>
> Bypass hack lines | Original source
> lines
> -------------------- |
> ---------------------
> //if(mountinfo->username) |
> if(mountinfo->username)
> mountinfo->username = "source"; |
> user
> = mountinfo->username
> ;
> user = "source" ; | break;
> break; <
>
> On Wed, 2004-02-18 at 19:45, David Kramer wrote:
> > OH MAN THANK YOU!!! I have been pulling my hair trying to get this $hit to
> > work for weeks now. What other DSPs do you recommend instead of LiveIce?
> > Either that or when do you expect the patch to be released?
> >
> > Thank you so much!!!
> >
> > DK
> >
> > > -----Original Message-----
> > > From: Michael Smith [mailto:msmith@xiph.org]
> > > Sent: Wednesday, February 18, 2004 4:35 PM
> > > To: icecast@xiph.org
> > > Subject: Re: [icecast] Funky password mount point error for liveice and icecast - PLZ HL P!
> > >
> > > On Thursday 19 February 2004 10:51, David Kramer wrote:
> > > > I'm running in a chroot'd environment:
> > > >
> > > > RH 9.0
> > > > lame-3.93.1
> > > > icecast-2.0.0
> > > > LiveIcePatched-1.0.0
> > > > xmms-1.2.7
> > >
> > > Liveice uses an old protocol which isn't supported in icecast2.
> > > I hacked together a patch the other day to make liveice work, someone is
> > > putting that together with the intent to release an update to liveice with
> > > proper support.
> > >
> > > Mike
> > >
> > > --- >8 ----
> > > List archives: http://www.xiph.org/archives/
> > > icecast project homepage: http://www.icecast.org/
> > > To unsubscribe from this list, send a message to 'icecast-request@xiph.org'
> > > containing only the word 'unsubscribe' in the body. No subject is needed.
> > > Unsubscribe messages sent to the list will be ignored/filtered.
>
> --
> -Pete
> pjf@cape.com
> http://vsa.cape.com/~pjf
> http://www.mraudrey.net
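Review bot: commenting out the "if(mountinfo->username)" guard in the bypass column makes both assignments under it unconditional, so a username configured for the mount is discarded and mountinfo->username itself is overwritten with the literal "source". If the intent is only that the expected username be 'source', the single line user = "source"; already does that; dropping the mountinfo->username = "source"; line would leave the mount's configured value intact for anything else that reads it. The change also carries no comment in the source marking it as a local compatibility workaround, which would help whoever next updates this file from CVS. The warning in the same message about limiting which IPs may stream to the server applies to this change as posted.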
Pete Flaherty
2004-Aug-06 14:23 UTC
[icecast] Funky password mount point error for liveice and icecast - PLZ HL P!
Well, it's a kinda standard disclaimer. Truth is I believe this is as secure as Icecast1x. But I didn't write the code, and can't be 100% sure..... and of course needs testing.

Mine has been running for about 2 weeks now, so if nothing else it's stable

-Pete

On Wed, 2004-02-18 at 20:47, David Kramer wrote:
> Pete - Thanks for the hack, I've gone in and adjusted the necessary
> lines (even though my C is REALLY rusty, cut and paste to the rescue), I
> re-compiled the source, so hopefully things will work once I get home to
> test. You mentioned that I shouldn't use this for a Public Production
> server, are there any other security measures I can take to override this
> exploit? I had planned on running it public, but maybe not anymore. I'm
> jail root'd and will have the files locked down. Thoughts?
>
> DK

--
-Pete
pjf@cape.com
http://vsa.cape.com/~pjf
http://www.mraudrey.net