#######################################################################

                             Luigi Auriemma

Application:  Ventrilo
              http://www.ventrilo.com
Versions:     <= 3.0.5
Platforms:    Windows and Mac OSX
Bug:          memset overflow
Exploitation: remote, versus client (in-game through attacker client)
Date:         08 Sep 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Ventrilo is a widely known and used VoIP software developed by Flagship
Industries. It is used above all for online gaming.

#######################################################################

======
2) Bug
======

The voice packets received by the Ventrilo server are simply forwarded to
all the other clients without many modifications. They are composed of a
32-bit field which specifies the amount of compressed voice data in the
packet, followed by another 32-bit field which reports the uncompressed
length.

When the client receives the voice packet (the one forwarded by the
server) it takes that second field, allocates that size less 1152 bytes
in memory and then performs a memset(new_buffer, 0, size - 8).

The result is that an attacker client can crash any other client (except
itself) inside a room simply by sending a voice packet (voice activation
or push-to-talk) with a too big "uncompressed data length" field.
The attacker needs access to the server and its rooms to exploit the
vulnerability.
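The defect described above is a length field that is trusted before it is checked: the allocation size and the memset length are both derived from an attacker-controlled 32-bit value, and nothing ties either of them to the bytes actually received. The following is an added example, not Ventrilo's code and not part of the advisory, showing how a receiver would validate the two header fields before allocating. The header layout (compressed length followed by uncompressed length, little-endian, at the start of the packet), the 64 KiB upper bound on a decoded frame and all function names are assumptions made for the example; the 1152 and 8 adjustments are the values the advisory reports.

```c
/* Added example (not Ventrilo's code): validate the two voice-packet
 * length fields before trusting them for allocation.
 * Assumed layout: [u32 compressed_len][u32 uncompressed_len][payload],
 * little-endian. Offsets, byte order and bounds are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Values reported by the advisory: the client subtracts 1152 from the
 * second field before allocating and then zeroes (size - 8) bytes. */
#define CLIENT_ALLOC_ADJUST   1152u
#define CLIENT_MEMSET_ADJUST  8u

/* Assumed sane upper bound for one decoded voice frame (not from the page). */
#define MAX_UNCOMPRESSED_LEN  65536u
#define VOICE_HDR_LEN         8u

typedef struct {
    uint32_t compressed_len;
    uint32_t uncompressed_len;
} voice_hdr_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the header. Returns 0 on success, -1 if the packet is too short. */
int parse_voice_hdr(const uint8_t *pkt, size_t pktlen, voice_hdr_t *out) {
    if (pkt == NULL || out == NULL || pktlen < VOICE_HDR_LEN) return -1;
    out->compressed_len   = rd32le(pkt);
    out->uncompressed_len = rd32le(pkt + 4);
    return 0;
}

/* The unchecked arithmetic the advisory describes: with a field of
 * 0xffffffff, (size - 8) is still ~4 GiB, far beyond any allocation.
 * Returned for illustration only; never used to size a buffer here. */
uint32_t unchecked_memset_len(uint32_t uncompressed_len) {
    return uncompressed_len - CLIENT_MEMSET_ADJUST;
}

/* Hardened check: the compressed length must fit inside the bytes actually
 * received, and the uncompressed length must be non-zero and below a fixed
 * bound. Returns 1 if acceptable, 0 otherwise. */
int voice_hdr_is_sane(const voice_hdr_t *h, size_t pktlen) {
    if (pktlen < VOICE_HDR_LEN) return 0;
    if (h->compressed_len == 0 || h->compressed_len > pktlen - VOICE_HDR_LEN) return 0;
    if (h->uncompressed_len == 0 || h->uncompressed_len > MAX_UNCOMPRESSED_LEN) return 0;
    /* Reject anything the original (size - 1152) arithmetic would underflow on. */
    if (h->uncompressed_len < CLIENT_ALLOC_ADJUST) return 0;
    return 1;
}

/* Allocate a zeroed decode buffer only after validation. Allocation size
 * and zeroed length come from the same validated value, so they cannot
 * disagree the way (size - 1152) and (size - 8) do. Returns NULL on rejection. */
uint8_t *alloc_decode_buffer(const voice_hdr_t *h, size_t pktlen, size_t *outlen) {
    if (!voice_hdr_is_sane(h, pktlen)) return NULL;
    size_t n = h->uncompressed_len;
    uint8_t *buf = calloc(n, 1);   /* zeroes exactly n bytes */
    if (buf != NULL && outlen != NULL) *outlen = n;
    return buf;
}

int main(void) {
    /* Constructed sample: compressed_len = 8, uncompressed_len = 0xffffffff. */
    const uint8_t oversized[16] = {8, 0, 0, 0, 0xff, 0xff, 0xff, 0xff,
                                   1, 2, 3, 4, 5, 6, 7, 8};
    voice_hdr_t h;
    if (parse_voice_hdr(oversized, sizeof oversized, &h) == 0) {
        printf("uncompressed_len=0x%08x unchecked memset would be %u bytes, sane=%d\n",
               h.uncompressed_len, unchecked_memset_len(h.uncompressed_len),
               voice_hdr_is_sane(&h, sizeof oversized));
    }
    return 0;
}
```

The check is deliberately conservative: a real receiver would know the codec's maximum frame size and could tighten the bound further, but the property that matters is that every size passed to an allocator or to memset is derived from one value that has already been compared against the packet actually on the wire.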
#######################################################################

===========
3) The Code
===========

The following is a patch to apply on a normal 3.0.5 client which converts
it into a proof-of-concept that automatically places 0xffffffff in that
field of any outgoing voice packet:

  http://aluigi.org/mytoolz/lpatch.zip
  http://aluigi.org/poc/ventrilomemset.lpatch

#######################################################################

======
4) Fix
======

No fix.

#######################################################################