Document Title: =============== Ventrilo v3.0.5 v3.0.4 - Stack Buffer Overflow Vulnerability Release Date: ============= 2011-07-22 Vulnerability Laboratory ID (VL-ID): ==================================== 98 Product & Service Introduction: =============================== Ventrilo 3.0.0 is the next evolutionary step of Voice over IP (VoIP) group communications software. Ventrilo is also the industry standard by which all others measure themselves as they attempt to imitate its features. By offering surround sound positioning and special sound effects on a per user, per channel, per server or global configuration level the program provides each user the option to fully customize exactly how they wish to hear sounds from other users or events. Ventrilo is best known for it s superior sound quality and minimal use of CPU resources so as not to interfere with day to day operations of the computer or during online game competitions. It is also preferred for the simple user interface that any first time computer user can very quickly learn because the most commonly used features are immediately visible and can be activated with a single click of the mouse. To see what the program looks like and a list of some of the many features the program offers please click on the About link in the navigation menu. The Ventrilo Client and Server programs are copyright 1999-2007 by Flagship Industries, Inc. Ventrilo is a Trademark of Flagship Industries, Inc. (Copy of the Vendor Homepage: http://www.ventrilo.com/) Abstract Advisory Information: ============================== Vulnerability Lab Team discovered a Stack Buffer-Overflow Vulnerability on Ventrilo Voice over IP Software. Vulnerability Disclosure Timeline: ================================== 2011-00-00: Vendor Notification 2011-00-00: Vendor Response/Feedback 2011-00-00: Vendor Fix/Patch 2011-00-00: Public or Non-Public Disclosure Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A stack buffer overflow is detected in the phonetics module on Ventrilo VoiP Clients. A potential attacker can crash the local running voip service with an overflow in the phonetic include function. --- Exception Logs --- Problemereignisame: BEX Anwendungsname: Ventrilo.exe Anwendungsversion: 3.0.5.0 Anwendungszeitstempel: 49efce51 Fehlermodulname: Ventrilo.exe Fehlermodulversion: 3.0.5.0 Fehlermodulzeitstempel: 49efce51 Ausnahmeoffset: 00410041 Ausnahmecode: c0000409 Ausnahmedaten: 00000000 Betriebsystemversion: 6.0.6002.2.2.0.768.3 Gebietsschema-ID: 1031 Zusatzinformation 1: ea0d Zusatzinformation 2: 9ab2e670078714c86d4dc436292205d9 Zusatzinformation 3: f7e9 Zusatzinformation 4: f3ac18af8def4e1b6d7368386159bb0c Reproduced: 7 Times Pictures: ../ventrilo1.png ../ventrilo2.png ../ventrilo3.png ../ventrilo4.png Proof of Concept (PoC): ======================= The vulnerabilities can be exploited by remote attackers. For demonstration or reproducement ... Local: Include a over-sized string in the phonetic function and click on play to hear the preview. The client crashes with a buffer overflow and can be used to escalate with the running process. Remote: Include the over-sized string in the phonetic & startup a server, click on a user profile and play the phonetic via remote connection. After execution, the client crashs with stack based buffer overflow. Solution - Fix & Patch: ======================= Set a specific restriction as maximum size for any included phonetic. Security Risk: ============== The security risk of the Buffer Overflow Vulnerability is estimated as high. Credits & Authors: ================== Vulnerability Research Laboratory Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2012 | Vulnerability Laboratory