
Speak Freely <=7.5 multiple remote and local vulnerabilities (theHackademy Audit)







--[ Summary ]--

Speak Freely is a free, open-source program for efficient and secure
(encrypted) voice communication over the Internet. It was written by
John Walker, and runs on Windows and Unix. Homepage:
http://www.fourmilab.ch/speakfree/

During a source code audit, the Hackademy staff found multiple serious
local and remote security holes in this software.


--[ Details ]--

* At least three exploitable stack buffer overflows were found. A single
UDP packet sent to either the data port (2074/udp) or the control port
(2075/udp) can crash the sfspeaker program in a way that allows running
arbitrary supplied code.

* Temporary files are used insecurely, making it possible for a
malicious local user to overwrite, with arbitrary data, any file owned
by the user running Speak Freely.

* Speak Freely has a network feature that sends back the same UDP packet
it received. Because the source IP of a UDP packet can be spoofed, there
is a potential for relaying malicious packets into a protected network
(NATed or firewalled) if a computer having access to this network is
running Speak Freely.

* There are also a few static buffer overflows, more difficult to exploit.
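
The advisory does not say how the temporary files were created. As an added example (not Speak Freely's code, and assuming the classic predictable-name pattern), this C program contrasts a weak open with O_EXCL and mkstemp() inside a constructed scratch directory. All function and path names are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* mkstemp, mkdtemp, symlink, O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Added example with hypothetical helper names; not Speak Freely code. */
/* Weak pattern: predictable name, open() follows whatever already sits there. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}
/* Hardened: O_EXCL fails if the name exists at all, symlinks included. */
static int open_tmp_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
static long size_of(const char *p) {
    struct stat st;
    return stat(p, &st) == 0 ? (long)st.st_size : -1L;
}

/* Constructed scenario inside a private scratch directory. Returns a bitmask:
 * 1 = O_EXCL open refused the planted link and the victim kept its 9 bytes
 * 2 = mkstemp() produced a fresh file and the victim kept its 9 bytes
 * 4 = the weak open followed the link and truncated the victim to 0 bytes */
int tmpfile_demo(void) {
    char dir[] = "/tmp/sfdemo.XXXXXX", victim[64], tname[64], tmpl[64];
    int fd, r = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tname, sizeof tname, "%s/app.tmp", dir);  /* predictable name */
    snprintf(tmpl, sizeof tmpl, "%s/app.XXXXXX", dir); /* mkstemp template */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "user data", 9) != 9) return -1;
    close(fd);
    if (symlink(victim, tname) != 0) return -1;        /* pre-planted link */
    if (open_tmp_excl(tname) < 0 && size_of(victim) == 9) r |= 1;
    fd = mkstemp(tmpl);
    if (fd >= 0 && size_of(victim) == 9) r |= 2;
    if (fd >= 0) close(fd);
    fd = open_tmp_unsafe(tname);
    if (fd >= 0 && size_of(victim) == 0) r |= 4;
    if (fd >= 0) close(fd);
    unlink(tmpl); unlink(tname); unlink(victim); rmdir(dir);
    return r;
}

int main(void) { printf("result mask: %d\n", tmpfile_demo()); return 0; }
```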


--> The text attached to this advisory is taken from the file 'log.doc'
in the tarball for Speak Freely 7.6-A2, which is immune to most of these
issues. We also added some technical comments. Read this text for more
details about the bugs we spotted and how they were addressed.


--[ Impact ]--

A remote attacker, as well as a malicious local user, can execute
arbitrary code on the system with the privileges of the user running
Speak Freely.
These are not theoretical issues: we wrote a functional PoC exploit for
the ADPCM buffer overflow on Linux.


--[ Vulnerable/Patched Versions ]--

Speak Freely 7.5 for Unix is vulnerable to all of these issues.
Speak Freely 7.1 for Windows and Unix (and previous releases) are
vulnerable to some of these issues.

Speak Freely 7.6 is patched against most of these issues, and can be
downloaded here:
http://www.fourmilab.ch/speakfree/


--[ Greetings ]--

We'd like to thank John Walker for his commitment to taking these issues
seriously and fixing them quickly.
Thanks to uzy for helping with the remote tests.


-- Fozzy

The Hackademy School, Journal & Audit
http://www.thehackademy.net/audit.php


