A vulnerability discovered in the Icecast streaming media server could be leveraged by an attacker to kill the broadcast of online radio stations that rely on it to reach their audience.
The flaw is sufficient to trigger a segmentation fault in the server process - an access violation condition that leads to a crash. A theoretical risk exists for remote code execution. An attacker could achieve this with sufficiently long, specially crafted HTTP headers.
Maintained by the Xiph.org Foundation, Icecast supports both audio and video data. Because it is available under a free software license and has support for open standards for communication, Icecast is a popular choice for creating an online radio station.
A patch is included in the latest version of the software, whose changelog describes the issue as a buffer overflow that affects Icecast versions 2.4.0, 2.4.1, 2.4.2 or 2.4.3 "if there is a “mount” definition that enables URL authentication."
The security bug stems from choosing the 'snprintf' function, which writes formatted output to a buffer, over 'sprintf' in order to avoid buffer overflow issues: 'snprintf' truncates the output if the buffer is not sufficiently large.
Making this choice is not necessarily a safer bet when a specific condition is met. Nick Rolfe of Semmle Security Research Team says that the 'snprintf' function does not offer protection against buffer overflows "if you provide a size argument that's larger than the actual size of the buffer."
Rolfe found the bug using LGTM, a software utility that automates the discovery of vulnerabilities in code based on specific search patterns. In this case, it was a standard query that triggered an alert when the 'snprintf' function was used without proper checks.
In a technical blog post, the expert explains that the giveaway was the size argument that was "derived from the return value of a previous call to snprintf."
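The pattern Rolfe describes can be shown in a few lines of C. This is an added example, not Icecast's code and not taken from the blog post; the helper names (`naive_remaining`, `append_fmt`, `build_body`) and the `user`/`agent` fields are hypothetical. It computes the size a follow-up call would receive if the return value of 'snprintf' is trusted, without performing that second write, and sets it beside a checked append that stops on truncation.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Size the NEXT snprintf would be given if the previous return value is
 * trusted as "bytes written". snprintf returns the untruncated length. */
static size_t naive_remaining(char *buf, size_t cap, const char *value)
{
    int n = snprintf(buf, cap, "user=%s", value);   /* constructed field name */
    if (n < 0)
        return 0;
    return cap - (size_t)n;   /* wraps to a huge value when n > cap */
}

/* Checked append: advances *off only by what actually fit. */
static int append_fmt(char *buf, size_t cap, size_t *off, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (*off >= cap)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *off, cap - *off, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap - *off)
        return -1;            /* error or truncation: stop, do not advance */
    *off += (size_t)n;
    return 0;
}

/* Builds "user=<u>&agent=<a>"; returns length, or -1 if it does not fit. */
static int build_body(char *buf, size_t cap, const char *user, const char *agent)
{
    size_t off = 0;
    if (append_fmt(buf, cap, &off, "user=%s", user) != 0 ||
        append_fmt(buf, cap, &off, "&agent=%s", agent) != 0)
        return -1;
    return (int)off;
}

int main(void)
{
    char body[16];
    const char *longval = "aaaaaaaaaaaaaaaaaaaaaaaa";   /* constructed input */
    printf("naive remaining: %zu\n", naive_remaining(body, sizeof body, longval));
    printf("checked build:   %d\n", build_body(body, sizeof body, longval, "x"));
    return 0;
}
```

The first line printed is far larger than the 16-byte buffer, which is exactly the oversized size argument that defeats the truncation 'snprintf' is relied on for.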
The vulnerability is now tracked as CVE-2018-18820. Xiph received the details about the bug and a proof-of-concept exploit on October 16 and acknowledged it on the same day. A fix is available in Icecast 2.4.4, released on November 1.