lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050823202217.7791831f.aluigi@autistici.org>
Date: Tue, 23 Aug 2005 20:22:17 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com
Subject: Server crash in Ventrilo 2.3.0



#######################################################################

                             Luigi Auriemma

Application:  Ventrilo
              http://www.ventrilo.com
Versions:     <= 2.3.0 and >= 2.1.2
Platforms:    Windows (x86), Linux (x86), Solaris (SPARC), Solaris
              (x86), FreeBSD (x86), NetBSD (x86) and Mac OSX (PPC)
Bug:          forced exit or crash caused by malformed status packet
Exploitation: remote, versus server
Date:         23 Aug 2005
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Ventrilo is a widely known and used VoIP software developed by Flagship
Industries.
It is used moreover for the online gaming.


#######################################################################

======
2) Bug
======


Other than the TCP port used for accepting clients the Ventrilo server
binds also the same UDP port for handling the status requests sent by
the people to get informations and details.

The problem is in the code that controls the status queries, in fact
exists a check for the handling of possible malformed data which 
interrupts the server when is received a packet with an amount of data
lower than how much specified in the header of the query.
For example a normal status query (command 1 with 16 bytes of data
reported in the status header) that doesn't contain data is able to
exploit this vulnerability.

In the log file of the Windows servers will be dumped the following
message:
  ERROR: ServerLoop exception detected. Aborting.

On other platforms (tested Linux x86) happens a crash in free().

Naturally is also possible to spoof the malformed packet for an
anonymous exploiting of the bug.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/ventboom.zip


#######################################################################

======
4) Fix
======


No fix.
On the vendor's website doesn't exist an e-mail address for reporting
bugs (support, info and bugs are unexistent) and the forum requires
registration so, probably, they don't want to be contacted...

The bug can be avoided by setting a filter in the firewall which
rejects the UDP packets versus the port bound by the status service
(3784 by default, it's the same port used for accepting clients).


#######################################################################


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ