lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 22 Sep 2003 18:03:24 +0000
From: Luigi Auriemma <aluigi@...ervista.org>
To: bugtraq@...urityfocus.com
Cc: vulnwatch@...nwatch.org, list@...ield.org, list@...uriteam.com
Subject: SpeakFreely for Win <= 7.6a spoofed DoS


#######################################################################

                             Luigi Auriemma

Application: SpeakFreely
             http://www.fourmilab.ch/speakfree/
             http://speak-freely.sourceforge.net
Versions:    <= 7.6a
Platforms:   Windows (Unix versions are NOT vulnerable)
Bug:         Remote crash caused by multiple spoofed connections
Risk:        Low
Author:      Luigi Auriemma
             e-mail: aluigi@...ervista.org
             web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


SpeakFreely is an interesting real-time voice chat application with
cryptographic support developed by John Walker and now the project will
be continued on Sourceforge by a group of programmers and fans.
The program is multiplatform, opensource and is also used as add-on of
ICQ.



#######################################################################

======
2) Bug
======


The bug exists only in the Windows version of the program (the project
at the moment is composed by 2 versions, one for Unix and another for
Windows).
Practically the resources of SpeakFreely can be easily consumed using
spoofed source IP addresses (the connections happen through UDP).

On Win98SE I have seen that less than 200 spoofed packets crash the
program remotely (about 160 packets exactly).

In fact after some packets, the following messages will be shown on the
victim:

"Cannot create transmit socket for host (x.x.x.x), error 10055.
No buffer space is available"

And then it will crash.


SpeakFreely has not a specific server and client; when it is launched
is both client and server at the same time, so everyone who uses the
Windows version can be DoSed by an attacker that has the ability to
send spoofed packets.

The important thing to fully complete the attack is its speed, however
are needed only 2 bytes for each packet so I think that this is not a
limit also on slow networks.




#######################################################################


===========
3) The Code
===========


Only for *nix:

http://aluigi.altervista.org/poc/sfdos.zip



#######################################################################

======
4) Fix
======


The project in this moment is in stall, so if it will be continued the
bug will be probably patched in the new version.



#######################################################################



--- 
Luigi Auriemma
http://aluigi.altervista.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ