[Please upgrade if you use SpeakFreely on any platform -- Raju]
[Attachment removed -- Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------

Message-Id: <[EMAIL PROTECTED]>
From: Fozzy <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [Full-Disclosure] Speak Freely <=7.5 multiple remote and local vulnerabilities (the Hackademy Audit)
Date: Sat, 7 Jun 2003 04:46:36 +0200

--[ Summary ]--

Speak Freely is a free and open-sourced software used for efficient and
secure (encrypted) voice communication over the Internet. It was written by
John Walker, and runs on Windows and Unix.
Homepage : http://www.fourmilab.ch/speakfree/

During a source code audit, the Hackademy staff has found multiple serious
local and remote security holes in this software.

--[ Details ]--

* At least three exploitable stack buffer overflows were found. A single UDP
  packet sent to either the data port (2074/udp) or the control port
  (2075/udp) can crash the sfspeaker program in a way suitable for running
  arbitrary supplied code.

* Usage of temporary files is insecure, making it possible for a malicious
  local user to overwrite with arbitrary data any file owned by the user
  running Speak Freely.

* Speak Freely has a network feature allowing it to send back the same UDP
  packet it received. Because the source IP of a UDP packet can be spoofed,
  there is a potential for relaying malicious packets into a protected
  network (NATed or firewalled) if a computer having access to this network
  is running Speak Freely.

* There are also a few static buffer overflows, more difficult to exploit.

--> The text attached to this advisory is taken from the file 'log.doc' in
the tarball for Speak Freely 7.6-A2, which is immune to most of these
issues. We also added some technical comments. Read this text for more
details about the bugs we spotted and how they were addressed.

--[ Impact ]--

A remote attacker, as well as a malicious local user, can execute arbitrary
code on the system with the privileges of the user running Speak Freely.

These are not theoretical issues : we wrote a functional PoC exploit for the
ADPCM buffer overflow on Linux.

--[ Vulnerable/Patched Versions ]--

Speak Freely 7.5 for Unix is vulnerable to all of these issues.
Speak Freely 7.1 for Windows and Unix (and previous releases) are vulnerable
to some of these issues.
Speak Freely 7.6 is patched against most of these issues, and can be
downloaded here : http://www.fourmilab.ch/speakfree/

--[ Greetings ]--

We'd like to thank John Walker for his commitment in taking these issues
seriously and fixing them quickly.
Thanks to uzy for helping with the remote tests.

-- 
Fozzy

The Hackademy School, Journal & Audit
http://www.thehackademy.net/audit.php

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

------------------------------

End of this Digest
******************

-- 
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves

_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help
