On 24 Nov 2023, at 15:37, Jack Elliott wrote:
> Thank you, Philipp. It was things like buffer overflow attacks once
> connected as a source that I was concerned about. It's reassuring to hear
> that Icecast server is not exploitable. The Best Practices you suggested are
> good ones, I'll discuss them with station management.
>
I don't think you can assert with absolute confidence for any system that it
cannot be exploited. (Except maybe if it's formally proven, but even then it
would only affect that one component, not lower levels like the kernel it's
running on and so on...)

The question in itself does not make much sense honestly, as it would imply
knowing about exploits in Icecast, but if we knew of any, of course we would
have fixed them already.

Note that older versions of Icecast sometimes did have security-relevant issues
with varying degrees of severity. Just like with any software. You can find a
list here:
https://www.cvedetails.com/vulnerability-list/vendor_id-693/Icecast.html
> --
> Jack Elliott
> Director of Classical Music Programming
> High Desert Community Radio
> KPOV Bend, Oregon
>
> On 11/23/23 9:45 PM, Philipp Schafft wrote:
>> Good afternoon,
>>
>> On Thu, 2023-11-23 at 10:27 -0600, Jack Elliott wrote:
>>> [...]
>>> But I ask if there is any history of someone with the source password
>>> hacking into the server computer to do Bad Things?
>> There is no way to "hack into the server computer" using the source
>> password with only Icecast.
>>
>> What you can do using the source password is to... connect a source.
>> Generally if you cannot trust your sources avoid using the global
>> source password. Give everyone a personal username and password and
>> only allow that on the given mount point when they are allowed to
>> stream to it.
>>
>> At the very least you should invalidate any credentials you gave someone
>> when that person leaves your team. ;)
>>
>>
>> With best regards,
>>
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast