Arbitrary file read vulnerability in Shoutcast server <= 1.9.5.

I. BACKGROUND

SHOUTcast is Nullsoft's free, Winamp-based distributed streaming audio system. Thousands of broadcasters around the world are waiting for you to tune in and listen. It is available for multiple platforms, including Linux and MS Windows. According to the statistics on the web page, there are more than 10.000 servers running this technology. More information can be found at www.shoutcast.com.

II. AFFECTED SOFTWARE

Shoutcast server 1.9.5 (the latest available version) is vulnerable; older versions weren't tested, but they are most likely also vulnerable. Moreover, as the older versions had their own known bugs (as can be seen from the product's version history), it seems reasonable to assume that they make up just a tiny fraction of the installed servers.

III. IMPACT

The impact of the vulnerability depends on how the product was installed. In general, the vulnerability allows an attacker to read any file that the Shoutcast server process itself can read.

Although most Shoutcast installation guides for Linux recommend running it under a non-privileged user, there is a notable exception -- Gentoo Linux -- where the Shoutcast server (media-sound/shoutcast-server-bin package) runs with root privileges by default (unless the user explicitly modifies the way it is executed). Thus, on Gentoo Linux, the attacker gets read access to (almost) any sensitive piece of information, including /etc/shadow, the sources of PHP scripts, *SQL tables, logs, ...

Microsoft Windows users are affected as well, although it seems that only files on the same logical drive can be accessed using this vulnerability.

IV. DETAILS OF THE VULNERABILITY

The Shoutcast server listens for requests on port 8000 (the default; it can be changed with "PortBase" in the configuration file). The syntax of the requests is similar to HTTP GET requests (e.g. "GET /path"). If the requested path begins with "/content", the request is treated as a request for so-called "on-demand" content -- i.e. the client wants to listen to a specific file, usually an MP3 file stored on the server.

The parsing code for this type of request performs two tasks:

The problem is that these two operations are performed in the wrong order. As a consequence, it is possible to evade BOTH the filtering of forbidden characters AND the required-suffix check.

An example request can be produced with:
echo -e "GET /content/%2E./.%2E/%2E%2E/etc/passwd%00.mp3\n"
(for Gentoo Linux, three dot-dots usually suffice, as Shoutcast is installed in /opt/shoutcast by default).

V. DETECTION AND WORKAROUND

Run the server as a user with limited privileges and/or in a chroot jail. Detecting the exploit is fairly straightforward: look for "GET" in the first line, followed by "/content", translate the %XX sequences into characters and scan the resulting string for the usual directory-traversal sequences. Depending on the IDS used, this may be easy or tricky.
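The detection recipe above, worked into a small offline check. This is an added example, not part of the advisory: only the first sample request is the advisory's own, the other lines are constructed here, and decoding %XX sequences repeatedly until the string stops changing is an assumption borrowed from common IDS normalization (the advisory itself describes a single decoding step).

```python
import re
from urllib.parse import unquote

# Constructed sample request lines for the on-demand "/content" handler.
# The first is the request shown in the advisory; the rest are made up here.
SAMPLE_REQUESTS = [
    "GET /content/%2E./.%2E/%2E%2E/etc/passwd%00.mp3",
    "GET /content/music/track01.mp3",
    "GET /content/../../../etc/shadow.mp3",
    "GET /listen.pls",
]

# A ".." path segment after decoding is the classic traversal sequence.
DOTDOT_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def normalize_path(path):
    """Decode %XX sequences until the string no longer changes.

    Assumption: repeated decoding is a generic IDS normalization step,
    not something the advisory describes the server doing.
    """
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def inspect_request_line(line):
    """Return findings for one request line (empty list = nothing seen).

    Follows the advisory's recipe: "GET", a path starting with "/content",
    decode %XX, then look for traversal sequences in the result.
    """
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "GET":
        return []
    raw_path = parts[1]
    if not raw_path.startswith("/content"):
        return []
    path = normalize_path(raw_path)
    findings = []
    if DOTDOT_SEGMENT.search(path):
        findings.append("dot-dot traversal")
    if "\x00" in path:
        findings.append("null byte before suffix")
    if findings and path != raw_path:
        findings.append("percent-encoding masked the traversal")
    return findings


def scan_requests(lines):
    """Map each suspicious request line to its findings; clean lines are omitted."""
    return {line: f for line in lines if (f := inspect_request_line(line))}
```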

VI. SOLUTION

The authors provided an updated version of the Shoutcast server (1.9.6), which shouldn't be vulnerable to the issue described above. Unfortunately, it IS vulnerable to a slightly modified attack. Version 1.9.7 is safe from both the original and the modified attacks.

VII. TIMELINE

2006-06-??: Looking (without success) for security contact at Nullsoft.
2006-06-13: Gentoo security team contacted.
2006-06-14: Gentoo security team responded.
2006-06-??: Contact at Nullsoft found and notified.
2006-06-19: Nullsoft released updated version (1.9.6) for Windows.
2006-06-22: Nullsoft released updated version (1.9.6) for other platforms.
2006-06-22: The fix has been found to be flawed, vendor notified again.
2006-06-23: Nullsoft released updated version (1.9.7), vulnerability gone.
2006-07-09: Gentoo issued a GLSA and updated packages for the vulnerability.