Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 234819 (CVE-2008-3680)

Summary: <media-sound/ventrilo-server-bin-3.0.3 decryption NULL reference (CVE-2008-3680)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: sound
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://aluigi.altervista.org/adv/ventrilobotomy-adv.txt
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 13:54:25 UTC 
CVE-2008-3680 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3680):
  The decryption function in Flagship Industries Ventrilo 3.0.2 and earlier
  allows remote attackers to cause a denial of service (NULL pointer
  dereference and server crash) by sending a type 0 packet with an invalid
  version followed by another packet to TCP port 3784.
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2009-03-02 00:30:10 UTC 
Version 3.0.3 is in the tree, is this still an issue?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-05 17:21:40 UTC 
Ventrilo Server - Public - Version 2.3.1
(c)Copyright 1999-2005 Flagship Industries, Inc.

Version           = 2.3.1
Name              = Server 1
Phonetic          = Server 1
Auth              = 0
Duplicates        = 1
MaxClients        = 8
SendBuffer        = 131072
RecvBuffer        = 131072
LogonTimeout      = 5
CloseStd          = 1
TimeStamp         = 0
PingRate          = 10
ExtraBuffer       = 131072
ChanWidth         = 0
ChanDepth         = 8
ChanClients       = 0
DisableQuit       = 1
VoiceCodec        = 0 (GSM 6.10)
VoiceFormat       = 1 (11 KHz, 16 bit) - Bytes/Sec 2210
SilentLobby       = 0
AutoKick          = 0

Accepting connections on these interface(s).
  1: 0.0.0.0

Accepting UDP Status/Control messages on these interface(s).
  1: 0.0.0.0

READY:
MSG_CONN: ID 1, IP 127.0.0.1, Accepted. (50820,262142) (87680,262142)
Incompatible version. Server is running version 2.3.1
zsh: segmentation fault  ./ventrilo_srv


$ ./ventrilobotomy localhost

Ventrilo <= 3.0.2 NULL pointer 0.1
by Luigi Auriemma and Andre Malm
e-mail: aluigi@autistici.org
web:    aluigi.org

- target:   127.0.0.1 : 3784
- connect
- send a wrong version packet
- send some data for forcing the decryption function
- wait some seconds
- test server:

  Server IS vulnerable!!!

========================================================================

Ventrilo Server - Public - Version 3.0.2
(c)Copyright 1999-2007 Flagship Industries, Inc.

Version           = 3.0.2
Name              = Server 1
Phonetic          = Server 1
Auth              = 0
Duplicates        = 1
SendBuffer        = 131072
RecvBuffer        = 131072
LogonTimeout      = 5
CloseStd          = 1
TimeStamp         = 0
PingRate          = 10
ExtraBuffer       = 131072
ChanWidth         = 0
ChanDepth         = 8
ChanClients       = 0
DisableQuit       = 0
VoiceCodec        = 0 (GSM 6.10)
VoiceFormat       = 1 (11 KHz, 16 bit) - Bytes/Sec 2210
SilentLobby       = 0
AutoKick          = 0
MaxClients        = 8


READY:
MSG_CONN: ID 1, IP 127.0.0.1, Accepted. (50820,262142) (87680,262142)
Incompatible version. Server is running version 3.0.2
SIGNAL: SEGV.

$ ./ventrilobotomy localhost

Ventrilo <= 3.0.2 NULL pointer 0.1
by Luigi Auriemma and Andre Malm
e-mail: aluigi@autistici.org
web:    aluigi.org

- target:   127.0.0.1 : 3784
- connect
- send a wrong version packet
- send some data for forcing the decryption function
- wait some seconds
- test server:

  Server IS vulnerable!!!

========================================================================

Ventrilo Server - Public - Version 3.0.3
(c)Copyright 1999-2008 Flagship Industries, Inc.

Version           = 3.0.3
Name              = Server 1
Phonetic          = Server 1
Auth              = 0
Duplicates        = 1
SendBuffer        = 131072
RecvBuffer        = 131072
LogonTimeout      = 5
CloseStd          = 1
TimeStamp         = 0
PingRate          = 10
ExtraBuffer       = 131072
ChanWidth         = 0
ChanDepth         = 8
ChanClients       = 0
DisableQuit       = 0
VoiceCodec        = 0 (GSM 6.10)
VoiceFormat       = 1 (11 KHz, 16 bit) - Bytes/Sec 2210
SilentLobby       = 0
AutoKick          = 0
MaxClients        = 8


READY:
MSG_CONN: ID 1, IP 127.0.0.1, Accepted. (50820,262142) (87680,262142)
Incompatible version. Server is running version 3.0.3
MSG_ABORT: ID 1, 127.0.0.1 aborted.
MSG_CONN: ID 2, IP 127.0.0.1, Accepted. (50820,262142) (87680,262142)
MSG_ABORT: ID 2, 127.0.0.1 aborted.


$ ./ventrilobotomy localhost

Ventrilo <= 3.0.2 NULL pointer 0.1
by Luigi Auriemma and Andre Malm
e-mail: aluigi@autistici.org
web:    aluigi.org

- target:   127.0.0.1 : 3784
- connect
- send a wrong version packet
- send some data for forcing the decryption function
- wait some seconds
- test server:

  Server doesn't seem vulnerable
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-03-05 17:23:27 UTC 
Since 2.3.1 does not install anyway (missing distfile and fetch restrictions), and 3.0.3 seems to fix the issue, is 3.0.3 ok for stabling?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 16:40:27 UTC 
Arches, please test and mark stable:
=media-sound/ventrilo-server-bin-3.0.3
Target keywords : "amd64 x86"
Comment 5 Markus Meier gentoo-dev 2009-03-08 14:38:58 UTC 
amd64/x86 stable, all arches done.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-03-09 14:08:13 UTC 
It's an easy DoS on a server application, so YES.
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-14 12:02:45 UTC 
yes too, request filed.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-14 20:36:46 UTC 
GLSA 200904-13