#######################################################################

Luigi Auriemma

Application:  SpeakFreely
              http://www.fourmilab.ch/speakfree/
              http://speak-freely.sourceforge.net
Versions:     <= 7.6a
Platforms:    Windows (Unix versions are NOT vulnerable)
Bug:          Remote crash caused by multiple spoofed connections
Date:         22 Sep 2003
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

SpeakFreely is an interesting real-time voice chat application with
cryptographic support, developed by John Walker; the project is now
being continued on SourceForge by a group of programmers and fans.
The program is multiplatform and open source, and is also used as an
add-on for ICQ.

#######################################################################

======
2) Bug
======

The bug exists only in the Windows version of the program (at the
moment the project consists of 2 versions, one for Unix and another
for Windows).

In practice the resources of SpeakFreely can be easily consumed using
spoofed source IP addresses (the connections happen through UDP).
On Win98SE I have seen that less than 200 spoofed packets crash the
program remotely (about 160 packets exactly).

In fact, after some packets the following message will be shown on the
victim:

  "Cannot create transmit socket for host (x.x.x.x), error 10055.
   No buffer space is available"

And then it will crash.

SpeakFreely has no separate server and client: when it is launched it
is both client and server at the same time, so everyone who uses the
Windows version can be DoSed by an attacker who has the ability to
send spoofed packets.

The important factor in fully completing the attack is its speed;
however, only 2 bytes are needed for each packet, so I think that
this is not a limit even on slow networks.

#######################################################################

===========
3) The Code
===========

Only for *nix:

http://aluigi.org/poc/sfdos.zip

#######################################################################

======
4) Fix
======

The project is stalled at the moment, so if it is continued the bug
will probably be patched in the new version.

#######################################################################
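The following is an added example, not code from the advisory or from the SpeakFreely project. It models the failure mode described in section 2 (one transmit socket allocated per new source address and never released, until Winsock returns error 10055) next to the bounded alternative a maintainer would want for section 4: a capped peer table that evicts the least recently seen source. The socket budget of 160 is a constructed stand-in for the Windows buffer-space limit observed on Win98SE, the FakeSocketFactory replaces real socket creation so the script runs offline, and the sample traffic (2-byte payloads from distinct addresses) is constructed; none of these come from the advisory.

```python
# Added example (Python 3). Models the per-source transmit-socket pattern from
# the advisory and a bounded, LRU-evicting alternative. No network I/O is done.
from collections import OrderedDict

WSAENOBUFS = 10055  # Winsock "No buffer space available", the code quoted in the advisory


class TransmitSocketExhausted(OSError):
    """Raised when the modelled socket budget is exhausted (stands in for 10055)."""


class FakeSocketFactory:
    """Constructed stand-in for socket creation with a hard budget.

    The budget is an assumption modelling the host's buffer space; real Winsock
    fails with WSAENOBUFS once non-paged buffer space runs out."""

    def __init__(self, budget):
        self.budget = budget
        self.open_count = 0

    def create(self, host):
        if self.open_count >= self.budget:
            raise TransmitSocketExhausted(
                WSAENOBUFS,
                f"Cannot create transmit socket for host ({host}), error {WSAENOBUFS}. "
                "No buffer space is available",
            )
        self.open_count += 1
        return f"sock->{host}"

    def close(self, sock):
        self.open_count -= 1


def vulnerable_receive_loop(packets, factory):
    """Pattern the advisory describes: a transmit socket per new source, kept forever.

    Returns (sockets_opened, errno_or_None); errno is 10055 when the budget runs out."""
    peers = {}
    for src, _payload in packets:
        if src in peers:
            continue
        try:
            peers[src] = factory.create(src)
        except TransmitSocketExhausted as exc:
            return len(peers), exc.errno
    return len(peers), None


def hardened_receive_loop(packets, factory, max_peers):
    """Bounded peer table: cap concurrent transmit sockets and evict the least
    recently seen source, so a flood of distinct (possibly spoofed) sources
    cannot exhaust buffer space. Returns (peers_held, evictions)."""
    peers = OrderedDict()
    evictions = 0
    for src, _payload in packets:
        if src in peers:
            peers.move_to_end(src)  # refresh recency for a known source
            continue
        if len(peers) >= max_peers:
            _old_src, old_sock = peers.popitem(last=False)  # drop least recently seen
            factory.close(old_sock)
            evictions += 1
        peers[src] = factory.create(src)
    return len(peers), evictions


def many_source_sample(count):
    """Constructed sample traffic: `count` 2-byte packets, each from a distinct source."""
    return [(f"10.0.{i // 256}.{i % 256}", b"\x00\x00") for i in range(count)]


if __name__ == "__main__":
    traffic = many_source_sample(200)
    print("unbounded:", vulnerable_receive_loop(traffic, FakeSocketFactory(160)))
    factory = FakeSocketFactory(160)
    print("bounded:  ", hardened_receive_loop(traffic, factory, max_peers=64),
          "sockets open:", factory.open_count)
```

Run stand-alone, the unbounded loop stops after 160 sockets with errno 10055 on a 200-source sample, matching the advisory's account of roughly 160 packets, while the bounded loop never holds more than 64 sockets and simply cycles spoofed sources through the table. A real fix would add a cap like this (plus a per-source rate limit) in the code path that creates the transmit socket on first contact.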