
Thursday, August 25, 2005

[NEWS] Ventrilo Denial of Service

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Ventrilo Denial of Service
------------------------------------------------------------------------

SUMMARY

"Ventrilo <http://www.ventrilo.com/> is a widely known and used VoIP
software developed by Flagship Industries."

Lack of proper packet handling within Ventrilo allows attackers to crash
the program and cause a DoS.

DETAILS

Vulnerable Systems:
* Ventrilo version 2.3.0

In addition to the TCP port used for accepting clients, the Ventrilo server
also binds the same UDP port to handle the status requests that people send
to get information and details.

The problem is in the code that handles the status queries: a check for
possibly malformed data interrupts the server when it receives a packet
carrying less data than the amount specified in the header of the query.
For example, a normal status query (command 1 with 16 bytes of data
reported in the status header) that contains no data is enough to
exploit this vulnerability.

On Windows servers, the following message is written to the log file:
ERROR: ServerLoop exception detected. Aborting.

On other platforms (tested on Linux x86), a crash occurs in free().

Naturally, the malformed packet can also be spoofed, so the bug can be
exploited anonymously.
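
The length mismatch described above is the kind of input a status parser should reject and drop rather than treat as fatal. The following is an added example, not code from Ventrilo or from the advisory's author: a defensive check that compares the declared data length with the bytes actually received. The 4-byte header layout, MAX_DATA_LEN, the type names and the sample packet are assumptions made for the illustration and are not Ventrilo's real wire format.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, already-decoded status header (NOT Ventrilo's real layout):
 * bytes 0-1 = command, bytes 2-3 = declared data length, both big-endian. */
#define HDR_LEN      4u
#define MAX_DATA_LEN 512u   /* assumed per-packet cap, chosen for this example */

typedef enum { PKT_OK = 0, PKT_SHORT_HEADER, PKT_OVERSIZE,
               PKT_TRUNCATED, PKT_TRAILING } pkt_status;

typedef struct {
    uint16_t       cmd;
    uint16_t       len;   /* validated: exactly this many bytes at data */
    const uint8_t *data;  /* points into the caller's buffer, NULL if len == 0 */
} status_query;

static uint16_t rd_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Validate one received datagram. Every mismatch between declared and
 * received size is returned as a status code so the caller can drop the
 * packet and keep serving; nothing is allocated, freed or thrown here. */
pkt_status parse_status_query(const uint8_t *pkt, size_t received,
                              status_query *out)
{
    if (pkt == NULL || out == NULL || received < HDR_LEN)
        return PKT_SHORT_HEADER;

    uint16_t declared = rd_be16(pkt + 2);
    size_t   payload  = received - HDR_LEN;

    if (declared > MAX_DATA_LEN) return PKT_OVERSIZE;
    if (declared > payload)      return PKT_TRUNCATED; /* case in this advisory */
    if (declared < payload)      return PKT_TRAILING;

    out->cmd  = rd_be16(pkt);
    out->len  = declared;
    out->data = declared ? pkt + HDR_LEN : NULL;
    return PKT_OK;
}

/* Constructed sample: command 1, header declares 16 bytes, none follow. */
static const uint8_t sample_truncated[] = { 0x00, 0x01, 0x00, 0x10 };

int main(void)
{
    status_query q;
    return parse_status_query(sample_truncated, sizeof sample_truncated, &q)
           == PKT_TRUNCATED ? 0 : 1;
}
```

Because the packet can be spoofed, filtering by source address does not help; the check has to live in the parser, and a rejected packet should cost the server nothing more than a counter increment.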

Exploit:
winerr.h can be found at:
http://www.securiteam.com/unixfocus/5UP0I1FC0Y.html

ventrilo_udp.h:
/*

Ventrilo UDP status algorithm 0.1
by Luigi Auriemma
e-mail: aluigi at autistici.org
web: http://aluigi.altervista.org

INTRODUCTION
-===========
This algorithm is the method used by the chat program Ventrilo
(http://www.ventrilo.com) for encoding the UDP packets used to get
the status informations.

FUNCTIONS
-========
struct ventrilo_udp_head
void ventrilo_udp_head_dec(unsigned char *data)
void ventrilo_udp_head_enc(unsigned char *data)
void ventrilo_udp_data_dec(unsigned char *data, int len, unsigned short key)
unsigned short ventrilo_udp_data_enc(unsigned char *data, int len)
unsigned short ventrilo_udp_crc(unsigned char *data, int len)

USAGE EXAMPLE
-============
Watch my "Ventrilo status retriever" code for a simple and practical
example:

http://aluigi.altervista.org/papers/ventstat.zip

LICENSE
-======
Copyright 2005 Luigi Auriemma

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA

http://www.gnu.org/licenses/gpl.txt

*/

#include <time.h>
#ifdef WIN32
#include <winsock.h>
#define VENTRILO_RAND clock()
#else
#include <netinet/in.h>
#include <sys/times.h>
#define VENTRILO_RAND times(0)
#endif
