A new vulnerability has been discovered on Icecast's streaming platform, exploiting which may end the live relay of any station using the platform. Vulnerability is on the server side, and is caused by poor rights setting. By exploiting it, the server crashes, and the relay is interrupted. At the theoretical level, there is the ability to remotely execute code. In order for a hacker to exploit the vulnerability, he must send special HTTP headers to the server that appear to be much larger than usual.
Icecast is retained by the organization Xiph.org, and this is a service through which image and sound can be relayed. As it is available under free software licensing, and supports open communication standards, it is a fairly popular service primarily used to broadcast online radio stations.
In the last patch that has been released, the problem seems to have been resolved. Changelogs vulnerability is characterized as buffer overflow and affects 2.4.0 versions. 2.4.1, 2.4.2, and 2.4.3.
The security bug comes from snprintf that redirects the data output to a buffer. However, this mode of operation does not offer any security, and with certain techniques it can cause problems. Nick Rolfe from Semmle Security Research Team, reports that the snprintf function causes buffer overflow if the size argument is larger than the buffer size.
Vulnerability is no longer feasible, as 1 / 11 has released the Icecast 2.4.4. It has been codenamed CVE-2018-18820 and a proof of concept exploit has been published since October 16.