ventrilobotomy.txt

ventrilobotomy.txt: Posted Aug 13, 2008; Authored by Luigi Auriemma | Site aluigi.org; Ventrilo versions 3.0.2 and below suffer from a NULL pointer vulnerability that allows for denial of service.; tags | advisory, denial of service; SHA-256 | 4aa012c93d8278783849d1cb40a0e91f8f4f0a1fcd2d1347b4737d4282e2a064; Download | Favorite | View

ventrilobotomy.txt


#######################################################################

                             Luigi Auriemma

Application:  Ventrilo
              http://www.ventrilo.com
Versions:     <= 3.0.2
Platforms:    Windows, Linux i386, Solaris SPARC, Solaris x86, FreeBSD
              i386, NetBSD i386, Mac OSX PowerPC
Bug:          NULL pointer
Exploitation: remote, versus server
Date:         13 Aug 2008
Authors:      Andre Malm        Luigi Auriemma
              web: sheepa.org   e-mail: aluigi@autistici.org
                                web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Ventrilo is one of the most knwon and used voice chat softwares for
gamers.


#######################################################################

======
2) Bug
======


Despite the vice of the Ventrilo developers of changing the protocol of
their application enough often (like the recent senseless additional
encryption keys located on their centralized servers needed for the
handshake and the in-game packets of the 3.x servers), the first packet
sent to a Ventrilo server has ever the same format on any new and old
version: type 0, version and two random strings.

If the server receives a version string different than its one it sends
an "Incompatible version" error message to the client and skips the
instructions that create the random keys used for the encryption and
decryption of all the subsequent packets.

So if an attacker supplies an invalid version and sends another packet
with any content in it, the server crashes due to the key assigned for
the decryption of the client's packets which is still unitialized (in
fact the NULL pointer exception happens just in the decryption
function).


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ventrilobotomy.zip


#######################################################################

======
4) Fix
======


No official fix.

I have written an universal work-around which works with any version
and platform (SPARC and Mac OSX excluded) of the dedicated server:

  http://aluigi.org/patches/ventrilobotomyfix.zip


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Top Authors In Last 30 Days

Red Hat 308 files
Ubuntu 67 files
Debian 24 files
Gentoo 8 files
Google Security Research 7 files
LiquidWorm 6 files
Apple 5 files
Jann Horn 3 files
Spencer McIntyre 3 files
Milad Karimi 3 files

File Archives

Systems

AIX (430)
Apple (2,133)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,177)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,160)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,495)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,025)
UNIX (9,482)
UnixWare (188)
Windows (6,786)
Other

ventrilobotomy.txt

ventrilobotomy.txt

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ventrilobotomy.txt

Share This

ventrilobotomy.txt

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems