Server crash in Ventrilo 2.3.0
#######################################################################
Luigi Auriemma
Application: Ventrilo
http://www.ventrilo.com
Versions: <= 2.3.0 and >= 2.1.2
Platforms: Windows (x86), Linux (x86), Solaris (SPARC), Solaris
(x86), FreeBSD (x86), NetBSD (x86) and Mac OSX (PPC)
Bug: forced exit or crash caused by malformed status packet
Exploitation: remote, against the server
Date: 23 Aug 2005
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Ventrilo is a widely known and widely used VoIP application developed by
Flagship Industries.
It is used mainly for online gaming.
#######################################################################
======
2) Bug
======
Besides the TCP port on which it accepts clients, the Ventrilo server
also binds the same port number on UDP to handle the status requests
that people send to obtain information and details about the server.
The problem lies in the code that handles these status queries: a check
meant to deal with possibly malformed data terminates the whole server
when a packet arrives that carries less data than the amount declared
in the query's header.
For example, a normal status query (command 1 with 16 bytes of data
declared in the status header) that carries no data at all is enough to
trigger the vulnerability.
On Windows servers the following message is written to the log file:
ERROR: ServerLoop exception detected. Aborting.
On other platforms (tested on Linux x86) the server crashes in free().
Since the query travels over UDP, the source address of the malformed
packet can naturally be spoofed, so the bug can be exploited
anonymously.
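The core of the bug is a length field in the header that the server trusts more than the datagram it actually received, and a mismatch handler that aborts the process instead of dropping the packet. The following is an added example written for this advisory, not code from Ventrilo or from the author's ventboom proof of concept: a status-query parser that validates the declared length against the bytes present and a simulated server loop that drops the bad datagram and keeps serving. The header layout used here (a 1-byte command, a 2-byte big-endian data length, then the data) and the names are assumptions for illustration only and are not Ventrilo's real wire format.

```c
/* Added example: reject a UDP status query whose declared data length
 * exceeds the bytes actually received, instead of aborting the server.
 * The header layout below (1-byte command, 2-byte big-endian data
 * length, then data) is ASSUMED for illustration; it is not Ventrilo's
 * real format. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define STATUS_HDR_LEN   3      /* assumed header size */
#define STATUS_CMD_QUERY 1      /* "command 1" as in the advisory */
#define STATUS_MAX_DATA  1024   /* assumed upper bound for sanity */

enum status_rc {
    STATUS_OK = 0,
    STATUS_SHORT_HEADER = 1,  /* fewer bytes than a full header */
    STATUS_TRUNCATED = 2,     /* declared length > bytes present */
    STATUS_TOO_LONG = 3,      /* declared length beyond our buffer */
    STATUS_BAD_COMMAND = 4
};

struct status_query {
    uint8_t cmd;
    uint16_t data_len;
    const uint8_t *data;      /* points into the datagram, not copied */
};

/* Check every header field against the datagram size before trusting it. */
enum status_rc parse_status_query(const uint8_t *pkt, size_t pkt_len,
                                  struct status_query *out)
{
    if (pkt_len < STATUS_HDR_LEN)
        return STATUS_SHORT_HEADER;
    uint16_t declared = (uint16_t)((pkt[1] << 8) | pkt[2]);
    if (declared > STATUS_MAX_DATA)
        return STATUS_TOO_LONG;
    if (declared > pkt_len - STATUS_HDR_LEN)
        return STATUS_TRUNCATED;  /* the mismatch that made the server abort */
    if (pkt[0] != STATUS_CMD_QUERY)
        return STATUS_BAD_COMMAND;
    out->cmd = pkt[0];
    out->data_len = declared;
    out->data = pkt + STATUS_HDR_LEN;
    return STATUS_OK;
}

/* Simulated server loop: each datagram is handled on its own; a malformed
 * one is logged and dropped and the loop keeps serving.  Returns the
 * number of queries that were answered. */
int serve_status_datagrams(const uint8_t *const *pkts, const size_t *lens, int n)
{
    int answered = 0;
    for (int i = 0; i < n; i++) {
        struct status_query q;
        enum status_rc rc = parse_status_query(pkts[i], lens[i], &q);
        if (rc != STATUS_OK) {
            fprintf(stderr, "dropping datagram %d: rc=%d (len=%zu)\n",
                    i, (int)rc, lens[i]);
            continue;             /* drop the packet, never abort */
        }
        answered++;               /* a real server would send the reply here */
    }
    return answered;
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t good_query[] = { 1, 0x00, 0x10,
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }; /* 16 data bytes */
/* Header declares 16 bytes of data but none follow: the advisory's trigger. */
static const uint8_t empty_query[] = { 1, 0x00, 0x10 };

int main(void)
{
    const uint8_t *pkts[] = { good_query, empty_query, good_query };
    size_t lens[] = { sizeof good_query, sizeof empty_query, sizeof good_query };
    int n = serve_status_datagrams(pkts, lens, 3);
    printf("answered %d of 3 datagrams\n", n);
    return 0;
}
```

The design point is that a malformed datagram from an unauthenticated (and, over UDP, possibly spoofed) source must never be treated as a fatal condition: the parser returns a per-packet verdict and the loop discards the packet, so one bad query cannot take the service down.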
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/ventboom.zip
#######################################################################
======
4) Fix
======
No fix.
The vendor's website offers no e-mail address for reporting bugs (the
support, info and bugs addresses do not exist) and the forum requires
registration, so presumably they don't want to be contacted...
The bug can be avoided by adding a firewall rule that rejects UDP
packets sent to the port bound by the status service (3784 by default,
the same port number used for accepting clients). Since clients connect
over TCP, such a rule disables only the status queries.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org