Icecast - Aug 2004 - Full analysis of the remotely exploitable icecast 1.3.x bugs

Hello Icecast folks,

Attached is an analysis I slapped together detailing the exact specifics 
of the bug that is exploited with the icecast exploit I disclosed earlier 
this week. Furthermore it details another remotely exploitable bug. I sent 
this to team@icecast.org and to Jack Moffit, but have not received a response 
as of yet. So if people, like I noticed in the icecast@xiph.org list, are 
weary off applying the temporary greater than 8000 bytes string check patch 
to client.c (which makes sure you have a 192 byte buffer left for your server 
hostname and stream port..and would thus catch pretty much all possible 
attacks using said bugs) They can have a look at this analysis and apply 
temporary fixes themselfs. Untill the Icecast dev team sees it fit to release 
official patches. 

Oh and in response to the "I know how to get passwords on a default
install".
Isn't that just doable by going to http://example.icecast.server:8000/admin 
right after a default install?

If this list does not allow attachments you can also find said analysis 
at:

http://online.securityfocus.com/archive/1/265719

Oh and if people want to test their local systems against this bug..you 
can aquire the exploit at:
(it should be noted that this version of the exploit is just meant for linux 
x86 targets. This does not mean this bug is not exploitable on other platforms)

http://www.packetstormsecurity.nl/filedesc/icx.c.html

<p>ltr,
diz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: icecast.txt
Type: application/octet-stream
Size: 4808 bytes
Desc: icecast.txt
Url :
http://lists.xiph.org/pipermail/icecast/attachments/20020406/885b462f/icecast.obj

> > Isn't that just doable by going to
http://example.icecast.server:8000/admin
> > right after a default install?
> 
> Correct.  I tried it on one other server, got the list of sets, reported
it, and have yet to find a 3rd server.  after about the 5th
> attempt, I gave up trying.
I can't reproduce this, but have gotten several reports.  So I'm
confused.

jack.

--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to
'icecast-request@xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is
needed.
Unsubscribe messages sent to the list will be ignored/filtered.

> Oh and in response to the "I know how to get passwords on a default
install".
> Isn't that just doable by going to
http://example.icecast.server:8000/admin
> right after a default install?
Correct.  I tried it on one other server, got the list of sets, reported it, and
have yet to find a 3rd server.  after about the 5th
attempt, I gave up trying.

Carl

<p>--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to
'icecast-request@xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is
needed.
Unsubscribe messages sent to the list will be ignored/filtered.