SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link 
Number Two Link Number Two  Link Number One Link Number One Link Number Two Link 
Number Two   
                          Entire Site Advisories Calendar Columnists Elsewhere 
                          Guest Feature Infocus Library Links Mailing Lists 
                          (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- 
                          FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- 
                          FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF 
                          NEWS -- VULN-DEV News Products Services Tools Vulns








             
             




                         BUGTRAQ ARCHIVE 

                        [ Message Index ] [ Thread Index ][ Reply ]
                        [ prev Msg by Date ][ next Msg by Date ]


                              To: BugTraq
                              Subject: SpeakFreely for Win <= 7.6a remote crash 
                              through malformed GIF
                              Date: Sep 22 2003 6:03PM
                              Author: Luigi Auriemma <aluigi altervista org>
                              Message-ID: 
                              <20030922180329.61565160.aluigi@altervista.org>


#######################################################################

                             Luigi Auriemma

Application: SpeakFreely
             http://www.fourmilab.ch/speakfree/
             http://speak-freely.sourceforge.net
Versions:    <= 7.6a
Platforms:   Windows (Unix versions are NOT vulnerable)
Bug:         Remote crash caused by malformed GIF image
Risk:        Low/Medium
Author:      Luigi Auriemma
             e-mail: aluigi altervista org
             web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


SpeakFreely is a very interesting real-time voice application with
cryptographic support developed by John Walker and now the project will
be continued on Sourceforge by a group of programmers and fans.
The program is multiplatform, opensource and is also used as add-on of
ICQ.



#######################################################################

======
2) Bug
======


SpeakFreely for Windows has a nice feature called "Show your face" that
lets users to send an image (bmp and gif) to the others and it is
enabled by default.

Unfortunally in the program there is a "forgotten check", so if the
function GlobalAlloc() fails there are no instruction to check its
return value.

The problem happens with GIF files that have a content (only the values
"Image width" and "Image height" in the header, not the real content)
too big or equal to zero and so they are unallocable in memory.
The crash will happen when the program will try to use the pointer
returned by the unchecked function.

The following are 2 examples:


A] 0000.gif

0000000: 4749 4638 3961 0000 0000 0000 002c 0000  GIF89a.......,..
0000010: 0000 0000 0000 00                        .......
              |    |
Crash:
:00416227 8A0439                  mov al, byte ptr [ecx+edi]
(ecx+edi is an unreacheable location)




B] ffff.gif

0000000: 4749 4638 3961 0000 0000 0000 002c 0000  GIF89a.......,..
0000010: 0000 ffff ffff 00                        .......
              |    |
Crash:
00415CF8 668910                  mov word ptr [eax], dx
(eax is 0)




#######################################################################


===========
3) The Code
===========


Step by step:

A] You must create a custom GIF file manually (with a hex editor) or
   you can also use my small tool ("gifbug file.gif" or "gifbug -iw 0
   -ih 0 file.gif"):

   http://aluigi.altervista.org/testz/gifbug.zip

B] Then you must select the malformed GIF from your SpeakFreely client
   (Options -> Show your face -> Browse)

C] You must connect to the victim (Connection -> New)

D] And then you need to talk or just to press the left mouse button on
   the dialog box appeared

E] The victim should be crashed



(NOTE: you can also wait an incoming connection and passively crashing
the client)



#######################################################################

======
4) Fix
======


Disable the option "Show faces of other users" from the menu
Options -> Show your face



#######################################################################



--- 
Luigi Auriemma
http://aluigi.altervista.org







                  Want to link to this message? Use this URL: 
                  <http://www.securityfocus.com/archive/1/338464>
                  Disclaimer, Terms & Conditions


                  About this List


                  Featured Lists:

                  ARIS Users
                  bugtraq
                  bugtraq-es
                  bugtraq-french NEW
                  bugtraq-jp
                  firewalls
                  focus-ids
                  focus-ih
                  focus-linux
                  focus-ms
                  focus-sun
                  focus-unix-other
                  focus-virus
                  forensics
                  forensics-es
                  honeypots
                  incidents
                  libnet
                  pen-test
                  secevents
                  secpapers
                  secprog
                  sectools
                  secureshell
                  security-basics
                  security-management NEW
                  securityjobs
                  vpn
                  vuln-dev
                  webappsec

                  Newsletters:

                  sf-news
                  ms-secnews
                  linux-secnews


                  [ more . . . ]




                        Privacy Statement
                        Copyright © 1999-2003 SecurityFocus