[MLB-WIRELESS] [Fwd: [Full-Disclosure] Speak Freely <=7.5 multiple remote and local vulnerabilities (the Hackademy Audit)]

Andrew Griffiths andrewg at d2.net.au
Sun Jun 8 16:27:19 EST 2003


Some people here seem to run/like this piece of software, so I'm guessing 
this is interesting for them.


-------- Original Message --------
Subject: [Full-Disclosure] Speak Freely <=7.5 multiple remote and local 
vulnerabilities (the Hackademy Audit)
Date: Sat, 7 Jun 2003 04:46:36 +0200
From: Fozzy <fozzy at dmpfrance.com>
Organization: The Hackademy School & Journal
To: bugtraq at securityfocus.com, full-disclosure at lists.netsys.com


--[ Summary ]--

Speak Freely is a free and open-source software used for efficient and
secure (encrypted) voice communication over the Internet. It was written
by John Walker, and runs on Windows and Unix. Homepage:
http://www.fourmilab.ch/speakfree/

During a source code audit, the Hackademy staff has found multiple
serious local and remote security holes in this software.


--[ Details ]--

* At least three exploitable stack buffer overflows were found. A single
UDP packet sent to either the data port (2074/udp) or the control port
(2075/udp) can crash the sfspeaker program in a way suitable for running
arbitrary supplied code.

* Usage of temporary files is insecure, making it possible for a malicious
local user to overwrite with arbitrary data any file owned by the user
running Speak Freely.

* Speak Freely has a network feature allowing it to send back the same UDP
packet it received. Because the source IP of a UDP packet can be
spoofed, there is a potential for relaying malicious packets into a
protected network (NATed or firewalled) if a computer having access to
this network is running Speak Freely.

* There are also a few static buffer overflows, more difficult to exploit.


--> The text attached to this advisory is taken from the file 'log.doc'
in the tarball for Speak Freely 7.6-A2, which is immune to most of these
issues. We also added some technical comments. Read this text for more
details about the bugs we spotted and how they were addressed.


--[ Impact ]--

A remote attacker, as well as a malicious local user, can execute
arbitrary code on the system with the privileges of the user running
Speak Freely.
These are not theoretical issues: we wrote a functional PoC exploit for
the ADPCM buffer overflow on Linux.


--[ Vulnerable/Patched Versions ]--

Speak Freely 7.5 for Unix is vulnerable to all of these issues.
Speak Freely 7.1 for Windows and Unix (and previous releases) are
vulnerable to some of these issues.

Speak Freely 7.6 is patched against most of these issues, and can be
downloaded here:
http://www.fourmilab.ch/speakfree/


--[ Greetings ]--

We'd like to thank John Walker for his commitment in taking these issues
seriously and fixing them quickly.
Thanks to uzy for helping with the remote tests.


-- Fozzy

The Hackademy School, Journal & Audit
http://www.thehackademy.net/audit.php
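
An added example, not part of the forwarded advisory and not Speak Freely's own source: the bug class behind the stack overflows listed above is a length field read out of a UDP datagram and used as the size of a copy into a fixed buffer. The packet layout (type, flags, big-endian payload length, payload), the 512-byte buffer and the function names are assumptions made for this demonstration only; the checked parser shows the two bounds a receiver has to enforce before copying anything, and the unchecked one is kept beside it only for contrast.

```c
/* Added example, not code from Speak Freely: receiving a UDP datagram
 * whose header declares a payload length, with that length validated
 * before it is copied into a fixed-size buffer.  The packet layout is
 * HYPOTHETICAL and chosen for this demonstration only:
 *   byte 0    : frame type
 *   byte 1    : flags
 *   bytes 2-3 : payload length, big-endian
 *   bytes 4.. : payload
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   4
#define FRAME_MAX 512   /* capacity of the fixed decode buffer (assumed) */

struct frame {
    uint8_t  type;
    uint8_t  flags;
    uint16_t len;               /* bytes actually stored in data[] */
    uint8_t  data[FRAME_MAX];
};

enum parse_status {
    PARSE_OK        =  0,
    PARSE_SHORT     = -1,   /* datagram too small to hold the header */
    PARSE_TRUNCATED = -2,   /* header claims more payload than was received */
    PARSE_TOO_BIG   = -3    /* payload would not fit the decode buffer */
};

/* The shape of the bug class the advisory describes: the length field is
 * taken straight from the packet and used as the memcpy size with no
 * bound check, so an oversized value writes past data[] on the stack.
 * Shown for contrast only; nothing below calls it. */
int parse_frame_unchecked(const uint8_t *pkt, size_t pktlen, struct frame *out)
{
    if (pktlen < HDR_LEN)
        return PARSE_SHORT;
    out->type  = pkt[0];
    out->flags = pkt[1];
    out->len   = (uint16_t)((pkt[2] << 8) | pkt[3]);
    memcpy(out->data, pkt + HDR_LEN, out->len);   /* BUG: out->len is attacker-controlled */
    return PARSE_OK;
}

/* Hardened form: the declared length must fit both the bytes actually
 * received and the fixed buffer before a single byte is copied. */
int parse_frame_checked(const uint8_t *pkt, size_t pktlen, struct frame *out)
{
    if (pkt == NULL || out == NULL || pktlen < HDR_LEN)
        return PARSE_SHORT;
    uint16_t declared = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (declared > pktlen - HDR_LEN)     /* no underflow: pktlen >= HDR_LEN here */
        return PARSE_TRUNCATED;
    if (declared > FRAME_MAX)
        return PARSE_TOO_BIG;
    out->type  = pkt[0];
    out->flags = pkt[1];
    out->len   = declared;
    memcpy(out->data, pkt + HDR_LEN, declared);
    return PARSE_OK;
}

/* Runs the checked parser over constructed datagrams and reports the verdicts. */
int main(void)
{
    /* Constructed sample: header declaring 4 payload bytes, followed by "abcd". */
    const uint8_t good[]  = { 0x01, 0x00, 0x00, 0x04, 'a', 'b', 'c', 'd' };
    /* Constructed sample: the same 8-byte datagram, but the header claims 65535 bytes. */
    const uint8_t lying[] = { 0x01, 0x00, 0xFF, 0xFF, 'a', 'b', 'c', 'd' };
    struct frame f;

    printf("good datagram   -> %d\n", parse_frame_checked(good, sizeof good, &f));
    printf("lying length    -> %d\n", parse_frame_checked(lying, sizeof lying, &f));
    printf("3-byte datagram -> %d\n", parse_frame_checked(good, 3, &f));
    return 0;
}
```

The point of the two separate checks is that each guards a different failure: comparing against the datagram size stops the parser from reading beyond the bytes the kernel actually delivered, and comparing against the buffer size stops the write that the advisory's overflows rely on. Rejecting the datagram outright, rather than clamping the length, also makes the malformed traffic visible to whoever is watching the logs.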

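A second added example, again not part of the advisory or of Speak Freely's code, for the temporary-file item above: the local overwrite works because a fixed, predictable name under /tmp is opened for writing and the open follows a symlink another local user left there. The Unix pattern below uses mkstemp(3), which creates the file with O_CREAT|O_EXCL under an unpredictable name, and then works only through the descriptor; the "sfaudio" prefix and the function names are assumptions made for the demonstration.

```c
/* Added example, not code from Speak Freely: creating a temporary file in
 * a way that defeats the symlink overwrite the advisory describes.  The
 * name prefix "sfaudio" and the helper names are assumptions made here.
 *
 * The insecure pattern is a fixed path such as "/tmp/sfaudio.tmp" opened
 * with fopen(path, "w"): the open follows whatever symlink another local
 * user planted at that name, and the write lands on the link's target with
 * the privileges of the user running the program.  mkstemp(3) instead picks
 * an unpredictable name and opens it with O_CREAT|O_EXCL, which fails rather
 * than following a pre-existing path or symlink; all later access goes
 * through the descriptor, so no re-open by name can be redirected. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Creates a private temp file.  Returns the fd, or -1 with errno set.  The
 * chosen path is written into pathbuf so the caller can unlink it later. */
int open_private_tempfile(char *pathbuf, size_t cap)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int n = snprintf(pathbuf, cap, "%s/sfaudio.XXXXXX", dir);
    if (n < 0 || (size_t)n >= cap) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = mkstemp(pathbuf);          /* O_CREAT|O_EXCL, unpredictable suffix */
    if (fd < 0)
        return -1;
    /* Older mkstemp implementations honoured the umask; force owner-only access. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        int saved = errno;
        close(fd);
        unlink(pathbuf);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Verifies the properties a caller should require of the file behind fd:
 * a regular file, owned by the calling user, mode 0600, one hard link.
 * Returns 1 if all hold, 0 otherwise. */
int tempfile_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode)
        && st.st_uid == getuid()
        && (st.st_mode & 0777) == 0600
        && st.st_nlink == 1;
}

/* Closes and removes a file created by open_private_tempfile.  Returns 0 on success. */
int discard_tempfile(int fd, const char *path)
{
    int rc = close(fd);
    if (unlink(path) != 0)
        rc = -1;
    return rc;
}

int main(void)
{
    char path[4096];
    int fd = open_private_tempfile(path, sizeof path);
    if (fd < 0) {
        perror("open_private_tempfile");
        return 1;
    }
    printf("created %s, private=%d\n", path, tempfile_is_private(fd));
    return discard_tempfile(fd, path) == 0 ? 0 : 1;
}
```

The fstat-based check is what an auditor would look for after the create call: it confirms on the open descriptor, not on the path, that nothing was substituted between creation and use.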





