A vulnerability in Icecast, an open-source streaming media server used by online radio stations to broadcast their content, could be used to knock a station off-air, and could potentially allow remote code execution.
Icecast is maintained by the Xiph.org Foundation, and it supports tens of thousands of MP3 and other audio/video streams every day across the globe, mainly for independent radio stations and personal jukeboxes. The flaw (CVE-2018-18820) lies in Icecast's URL authentication code, which relies on the C library function snprintf to avoid buffer overflows: snprintf takes a size argument that caps the number of characters written to a buffer, and truncates the output if it would be longer.
Ironically, the way Icecast used snprintf offers no protection against buffer overflows; it is what causes one. The code “provides a size argument [character limit] that’s larger than the actual size of the buffer,” according to Nick Rolfe of Semmle Security Research Team, in a technical analysis of the flaw. He added, “What people often don’t realize is that, when it truncates, snprintf does not return the number of bytes it wrote. In fact, it returns the number of bytes it would have written if the output buffer were big enough.”
Because the copying loop advances its write position by snprintf's return value, a header that gets truncated still moves that position forward by its full, untruncated length, past the end of the buffer. A malicious client could therefore send long, specially crafted HTTP headers that overflow the buffer and overwrite the server's stack, which in theory could lead to remote code execution.
Specifically, the vulnerable code “loops over HTTP headers from a user request and copies them into a buffer, building the body of a POST request to send to an authentication server,” Rolfe explained. “This means we can send one long HTTP header that will get truncated, but whose length will allow us to position [the extra bytes] anywhere in the stack we choose. Then, we can send a second HTTP header whose contents will be written to that location.”
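To make the two mistakes Rolfe describes concrete, here is an added example in C, written for this article and not taken from Icecast's source: a dry run of the header-copying loop with the oversized size argument and the return-value arithmetic, beside a hardened loop that tracks remaining space. The buffer size, header names and header contents are constructed for illustration and are not from a real request.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define POST_SIZE 64   /* deliberately small so the arithmetic is easy to follow */

/* Constructed client headers (not a real capture). The first is long enough to be
 * truncated by a 64-byte buffer; the second is the one an attacker would want to
 * land at a chosen offset past the end of the buffer. */
static const char *sample_headers[] = {
    "X-Filler: "
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa",   /* 90 'a's */
    "X-Payload: BBBBBBBB",
};

/* Harmless headers that fit comfortably. */
static const char *short_headers[] = { "Host: example", "X: y" };

typedef struct {
    size_t last_offset;  /* write position when the last header is appended */
    size_t last_bytes;   /* bytes that write covers, including the terminating NUL */
    bool   oob;          /* true if any header's bytes land at or past POST_SIZE */
} write_span;

/* Dry run of the vulnerable pattern. For each header the buggy loop does
 *     n = snprintf(post + offset, sizeof(post), "%s\r\n", hdr);  offset += n;
 * passing the whole buffer size rather than the remaining space, and advancing by
 * snprintf's return value, which is the untruncated length. The same arithmetic is
 * reproduced here with snprintf(NULL, 0, ...) so nothing is written out of bounds. */
write_span simulate_vulnerable(const char **hdrs, size_t n) {
    write_span s = {0, 0, false};
    size_t offset = 0;
    for (size_t i = 0; i < n; i++) {
        int len = snprintf(NULL, 0, "%s\r\n", hdrs[i]);
        if (len < 0) break;
        /* with size POST_SIZE, snprintf writes min(len, POST_SIZE-1) chars plus a NUL */
        size_t chars = (size_t)len < POST_SIZE ? (size_t)len : POST_SIZE - 1;
        s.last_offset = offset;
        s.last_bytes  = chars + 1;
        if (offset + chars + 1 > POST_SIZE)
            s.oob = true;
        offset += (size_t)len;   /* the bug: truncated bytes still advance the pointer */
    }
    return s;
}

/* Hardened form: pass the remaining space as the size argument and treat a
 * truncated write (return value >= remaining) as a fatal error for this request. */
int build_post_safe(char *post, size_t post_size, const char **hdrs, size_t n) {
    size_t offset = 0;
    for (size_t i = 0; i < n; i++) {
        size_t remaining = post_size - offset;   /* never 0: see the check below */
        int len = snprintf(post + offset, remaining, "%s\r\n", hdrs[i]);
        if (len < 0 || (size_t)len >= remaining)
            return -1;                /* does not fit: reject rather than overflow */
        offset += (size_t)len;        /* len < remaining, so offset stays < post_size */
    }
    return (int)offset;               /* bytes of POST body written */
}

/* Run build_post_safe into a fixed stack buffer and return its result. */
int safe_post_length(const char **hdrs, size_t n) {
    char post[POST_SIZE];
    return build_post_safe(post, sizeof post, hdrs, n);
}

int main(void) {
    write_span s = simulate_vulnerable(sample_headers, 2);
    printf("vulnerable loop: second header written at offset %zu (%zu bytes) of a %d-byte buffer, out of bounds: %s\n",
           s.last_offset, s.last_bytes, POST_SIZE, s.oob ? "yes" : "no");
    printf("hardened loop:   build_post_safe returns %d for the same headers, %d for short ones\n",
           safe_post_length(sample_headers, 2), safe_post_length(short_headers, 2));
    return 0;
}
```

The first constructed header is 102 bytes long, so the vulnerable loop writes only 63 of them but still advances its offset by 102; the second header is then written starting 38 bytes past the end of the 64-byte buffer, and the attacker picks that distance by picking the first header's length. The hardened loop rejects the request as soon as a header does not fit. Rolfe's caveat about sanitization still applies: this shows where the bytes land, not which byte values can be placed there.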
The issue affects all Icecast servers running versions 2.4.0 to 2.4.3 that use URL authentication. The vulnerability and a proof-of-concept (PoC) exploit were disclosed privately to Xiph on Oct. 16; Xiph acknowledged the flaw the same day and issued a patched version (2.4.4) two weeks later, on Nov. 1.
However, the streaming platform’s authors turned down the volume, so to speak, on the risk that CVE-2018-18820 poses.
“We currently do not believe that this issue is exploitable,” Icecast said in its patch notice. “It would require a malicious URL authentication back-end server to send a crafted payload and make it through libcURL.”
Rolfe acknowledged that the way headers are sanitized limits what data an attacker can write to the stack.
“My proof-of-concept exploit only caused a segfault in the server process — effectively a denial-of-service attack — but I suspect a sufficiently motivated and clever attacker would be able to upgrade this attack to achieve full-blown remote code-execution,” he said.