Stefan Neufeind
2004-Aug-06 14:23 UTC
[icecast] (Fwd) [SA11578] Icecast Basic Authorization Denial of Service
For those who haven't received this warning yet: can anybody from the core tell about the background and possible fixes?

Regards,
 Stefan

------- Forwarded message follows -------
Date sent:      Wed, 12 May 2004 13:50:17 +0200
To:             secunia_security_advisories@stefan-neufeind.de
Subject:        [SA11578] Icecast Basic Authorization Denial of Service Vulnerability
From:           Secunia Security Advisories <sec-adv@secunia.com>

TITLE:
Icecast Basic Authorization Denial of Service Vulnerability

SECUNIA ADVISORY ID:
SA11578

VERIFY ADVISORY:
http://secunia.com/advisories/11578/

CRITICAL:
Moderately critical

IMPACT:
DoS

WHERE:
From remote

SOFTWARE:
Icecast 2.x

DESCRIPTION:
ned has discovered a vulnerability in Icecast, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an out-of-bounds read error within the web interface when handling Basic Authorization requests. This can be exploited to crash the application by passing a specially crafted, overly long string (about 3000 bytes) in an "Authorization:" header.

The vulnerability has been confirmed in version 2.0.0 for Windows. Other versions may also be affected.

SOLUTION:
Filter access to the service (default port 8000/TCP) in a firewall or proxy server.

PROVIDED AND/OR DISCOVERED BY:
ned

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=secunia_security_advisories@stefan-neufeind.de

----------------------------------------------------------------------
------- End of forwarded message -------

--- >8 ----
List archives: http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to 'icecast-request@xiph.org'
containing only the word 'unsubscribe' in the body. No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.
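The advisory attributes the crash to an out-of-bounds read while handling an over-long Basic Authorization value. The defensive pattern for that class of bug is to bound the header length before decoding and to check the output buffer before every write; the C below is an added example of that pattern, not Icecast's code and not the fix Mike committed to SVN, and the MAX_AUTH_LEN limit, buffer sizes and function names are assumptions chosen for illustration.

```c
#include <string.h>

#define MAX_AUTH_LEN 512   /* assumed cap on the header value; longer is refused */

/* Decode base64 into out (capacity outlen). Returns decoded length, or -1
 * if the input is malformed or would not fit: the output bound is checked
 * before every byte is written, so the caller's buffer is never overrun. */
static int b64_decode(const char *in, size_t inlen,
                      unsigned char *out, size_t outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;   /* bit accumulator; unsigned wrap is harmless here */
    int bits = 0;
    size_t n = 0;
    for (size_t i = 0; i < inlen && in[i] != '='; i++) {   /* '=' ends data */
        const char *p = in[i] ? strchr(tbl, in[i]) : NULL;
        if (!p) return -1;                  /* not a base64 alphabet character */
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen) return -1;     /* would overrun out: refuse */
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* Parse an "Authorization: Basic <token>" value into user and pass, both
 * NUL-terminated. Returns 0 on success, -1 on over-long or malformed input. */
int parse_basic_auth(const char *value, char *user, size_t ulen,
                     char *pass, size_t plen)
{
    unsigned char buf[MAX_AUTH_LEN];
    if (!value || strlen(value) > MAX_AUTH_LEN) return -1;   /* length check first */
    if (strncmp(value, "Basic ", 6) != 0) return -1;
    const char *tok = value + 6;
    int n = b64_decode(tok, strlen(tok), buf, sizeof buf - 1);
    if (n < 0 || memchr(buf, '\0', (size_t)n)) return -1;   /* embedded NUL */
    buf[n] = '\0';
    const char *colon = strchr((const char *)buf, ':');
    if (!colon) return -1;                                   /* must be user:pass */
    size_t ul = (size_t)(colon - (const char *)buf);
    size_t pl = (size_t)n - ul - 1;
    if (ul >= ulen || pl >= plen) return -1;                 /* would not fit */
    memcpy(user, buf, ul); user[ul] = '\0';
    memcpy(pass, colon + 1, pl); pass[pl] = '\0';
    return 0;
}
```

A value longer than MAX_AUTH_LEN is rejected before any decoding, so a multi-kilobyte header of the size the advisory mentions never reaches the buffers.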
oddsock
2004-Aug-06 14:23 UTC
[icecast] (Fwd) [SA11578] Icecast Basic Authorization Denial of Service
This issue was identified about a month ago and a fix (by Mike) is currently in SVN... it would probably make sense to do a patch release, or even better, expedite the 2.1 release.

oddsock

At 09:35 AM 5/12/2004, you wrote:
> > Anybody from the core can tell about the background and possible
> > fixes?
>
> > TITLE:
> > Icecast Basic Authorization Denial of Service Vulnerability
>
> I'm all for full and immediate disclosure, but I feel like these people
> should at least send us a Cc: on these announcements. Isn't the point
> to get us to fix them? :)
>
> In any case, this is probably an easy fix.
>
> jack.
Michael Smith
2004-Aug-06 14:23 UTC
[icecast] (Fwd) [SA11578] Icecast Basic Authorization Denial of Service
On Thursday 13 May 2004 00:35, Jack Moffitt wrote:
> > Anybody from the core can tell about the background and possible
> > fixes?
> >
> > TITLE:
> > Icecast Basic Authorization Denial of Service Vulnerability
>
> I'm all for full and immediate disclosure, but I feel like these people
> should at least send us a Cc: on these announcements. Isn't the point
> to get us to fix them? :)
>
> In any case, this is probably an easy fix.
>
> jack.

They did give us some up-front notice, and I fixed the bug (it's 'only' a difficult-to-trigger DoS - I couldn't trigger it with the directions given); nobody could use it to break into a system. I meant to do the whole release thing as a result, but I've been tied up with trying to find a new place to live. Sorry.

Mike
Jack Moffitt
2004-Aug-06 14:23 UTC
[icecast] (Fwd) [SA11578] Icecast Basic Authorization Denial of Service
> Anybody from the core can tell about the background and possible
> fixes?

> TITLE:
> Icecast Basic Authorization Denial of Service Vulnerability

I'm all for full and immediate disclosure, but I feel like these people should at least send us a Cc: on these announcements. Isn't the point to get us to fix them? :)

In any case, this is probably an easy fix.

jack.