####################################################################### Luigi Auriemma Application: PulseAudio http://www.pulseaudio.org Versions: 0.9.5 (svn 1437) Platforms: POSIX and Win32 Bugs: termination of the server through failed assert() Exploitation: local and remote Date: 29 Mar 2007 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From the website: "PulseAudio, previously known as Polypaudio, is a sound server for POSIX and Win32 systems. A sound server is basically a proxy for your sound applications. It allows you to do advanced operations on your sound data as it passes between your application and your hardware. Things like transferring the audio to a different machine, changing the sample format or channel count and mixing several sounds into one are easily achieved using a sound server." ####################################################################### ======= 2) Bugs ======= The PulseAudio server can be interrupted from both remote and local users through invalid parameters. That happens due to usage of the function assert() which terminates the process when a specific condition is not met, for example if the client wants to send an amount of data equal to zero. Exist at least three ways for stopping a remote server from unauthenticated connections. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/pulsex.zip ####################################################################### ====== 4) Fix ====== The problems will be solved in the next release. #######################################################################