#######################################################################

                             Luigi Auriemma

Application:  I Hear U
              http://ihu.sourceforge.net
Versions:     <= 0.5.6
Platforms:    Linux
Bugs:         A] endless loop caused by packet size value equal to 0
              B] crash caused by uninitialized values in ring()
Exploitation: remote versus the application in waiting call mode
Date:         20 Nov 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

I Hear U (IHU) is an easy to use VoIP application for Linux.

#######################################################################

=======
2) Bugs
=======

------------------------------------------------------
A] endless loop caused by packet size value equal to 0
------------------------------------------------------

An endless loop in Receiver::processPacket can be exploited through the
usage of a packet size value equal to zero (the 4th byte in the packet's
header, after the "IHU" sign).

-----------------------------------------------
B] crash caused by uninitialized values in ring()
-----------------------------------------------

An attacker can crash the remote application simply by sending the
IHU_INFO_INIT or the IHU_INFO_RING packet without specifying the mode,
forcing the program to call the Player::ring() function without the
proper initialization of ring_buffer and frame_size (pointed to by
buffer and frames).

From Player.cpp:

void Player::ring(short *buffer, int frames) {
  float floatBuffer[frames];
  for(i=0;i
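The framing check that bug A] above calls for, as an added example that is not code from the advisory or from IHU itself: it assumes a simplified header of the 3-byte "IHU" sign followed by one size byte (as described above) and treats that size as the payload length, which the advisory does not specify. A receive loop that advances by the declared size makes no progress when the size is 0, so the parser rejects that value before using it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified IHU-style framing, assumed for this example: a 3-byte "IHU"
 * sign, then one byte giving the payload size (payload-only is an
 * assumption; the advisory only says the 4th byte is the size). */
#define IHU_MAGIC    "IHU"
#define IHU_HDR_LEN  4

/* Constructed sample streams: two well-formed packets, and two packets
 * where the second declares a size of 0. */
static const uint8_t sample_good[] = { 'I','H','U',2, 0xAA,0xBB, 'I','H','U',1, 0xCC };
static const uint8_t sample_zero[] = { 'I','H','U',2, 0xAA,0xBB, 'I','H','U',0 };

/* Walk a receive buffer packet by packet and count well-formed packets.
 * Returns the number of packets consumed, or -1 on a malformed stream.
 * Without the size == 0 check, pos would never advance and the loop
 * would spin forever, which is the endless loop in bug A]. */
int ihu_count_packets(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len) {
        /* A full header must be present before any field is trusted. */
        if (len - pos < IHU_HDR_LEN)
            return -1;
        if (memcmp(buf + pos, IHU_MAGIC, 3) != 0)
            return -1;

        size_t size = buf[pos + 3];

        /* Reject size 0 (no forward progress) and sizes that run past
         * the end of the buffer (out-of-bounds read). */
        if (size == 0 || size > len - pos - IHU_HDR_LEN)
            return -1;

        pos += IHU_HDR_LEN + size;   /* always advances by at least 5 */
        count++;
    }
    return count;
}

int main(void)
{
    printf("good stream: %d packets\n", ihu_count_packets(sample_good, sizeof sample_good));
    printf("zero-size stream: %d\n", ihu_count_packets(sample_zero, sizeof sample_zero));
    return 0;
}
```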