SecurityTracker.com
Category:   Application (VoIP)  >   Ventrilo
Vendors:   Flagship Industries, Inc.
Ventrilo Service Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1014784
SecurityTracker URL:  http://securitytracker.com/id/1014784
CVE Reference:   CVE-2005-2719
Updated:  Jun 8 2008
Original Entry Date:  Aug 24 2005
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 2.1.2 - 2.3.0
Description:   Luigi Auriemma reported a vulnerability in Ventrilo. A remote user can cause the target service to crash.

A remote user can send a specially crafted UDP status query packet to the target service with less data than is specified in the query header to trigger a flaw in Ventrilo. The software does not properly handle this exception and may terminate.
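The missing check, as an added example that is not taken from the advisory or from Ventrilo's code: a datagram parser that compares the length declared in the header with the bytes actually received and drops the packet on a mismatch. The header layout (2-byte command, 2-byte length, big-endian), the `MAX_DATA` bound and all names are assumptions for illustration, not Ventrilo's wire format.

```c
#include <stddef.h>
#include <stdint.h>

/* ASSUMED layout for illustration only (not Ventrilo's wire format):
 * bytes 0-1 command, bytes 2-3 declared data length, both big-endian,
 * followed by the data itself. */
#define HDR_LEN  4u
#define MAX_DATA 512u   /* assumed upper bound for a status query body */

enum parse_result { PKT_OK, PKT_SHORT_HEADER, PKT_TRUNCATED, PKT_TOO_LARGE };

struct status_query {
    uint16_t       command;
    uint16_t       data_len;
    const uint8_t *data;      /* points into the caller's buffer */
};

/* Validate one received datagram. Any failure means "drop the packet and
 * keep serving"; it must never reach an abort path or free anything. */
enum parse_result parse_status_query(const uint8_t *pkt, size_t pkt_len,
                                     struct status_query *out)
{
    if (pkt_len < HDR_LEN)
        return PKT_SHORT_HEADER;

    uint16_t command  = (uint16_t)((pkt[0] << 8) | pkt[1]);
    uint16_t declared = (uint16_t)((pkt[2] << 8) | pkt[3]);

    if (declared > MAX_DATA)
        return PKT_TOO_LARGE;
    /* The case from the advisory: header promises more than arrived. */
    if (declared > pkt_len - HDR_LEN)
        return PKT_TRUNCATED;

    out->command  = command;
    out->data_len = declared;
    out->data     = pkt + HDR_LEN;
    return PKT_OK;
}

int main(void)
{
    /* Constructed sample: command 1, 16 bytes declared, none sent. */
    const uint8_t truncated[] = { 0x00, 0x01, 0x00, 0x10 };
    struct status_query q;
    return parse_status_query(truncated, sizeof truncated, &q)
           == PKT_TRUNCATED ? 0 : 1;
}
```

The receive loop would log and discard any result other than `PKT_OK`, so a single malformed datagram cannot stop the service.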

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/ventboom.zip

Impact:   A remote user can cause the target service to crash.
Solution:   No solution was available at the time of this entry.

The report indicates that, as a workaround, you can filter to reject UDP packets on the service port (3784 by default).

Vendor URL:  www.ventrilo.com/
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Server crash in Ventrilo 2.3.0

#######################################################################

                             Luigi Auriemma

Application:  Ventrilo
              http://www.ventrilo.com
Versions:     <= 2.3.0 and >= 2.1.2
Platforms:    Windows (x86), Linux (x86), Solaris (SPARC), Solaris
              (x86), FreeBSD (x86), NetBSD (x86) and Mac OSX (PPC)
Bug:          forced exit or crash caused by malformed status packet
Exploitation: remote, versus server
Date:         23 Aug 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Ventrilo is a widely known and used VoIP software developed by Flagship
Industries.
It is used moreover for the online gaming.


#######################################################################

======
2) Bug
======


Other than the TCP port used for accepting clients, the Ventrilo server
also binds the same UDP port for handling the status requests sent by
people to get information and details.

The problem is in the code that controls the status queries: there is
a check for the handling of possible malformed data which interrupts
the server when a packet is received with an amount of data lower than
that specified in the header of the query.
For example, a normal status query (command 1 with 16 bytes of data
reported in the status header) that doesn't contain data is able to
exploit this vulnerability.

In the log file of Windows servers the following message will be
dumped:
  ERROR: ServerLoop exception detected. Aborting.

On other platforms (tested Linux x86) a crash happens in free().

Naturally it is also possible to spoof the malformed packet for
anonymous exploitation of the bug.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/ventboom.zip


#######################################################################

======
4) Fix
======


No fix.
On the vendor's website there is no e-mail address for reporting
bugs (support, info and bugs are nonexistent) and the forum requires
registration so, probably, they don't want to be contacted...

The bug can be avoided by setting a filter in the firewall which
rejects UDP packets to the port bound by the status service
(3784 by default, it's the same port used for accepting clients).


#######################################################################


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
 
 



Copyright 2021, SecurityGlobal.net LLC