Hey all,
did you happen to see this recent post to bugtraq? If so, I apologize.
I haven't been keeping up with the archives since everything has been
running so smoothly. ;)
--Stauf

-------- Original Message --------
Subject: IceCast up to v2.20 multiple vulnerabilities
Date: 18 Mar 2005 22:31:14 -0000
From: Patrick <patrickthomassen@gmail.com>
To: bugtraq@securityfocus.com

These are tested on IceCast v2.20. This software can be freely obtained
from http://www.icecast.org.

"Icecast is a streaming media server which currently supports Ogg Vorbis
and MP3 audio streams. It can be used to create an Internet radio station
or a privately running jukebox and many things in between. It is very
versatile in that new formats can be added relatively easily and supports
open standards for communication and interaction."

1) The XSL parser has some unchecked buffers (local), but they don't seem
to be exploitable. If they are, they can be used for privilege
escalation, under the user that the server runs.

<xsl:when test="<lots of chars>"></xsl:when>
<xsl:if test="<lots of chars>"></xsl:if>
<xsl:value-of select="<lots of chars>" />

2) Cause XSL parser error "Could not parse XSLT file". (Not very useful).

GET /status.xsl> HTTP/1.0
GET /status.xsl< HTTP/1.0
GET /<status.xsl HTTP/1.0

3) XSL parser bypass. (Useful to steal customized XSL files, lol).

GET /auth.xsl. HTTP/1.0
GET /status.xsl. HTTP/1.0

--
| " Yesterday upon the stair I met a man who wasn't there.
| He wasn't there again today. I wish that man would go away."
| <[Hughes Mearns]>
| Latest Public Key: http://www.freshcheese.net/~stauf/stauf.gpg
-----------
Michael Smith
2005-Mar-19  01:10 UTC
[Icecast] [Fwd: IceCast up to v2.20 multiple vulnerabilities]
On Sat, 19 Mar 2005 01:24:59 -0700, Stauf <stauf@freshcheese.net> wrote:
> Hey all,
> did you happen to see this recent post to bugtraq? If so, I apologize.
> I haven't been keeping up with the archives since everything has been
> running so smoothly. ;)
> --Stauf

Nope, hadn't seen these. I guess this person didn't think contacting the
icecast developers in any way was a good idea. Which isn't very helpful.
Thanks for forwarding.

> 1) The XSL parser has some unchecked buffers (local), but they don't seem
> to be exploitable. If they are, they can be used for privilege
> escalation, under the user that the server runs.
>
> <xsl:when test="<lots of chars>"></xsl:when>
> <xsl:if test="<lots of chars>"></xsl:if>
> <xsl:value-of select="<lots of chars>" />

Not sure what this is about, really. If whatever it is is exploitable, it
sounds like it requires a custom xsl file. Since the xsl files are in the
filesystem, and presumably only editable by the icecast user anyway, I
don't see that you could do anything with it.

> 2) Cause XSL parser error "Could not parse XSLT file". (Not very useful).
>
> GET /status.xsl> HTTP/1.0
> GET /status.xsl< HTTP/1.0
> GET /<status.xsl HTTP/1.0

The third of these is definitely not a bug. The first two shouldn't be
being picked up as being xsl requests to begin with (because the url
doesn't end with ".xsl"), so there's probably a bug somewhere. Possibly
the same bug as the next item...

> 3) XSL parser bypass. (Useful to steal customized XSL files, lol).
>
> GET /auth.xsl. HTTP/1.0
> GET /status.xsl. HTTP/1.0

Unlikely to disclose any sensitive information in practice, but clearly a
(minor) security bug that needs fixing. This _should_ just be falling
through to generic fileserving, and failing to find a file called
"auth.xsl.", and so giving a 404.

Mike
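The dispatch described in the reply above (only a URL whose last four bytes are ".xsl" is an XSL request; anything else falls through to generic file serving and gets a 404 when no file of exactly that name exists), as an added example that is not part of the thread and is not Icecast's code. The names `route`, `ends_with_xsl` and `in_webroot`, the webroot listing, and the 404 returned for a missing stylesheet are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed webroot listing for illustration; not Icecast's real file set. */
static const char *const WEBROOT[] = { "/status.xsl", "/auth.xsl", "/style.css" };

enum handler { H_XSLT, H_FILE };
struct result { enum handler handler; int status; };

/* True only when the URI's final four bytes are exactly ".xsl". */
static int ends_with_xsl(const char *uri)
{
    size_t n = strlen(uri);
    return n >= 4 && strcmp(uri + n - 4, ".xsl") == 0;
}

/* Exact byte-for-byte lookup: no trimming of trailing dots or other characters. */
static int in_webroot(const char *uri)
{
    for (size_t i = 0; i < sizeof WEBROOT / sizeof WEBROOT[0]; i++)
        if (strcmp(WEBROOT[i], uri) == 0)
            return 1;
    return 0;
}

/* Hypothetical dispatcher: handler chosen by suffix, status by exact lookup.
 * A missing stylesheet is reported as 404 here (a choice made for this sketch). */
struct result route(const char *uri)
{
    struct result r;
    r.handler = ends_with_xsl(uri) ? H_XSLT : H_FILE;
    r.status = in_webroot(uri) ? 200 : 404;
    return r;
}

int main(void)
{
    /* Request paths from the quoted advisory, plus one normal request. */
    const char *const reqs[] = { "/status.xsl", "/status.xsl>", "/status.xsl<",
                                 "/<status.xsl", "/auth.xsl.", "/status.xsl." };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        struct result r = route(reqs[i]);
        printf("%-14s -> %s handler, %d\n", reqs[i],
               r.handler == H_XSLT ? "xslt" : "file", r.status);
    }
    return 0;
}
```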
Michael Smith
2005-Mar-20  17:24 UTC
[Icecast] [Fwd: IceCast up to v2.20 multiple vulnerabilities]
> 1) The XSL parser has some unchecked buffers (local), but they don't seem
> to be exploitable. If they are, they can be used for privilege
> escalation, under the user that the server runs.
>
> <xsl:when test="<lots of chars>"></xsl:when>
> <xsl:if test="<lots of chars>"></xsl:if>
> <xsl:value-of select="<lots of chars>" />
>
> 2) Cause XSL parser error "Could not parse XSLT file". (Not very useful).
>
> GET /status.xsl> HTTP/1.0
> GET /status.xsl< HTTP/1.0
> GET /<status.xsl HTTP/1.0
>
> 3) XSL parser bypass. (Useful to steal customized XSL files, lol).
>
> GET /auth.xsl. HTTP/1.0
> GET /status.xsl. HTTP/1.0

For what it's worth, 2) and 3) aren't reproducible with the current
version (from svn). To my knowledge, there have been no relevant
changes here since 2.2, I'd be very surprised if they were
reproducible with 2.2 (or earlier?), but I don't really have the time
to test. I still don't know what 1) is about, so I'm not sure if that
matters.

Mike
Michael Smith wrote:
>>1) The XSL parser has some unchecked buffers (local), but they don't seem
>>to be exploitable. If they are, they can be used for privilege
>>escalation, under the user that the server runs.
>>
>><xsl:when test="<lots of chars>"></xsl:when>
>><xsl:if test="<lots of chars>"></xsl:if>
>><xsl:value-of select="<lots of chars>" />
>>
>>2) Cause XSL parser error "Could not parse XSLT file". (Not very useful).
>>
>>GET /status.xsl> HTTP/1.0
>>GET /status.xsl< HTTP/1.0
>>GET /<status.xsl HTTP/1.0
>>
>>3) XSL parser bypass. (Useful to steal customized XSL files, lol).
>>
>>GET /auth.xsl. HTTP/1.0
>>GET /status.xsl. HTTP/1.0
>
> For what it's worth, 2) and 3) aren't reproducible with the current
> version (from svn). To my knowledge, there have been no relevant
> changes here since 2.2, I'd be very surprised if they were
> reproducible with 2.2 (or earlier?), but I don't really have the time
> to test. I still don't know what 1) is about, so I'm not sure if that
> matters.
>
> Mike

Well, to be perfectly blunt, when I read this "security" post on bugtraq,
I didn't know if I should laugh or cry. I had an inkling no one has been
contacted on the list, and frankly it looks like someone is trying to get
their name on bugtraq with another uselessly vague "OMG LOL zer0 day1@#$"
worded mail. If the poster had even included some poc code, or some
suggestions about why he perceived things to be exploits I would take it
seriously. Here, since I see nothing of the sort, I'm shrugging this one
off.

Thanks for the great job guys, keep it up.

--
| " Yesterday upon the stair I met a man who wasn't there.
| He wasn't there again today. I wish that man would go away."
| <[Hughes Mearns]>
| Latest Public Key: http://www.freshcheese.net/~stauf/stauf.gpg
-----------