This should probably be added to the CD.
----- Original Message -----
From: "Luigi Auriemma" <aluigi@altervista.org>
To: <bugtraq@securityfocus.com>
Cc: <vulnwatch@vulnwatch.org>; <list@dshield.org>; <list@securiteam.com>
Sent: Monday, September 22, 2003 11:03 AM
Subject: SpeakFreely for Win <= 7.6a remote crash through malformed GIF
> #######################################################################
>
> Luigi Auriemma
>
> Application: SpeakFreely
> http://www.fourmilab.ch/speakfree/
> http://speak-freely.sourceforge.net
> Versions: <= 7.6a
> Platforms: Windows (Unix versions are NOT vulnerable)
> Bug: Remote crash caused by malformed GIF image
> Risk: Low/Medium
> Author: Luigi Auriemma
> e-mail: aluigi@altervista.org
> web: http://aluigi.altervista.org
>
>
> #######################################################################
>
>
> 1) Introduction
> 2) Bug
> 3) The Code
> 4) Fix
>
>
> #######################################################################
>
> ===============
> 1) Introduction
> ===============
>
>
> SpeakFreely is a very interesting real-time voice application with
> cryptographic support developed by John Walker and now the project will
> be continued on Sourceforge by a group of programmers and fans.
> The program is multiplatform, opensource and is also used as add-on of
> ICQ.
>
>
>
> #######################################################################
>
> ======
> 2) Bug
> ======
>
>
> SpeakFreely for Windows has a nice feature called "Show your face" that
> lets users to send an image (bmp and gif) to the others and it is
> enabled by default.
>
> Unfortunally in the program there is a "forgotten check", so if the
> function GlobalAlloc() fails there are no instruction to check its
> return value.
>
> The problem happens with GIF files that have a content (only the values
> "Image width" and "Image height" in the header, not the real content)
> too big or equal to zero and so they are unallocable in memory.
> The crash will happen when the program will try to use the pointer
> returned by the unchecked function.
>
> The following are 2 examples:
>
>
> A] 0000.gif
>
> 0000000: 4749 4638 3961 0000 0000 0000 002c 0000 GIF89a.......,..
> 0000010: 0000 0000 0000 00 .......
> | |
> Crash:
> :00416227 8A0439 mov al, byte ptr [ecx+edi]
> (ecx+edi is an unreacheable location)
>
>
>
>
> B] ffff.gif
>
> 0000000: 4749 4638 3961 0000 0000 0000 002c 0000 GIF89a.......,..
> 0000010: 0000 ffff ffff 00 .......
> | |
> Crash:
> 00415CF8 668910 mov word ptr [eax], dx
> (eax is 0)
>
>
>
>
> #######################################################################
>
>
> ===========
> 3) The Code
> ===========
>
>
> Step by step:
>
> A] You must create a custom GIF file manually (with a hex editor) or
> you can also use my small tool ("gifbug file.gif" or "gifbug -iw 0
> -ih 0 file.gif"):
>
> http://aluigi.altervista.org/testz/gifbug.zip
>
> B] Then you must select the malformed GIF from your SpeakFreely client
> (Options -> Show your face -> Browse)
>
> C] You must connect to the victim (Connection -> New)
>
> D] And then you need to talk or just to press the left mouse button on
> the dialog box appeared
>
> E] The victim should be crashed
>
>
>
> (NOTE: you can also wait an incoming connection and passively crashing
> the client)
>
>
>
> #######################################################################
>
> ======
> 4) Fix
> ======
>
>
> Disable the option "Show faces of other users" from the menu
> Options -> Show your face
>
>
>
> #######################################################################
>
>
>
> ---
> Luigi Auriemma
> http://aluigi.altervista.org
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986- AOH
