** Digit-Labs Security Advisory (http://www.digit-labs.org/) **

Advisory Name:  Security issues with Icecast Version 1.3.7
Release Date:
Application:    Tested on Icecast Version 1.3.7
Platform:       Windows 2000 Professional
Severity:       Medium
Author(s):      GoLLuM.no [mailto:gollum@digit-labs.org]
Vendor Status:  Unknown

Executive Summary:

Icecast is an audio-streaming server for Unix and Windows. Only the Windows version has been tested. Icecast allows remote administration and client access through a web interface. It is used mainly by radio stations to broadcast audio on the Internet. Icecast does not need any separate web server; it handles all HTTP requests itself.

I have discovered the following:

- a remote DoS attack,
- a folder traversal exploit.

Detailed Description:

* Remote DoS attack *

If the server has HTTP file-streaming support enabled, a malicious client can perform a DoS remotely. HTTP file-streaming support is not enabled by default; it is enabled by setting the variable "staticdir" in the configuration file "icecast.conf". The DoS causes an "Application Error" in Windows, crashing the Icecast server completely. The DoS is triggered by adding an extra "/" or "\" after the requested mp3 file.

* Folder traversal exploit *

Mp3 files residing outside the web catalog (the "staticdir" tree) can be accessed by replacing each "." in ".." with its percent-encoded ASCII value: requesting "/%2E%2E/" instead of "/../" walks one folder up, into the parent directory. The server evidently checks the raw request path for ".." but decodes the percent-encoding afterwards, so the encoded form passes the check and is then resolved as "..".

Proof-of-concept:

* Remote DoS attack *

Complete the following steps to recreate the DoS:

1. Start your Icecast server.
2. Place an mp3 file named "test.mp3" in the directory you specified in the variable "staticdir".
3. Open a web browser and request: "http://www.someserver.zom:8000/file/test.mp3/"

* Folder traversal exploit *

Place an mp3 file named "test1.mp3" in the parent directory of the one you specified in the variable "staticdir". Then request the following in your browser:

http://localhost:8000/file/../test1.mp3      - Will fail to retrieve the file
http://localhost:8000/file/%2E%2E/test1.mp3  - Will succeed in retrieving the file
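The check-then-decode ordering that the traversal above exploits, shown as an added example in Python (not Icecast's code, which is not on this page): resolve_naive rejects ".." on the raw request path and percent-decodes afterwards, so "/file/%2E%2E/test1.mp3" escapes the static root exactly as described; resolve_safe decodes first, folds "\" to "/" (a separator on Windows), canonicalizes, and verifies the result is still under the root. It also refuses a trailing "/" or "\", the request shape that crashes the server in the DoS above. The static root path, the "/file/" prefix and the file names are assumptions for the demo.

```python
"""Path-traversal via late percent-decoding, and a hardened resolver.

Added example, not Icecast's code. STATICDIR and the request layout are
constructed for the demonstration only.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed static root, standing in for "staticdir" in icecast.conf.
STATICDIR = "/srv/icecast/static"
PREFIX = "/file/"


def resolve_naive(request_path: str) -> Optional[str]:
    """Flawed order: reject '..' on the *raw* path, then percent-decode.

    Returns the filesystem path that would be opened, or None if rejected.
    """
    if not request_path.startswith(PREFIX):
        return None
    rel = request_path[len(PREFIX):]
    # Looks safe, but only sees the undecoded text, so "%2E%2E" passes.
    if ".." in rel.split("/"):
        return None
    rel = unquote(rel)          # "%2E%2E" becomes ".." here, after the check
    return STATICDIR + "/" + rel


def resolve_safe(request_path: str) -> Optional[str]:
    """Decode first, canonicalize, then check containment under STATICDIR."""
    if not request_path.startswith(PREFIX):
        return None
    rel = unquote(request_path[len(PREFIX):])
    # On Windows "\" is a separator too; treat it like "/" before normalizing.
    rel = rel.replace("\\", "/")
    if rel == "" or rel.endswith("/"):
        # A trailing separator names a directory, never an mp3 file; refuse it
        # instead of handing the file-open code something unexpected.
        return None
    full = posixpath.normpath(posixpath.join(STATICDIR, rel))
    # Containment check on the canonical path: any "..", encoded or not,
    # has already been folded in by normpath at this point.
    if not full.startswith(STATICDIR + "/"):
        return None
    # Note: a double-encoded "%252E%252E" decodes once to the literal "%2E%2E"
    # and is looked up as a file of that name inside STATICDIR, which is fine.
    return full


def demo() -> dict:
    """Side-by-side results for the advisory's two requests plus edge cases."""
    cases = [
        "/file/test.mp3",
        "/file/../test1.mp3",
        "/file/%2E%2E/test1.mp3",
        "/file/%2E%2E%5Ctest1.mp3",   # "..\test1.mp3", backslash form
        "/file/test.mp3/",            # trailing slash from the DoS section
    ]
    return {c: (resolve_naive(c), resolve_safe(c)) for c in cases}


if __name__ == "__main__":
    for path, (naive, safe) in demo().items():
        print(f"{path:32} naive={naive!r:45} safe={safe!r}")
```

Running the block prints one line per request; the only request the naive resolver lets out of the root is the percent-encoded one, which is the whole bug. The safe resolver's rule of thumb generalizes beyond this server: decode every layer you intend to honor, canonicalize, and only then compare against the root.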