#######################################################################

                             Luigi Auriemma

Application:  Ventrilo
              http://www.ventrilo.com
Versions:     <= 2.3.0 and >= 2.1.2
Platforms:    Windows (x86), Linux (x86), Solaris (SPARC), Solaris (x86),
              FreeBSD (x86), NetBSD (x86) and Mac OSX (PPC)
Bug:          forced exit or crash caused by malformed status packet
Exploitation: remote, versus server
Date:         23 Aug 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Ventrilo is a widely known and used VoIP software developed by Flagship
Industries. It is used mostly for online gaming.

#######################################################################

======
2) Bug
======

In addition to the TCP port used for accepting clients, the Ventrilo
server also binds the same UDP port for handling the status requests
that people send to get information and details about the server.

The problem is in the code that handles the status queries: it contains
a check for malformed data which interrupts the server when a packet is
received with less data than the amount specified in the header of the
query. For example, a normal status query (command 1 with 16 bytes of
data reported in the status header) that contains no data at all is
enough to exploit this vulnerability.

On Windows servers the following message is written to the log file:

  ERROR: ServerLoop exception detected. Aborting.

On other platforms (tested on Linux x86) the server crashes in free().

Naturally it is also possible to spoof the malformed packet, so the bug
can be exploited anonymously.

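As an added example, not code from the advisory or from Ventrilo itself, the following C handler shows the length check the advisory describes, written so that a datagram whose header claims more data than arrived is dropped and the server keeps running, instead of the check raising an exception that aborts the server loop. The 4-byte header layout (little-endian command, little-endian data length) is an assumption made for illustration and is not Ventrilo's real wire format.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed header layout for this example only (NOT Ventrilo's real
 * wire format): 2-byte little-endian command, then 2-byte little-endian
 * length of the data that follows. The advisory states only that the real
 * status header carries a data length which the server compares against
 * the bytes actually received, and that a mismatch stops the server. */
#define STATUS_HDR_LEN   4
#define STATUS_CMD_QUERY 1

enum {
    STATUS_OK        =  0,
    STATUS_TOO_SHORT = -1,   /* datagram shorter than the header itself  */
    STATUS_TRUNCATED = -2,   /* header claims more data than was received */
    STATUS_BAD_CMD   = -3    /* unknown command value                     */
};

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Validate a received status datagram before any payload is touched.
 * On success writes the verified payload length to *data_len and returns
 * STATUS_OK; on any error returns a negative code and changes nothing,
 * so the caller simply drops the datagram and waits for the next one. */
int check_status_query(const uint8_t *pkt, size_t pkt_len, size_t *data_len)
{
    if (pkt_len < STATUS_HDR_LEN)
        return STATUS_TOO_SHORT;

    uint16_t cmd      = rd16le(pkt);
    uint16_t declared = rd16le(pkt + 2);

    if (cmd != STATUS_CMD_QUERY)
        return STATUS_BAD_CMD;

    /* The condition the advisory describes as fatal: declared length
     * exceeds the bytes that actually arrived (e.g. command 1 claiming
     * 16 bytes with an empty body). Reject the packet, do not abort. */
    if ((size_t)declared > pkt_len - STATUS_HDR_LEN)
        return STATUS_TRUNCATED;

    *data_len = declared;
    return STATUS_OK;
}
```

A server loop that calls this before parsing the payload and ignores every non-zero result never reaches the "ServerLoop exception" path for a short packet.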
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/ventboom.zip

#######################################################################

======
4) Fix
======

No fix.

The vendor's website has no e-mail address for reporting bugs (the
support, info and bugs addresses don't exist) and the forum requires
registration, so probably they don't want to be contacted...

The bug can be avoided by setting a rule in the firewall that rejects
UDP packets sent to the port bound by the status service (3784 by
default; it's the same port used for accepting clients).

#######################################################################