Icecast - Aug 2004 - (Fwd) [SA11578] Icecast Basic Authorization Denial of Service

For those who haven't yet received this warning yet.

Anybody from the core can tell about the background and possible 
fixes?

<p>Regards,
 Stefan

------- Forwarded message follows -------
Date sent:      	Wed, 12 May 2004 13:50:17 +0200
To:             	secunia_security_advisories@stefan-neufeind.de
Subject:        	[SA11578] Icecast Basic Authorization Denial of Service
Vulnerability
From:           	Secunia Security Advisories <sec-adv@secunia.com>

<p>TITLE:
Icecast Basic Authorization Denial of Service Vulnerability

SECUNIA ADVISORY ID:
SA11578

VERIFY ADVISORY:
http://secunia.com/advisories/11578/

CRITICAL:
Moderately critical

IMPACT:
DoS

WHERE:
>From remote
SOFTWARE:
Icecast 2.x

DESCRIPTION:
ned has discovered a vulnerability in Icecast, which can be exploited
by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an out-of-bounds read error within
the web interface when handling Basic Authorization requests. This
can be exploited to crash the application by passing a specially
crafted, overly long string (about 3000 bytes) in a "Authorization:"
header.

The vulnerability has been confirmed in version 2.0.0 for Windows.
Other versions may also be affected.

SOLUTION:
Filter access to the service (default port 8000/TCP) in a firewall or
proxy server.

PROVIDED AND/OR DISCOVERED BY:
ned

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

<p>Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
secunia_security_advisories@stefan-neufeind.de">http://secunia.com/sec_adv_unsubscribe/?email=secunia_security_advisories@stefan-neufeind.de</a>

----------------------------------------------------------------------
------- End of forwarded message -------
--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to
'icecast-request@xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is
needed.
Unsubscribe messages sent to the list will be ignored/filtered.

This issue was identified about a month ago and a fix (by Mike) is 
currently in SVN...it would probably make sense to do a patch release, or 
even better, expedite the 2.1 release.

oddsock
At 09:35 AM 5/12/2004, you wrote:
> > Anybody from the core can tell about the background and possible
> > fixes?
>
> > TITLE:
> > Icecast Basic Authorization Denial of Service Vulnerability
>
>I'm all for full and immediate disclosure, but I feel like these people
>should at least send us a Cc: on these announcements.  Isn't the point
>to get us to fix them? :)
>
>In any case, this is probably an easy fix.
>
>jack.
>--- >8 ----
>List archives:  http://www.xiph.org/archives/
>icecast project homepage: http://www.icecast.org/
>To unsubscribe from this list, send a message to
'icecast-request@xiph.org'
>containing only the word 'unsubscribe' in the body.  No subject is
needed.
>Unsubscribe messages sent to the list will be ignored/filtered.
<p>--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to
'icecast-request@xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is
needed.
Unsubscribe messages sent to the list will be ignored/filtered.

On Thursday 13 May 2004 00:35, Jack Moffitt wrote:
> > Anybody from the core can tell about the background and possible
> > fixes?
> >
> > TITLE:
> > Icecast Basic Authorization Denial of Service Vulnerability
>
> I'm all for full and immediate disclosure, but I feel like these people
> should at least send us a Cc: on these announcements.  Isn't the point
> to get us to fix them? :)
>
> In any case, this is probably an easy fix.
>
> jack.
They did give us some up-front notice, and I fixed the bug (it's
'only' a
difficult-to-trigger DoS - I couldn't trigger it with the directions given),
nobody could use it to break into a system. 

I meant to do the whole release thing as a result, but I've been tied up
with
trying to find a new place to live. Sorry.

Mike

--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to
'icecast-request@xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is
needed.
Unsubscribe messages sent to the list will be ignored/filtered.

> Anybody from the core can tell about the background and possible 
> fixes?
> TITLE:
> Icecast Basic Authorization Denial of Service Vulnerability
I'm all for full and immediate disclosure, but I feel like these people
should at least send us a Cc: on these announcements.  Isn't the point
to get us to fix them? :)

In any case, this is probably an easy fix.

jack.
--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to
'icecast-request@xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is
needed.
Unsubscribe messages sent to the list will be ignored/filtered.