thr3ads.net - Icecast - [Icecast] Icecast exploits? [Nov 2023]

If this information is useful, please help other people find it:
Share via:

Philipp Schafft

2023-Nov-24 03:45 UTC

[Icecast] Icecast exploits?

Good afternoon,

On Thu, 2023-11-23 at 10:27 -0600, Jack Elliott wrote:> [...]
> But I ask if there is any history of someone with the source password
> hacking into the server computer to do Bad Things?
There is no way to "hack into the server computer" using the source
password with only Icecast.

What you can do using the source password is to... connect a source.
Generally if you cannot trust your sources avoid using the global
source password. Give everyone a personal username and password and
only allow that on the given mount point when they are allowed to
stream to it.

At very least you should invalidate any credentials you gave someone
when that person leaves your team. ;)

With best regards,

-- 
Philipp Schafft (CEO/Gesch?ftsf?hrer)
Telephone:???????????+49.3535 490 17 92
Website:?????????????https://www.loewenfelsen.net/
Follow us:???????????https://www.linkedin.com/company/loewenfelsen/
Gesch?ftsf?hrer/CEO: Philipp Schafft

L?wenfelsen UG (haftungsbeschr?nkt)?????Registration number:
Bickinger Stra?e 21?????????????????????HRB 12308 CB
04916 Herzberg (Elster)?????????????????VATIN/USt-ID:
Germany?????????????????????????????????DE305133015

Jack Elliott

2023-Nov-24 14:37 UTC

head link

[Icecast] Icecast exploits?

Thank you, Philipp. It was things like buffer overflow attacks once 
connected as a source that I was concerned about. It's reassuring to 
hear that Icecast server is not exploitable. The Best Practices you 
suggested are good ones, I'll discuss them with station management.

-- 
Jack Elliott
Director of Classical Music Programming
High Desert Community Radio
KPOV Bend, Oregon

On 11/23/23 9:45 PM, Philipp Schafft wrote:> Good afternoon,
>
> On Thu, 2023-11-23 at 10:27 -0600, Jack Elliott wrote:
>> [...]
>> But I ask if there is any history of someone with the source password
>> hacking into the server computer to do Bad Things?
> There is no way to "hack into the server computer" using the
source
> password with only Icecast.
>
> What you can do using the source password is to... connect a source.
> Generally if you cannot trust your sources avoid using the global
> source password. Give everyone a personal username and password and
> only allow that on the given mount point when they are allowed to
> stream to it.
>
> At very least you should invalidate any credentials you gave someone
> when that person leaves your team. ;)
>
>
> With best regards,
>

Seemingly Similar Threads

Search for more possibly parallel threads

Icecast - Nov 2023 - Icecast exploits?

[Icecast] Icecast exploits?

[Icecast] Icecast exploits?

Seemingly Similar Threads