#######################################################################

                             Luigi Auriemma

Application:  Ventrilo
              http://www.ventrilo.com
Versions:     <= 3.0.5
Platforms:    Windows and Mac OSX
Bug:          access violation in the Speex codec
Exploitation: remote, versus client (in-game through attacker client)
Date:         10 Sep 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Ventrilo is a widely known and used VoIP software developed by Flagship
Industries. It is used mostly for online gaming.

#######################################################################

======
2) Bug
======

In Ventrilo the codec to use is chosen by the server, and all the clients
can use only the one allowed by the server.

The base configuration of the server sets "GSM 6.10" as the default codec
with the quality "(11 KHz, 16 bit) 2210 bytes/sec", but the Speex codec is
more commonly used and even recommended, and it is also the one with the
most settings to choose from. This choice is usually preferred because
Speex also works on the Mac clients and its packets are smaller at the
same quality (almost a quarter of the GSM size).

The problem is that the Speex codec is used in a wrong way in Ventrilo, so
a malformed packet leads to various access violations that crash any
client in the same room as the attacker, or any client the attacker tries
to talk to.

To exploit the vulnerability the attacker needs access to the server and
its rooms, and the server must use the Speex codec ("forcing" the sending
of the malformed Speex packets is useless).
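The defensive point behind this bug is that a client must validate a voice packet against the codec the server negotiated before handing it to the decoder, and must survive a frame the decoder rejects. The following added example (not Ventrilo's code and not the Speex API; the packet layout, the per-mode frame sizes and the decoder stub are all constructed for illustration) shows such a wrapper: it pins the mode to the server's choice, requires the payload length to match the frame count exactly, bounds the output buffer, and substitutes silence for a rejected frame such as the all-0xff flood described above instead of aborting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical packet layout assumed for this example (not Ventrilo's real
 * wire format): [u8 mode][u8 frame_count][frame_count * FRAME_BYTES[mode]]. */
#define MODE_COUNT 4
/* Constructed per-mode encoded frame sizes; a real client takes these from
 * the codec for the mode the server negotiated, never from the packet. */
static const size_t FRAME_BYTES[MODE_COUNT] = { 6, 10, 15, 20 };
#define MAX_FRAMES_PER_PACKET 8
#define SAMPLES_PER_FRAME 160
#define MAX_PCM_SAMPLES (MAX_FRAMES_PER_PACKET * SAMPLES_PER_FRAME)

enum voice_status {
    VOICE_OK = 0,
    VOICE_BAD_HEADER,     /* too short, zero frames or too many frames */
    VOICE_MODE_MISMATCH,  /* packet claims a mode the server did not negotiate */
    VOICE_BAD_LENGTH,     /* payload length != frame_count * frame size */
    VOICE_NO_SPACE,       /* caller's PCM buffer is too small for the frames */
    VOICE_DECODE_FAIL     /* a frame was rejected; silence substituted */
};

/* Stand-in for the codec call (speex_decode_int() in a real client).
 * Constructed rule: a frame made only of 0xff bytes is rejected, anything
 * else "decodes" to silence. */
static int stub_decode_frame(const uint8_t *frame, size_t len, int16_t *pcm)
{
    size_t i, ones = 0;
    for (i = 0; i < len; i++)
        if (frame[i] == 0xff) ones++;
    memset(pcm, 0, SAMPLES_PER_FRAME * sizeof(int16_t));
    return ones == len ? -1 : 0;
}

enum voice_status decode_voice_packet(const uint8_t *pkt, size_t pkt_len,
                                      uint8_t negotiated_mode,
                                      int16_t *pcm, size_t pcm_cap,
                                      size_t *pcm_written)
{
    uint8_t mode, frames;
    size_t frame_len, payload_len, i;
    enum voice_status st = VOICE_OK;

    *pcm_written = 0;
    if (pkt == NULL || pkt_len < 2) return VOICE_BAD_HEADER;
    mode = pkt[0];
    frames = pkt[1];
    if (frames == 0 || frames > MAX_FRAMES_PER_PACKET) return VOICE_BAD_HEADER;
    /* The server picked the codec for everyone: a sender cannot switch it. */
    if (mode >= MODE_COUNT || mode != negotiated_mode) return VOICE_MODE_MISMATCH;
    frame_len = FRAME_BYTES[mode];
    payload_len = pkt_len - 2;
    /* Exact match: neither truncated nor padded payloads reach the decoder. */
    if (payload_len != (size_t)frames * frame_len) return VOICE_BAD_LENGTH;
    if (pcm_cap < (size_t)frames * SAMPLES_PER_FRAME) return VOICE_NO_SPACE;

    for (i = 0; i < frames; i++) {
        const uint8_t *frame = pkt + 2 + i * frame_len;
        int16_t *out = pcm + i * SAMPLES_PER_FRAME;
        if (stub_decode_frame(frame, frame_len, out) != 0) {
            /* Bad frame: play silence for it and keep going, never abort. */
            memset(out, 0, SAMPLES_PER_FRAME * sizeof(int16_t));
            st = VOICE_DECODE_FAIL;
        }
    }
    *pcm_written = (size_t)frames * SAMPLES_PER_FRAME;
    return st;
}

/* Builds a constructed test packet with every payload byte set to `fill`;
 * returns its length, or 0 if it would not fit in `cap`. */
size_t build_packet(uint8_t *buf, size_t cap, uint8_t mode, uint8_t frames, uint8_t fill)
{
    size_t len;
    if (mode >= MODE_COUNT) return 0;
    len = 2 + (size_t)frames * FRAME_BYTES[mode];
    if (len > cap) return 0;
    buf[0] = mode;
    buf[1] = frames;
    memset(buf + 2, fill, len - 2);
    return len;
}

int main(void)
{
    uint8_t buf[256];
    int16_t pcm[MAX_PCM_SAMPLES];
    size_t n, len;
    /* The 0xff flood from the advisory's proof-of-concept, as constructed input. */
    len = build_packet(buf, sizeof buf, 1, 2, 0xff);
    printf("all-0xff packet -> status %d, %zu samples of silence\n",
           (int)decode_voice_packet(buf, len, 1, pcm, MAX_PCM_SAMPLES, &n), n);
    return 0;
}
```

The length check is deliberately an exact equality rather than a minimum: a payload that is longer than the frame count implies is just as suspicious as a short one, and rejecting it keeps the decoder from ever being asked to read past what the sender actually supplied.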
#######################################################################

===========
3) The Code
===========

The following is a patch to apply to a normal 3.0.5 client, which turns it
into a proof-of-concept that replaces the writing of the voice data into
the packet with a "memset(packet, 0xff, size)":

  http://aluigi.org/mytoolz/lpatch.zip
  http://aluigi.org/poc/ventspeex.lpatch

#######################################################################

======
4) Fix
======

No fix.

#######################################################################