SecurityFocus BUGTRAQ Mailing List: BugTraq

To: BugTraq
Subject: SpeakFreely for Win <= 7.6a spoofed DoS
Date: Sep 22 2003 6:03PM
Author: Luigi Auriemma
Message-ID: <20030922180324.3be44ffc.aluigi@altervista.org>

#######################################################################

                             Luigi Auriemma

Application:  SpeakFreely
              http://www.fourmilab.ch/speakfree/
              http://speak-freely.sourceforge.net
Versions:     <= 7.6a
Platforms:    Windows (Unix versions are NOT vulnerable)
Bug:          Remote crash caused by multiple spoofed connections
Risk:         Low
Author:       Luigi Auriemma
              e-mail: aluigi altervista org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

SpeakFreely is an interesting real-time voice chat application with
cryptographic support, developed by John Walker; the project will now
be continued on SourceForge by a group of programmers and fans.
The program is multiplatform and open source, and is also used as an
add-on for ICQ.

#######################################################################

======
2) Bug
======

The bug exists only in the Windows version of the program (at the
moment the project consists of 2 versions, one for Unix and another
for Windows).

In practice, the resources of SpeakFreely can easily be consumed using
spoofed source IP addresses (the connections happen over UDP).
On Win98SE I have seen that fewer than 200 spoofed packets crash the
program remotely (about 160 packets exactly).
In fact, after some packets the following message is shown on the
victim:

"Cannot create transmit socket for host (x.x.x.x), error 10055.
No buffer space is available"

And then it will crash.

SpeakFreely does not have a separate server and client; when it is
launched it is both client and server at the same time, so everyone who
uses the Windows version can be DoSed by an attacker who is able to
send spoofed packets.

The important thing for fully completing the attack is its speed;
however, only 2 bytes are needed for each packet, so I think this is
not a limit even on slow networks.

#######################################################################

===========
3) The Code
===========

Only for *nix:

http://aluigi.altervista.org/poc/sfdos.zip

#######################################################################

======
4) Fix
======

The project is stalled at the moment, so if it is continued the bug
will probably be patched in the new version.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org