NULL pointer in Ventrilo 3.0.2

2008.08.15
Credit: Luigi Auriemma
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2008-3680
CWE: CWE-20


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

####################################################################### Luigi Auriemma Application: Ventrilo http://www.ventrilo.com Versions: <= 3.0.2 Platforms: Windows, Linux i386, Solaris SPARC, Solaris x86, FreeBSD i386, NetBSD i386, Mac OSX PowerPC Bug: NULL pointer Exploitation: remote, versus server Date: 13 Aug 2008 Authors: Andre Malm Luigi Auriemma web: sheepa.org e-mail: aluigi_at_autistici&#46;org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Ventrilo is one of the most knwon and used voice chat softwares for gamers. ####################################################################### ====== 2) Bug ====== Despite the vice of the Ventrilo developers of changing the protocol of their application enough often (like the recent senseless additional encryption keys located on their centralized servers needed for the handshake and the in-game packets of the 3.x servers), the first packet sent to a Ventrilo server has ever the same format on any new and old version: type 0, version and two random strings. If the server receives a version string different than its one it sends an "Incompatible version" error message to the client and skips the instructions that create the random keys used for the encryption and decryption of all the subsequent packets. So if an attacker supplies an invalid version and sends another packet with any content in it, the server crashes due to the key assigned for the decryption of the client's packets which is still unitialized (in fact the NULL pointer exception happens just in the decryption function). ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/ventrilobotomy.zip ####################################################################### ====== 4) Fix ====== No official fix. I have written an universal work-around which works with any version and platform (SPARC and Mac OSX excluded) of the dedicated server: http://aluigi.org/patches/ventrilobotomyfix.zip ####################################################################### --- Luigi Auriemma http://aluigi.org

References:

http://www.securityfocus.com/bid/30675
http://www.securityfocus.com/archive/1/archive/1/495448/100/0/threaded
http://secunia.com/advisories/31466
http://aluigi.org/poc/ventrilobotomy.zip
http://aluigi.altervista.org/adv/ventrilobotomy-adv.txt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top