[NEWS] Speak Freely Multiple Remote and Local Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 06/11/03
To: list@securiteam.com
Date: 11 Jun 2003 20:23:06 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Speak Freely Multiple Remote and Local Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Speak Freely <http://www.fourmilab.ch/speakfree/> is free, open-source
software for efficient and secure (encrypted) voice communication over
the Internet. It was written by John Walker, and runs on Windows and UNIX.
During a source code audit, the Hackademy staff has found multiple serious
local and remote security holes in this software.
DETAILS
Vulnerable systems:
* Speak Freely version 7.5 for UNIX
* Speak Freely version 7.1 for Windows and UNIX
Immune systems:
* Speak Freely version 7.6

* At least three exploitable stack buffer overflows were found. A single
UDP packet sent to either the data port (2074/udp) or the control port
(2075/udp) can crash the sfspeaker program in a way suitable for running
arbitrary supplied code.
* Temporary files are used insecurely, making it possible for a malicious
local user to overwrite, with arbitrary data, any file owned by the user
running Speak Freely.
* Speak Freely has a network feature that sends back the same UDP packet
it received. Because the source IP of a UDP packet can be spoofed,
there is a potential for relaying malicious packets into a protected
network (NATed or firewalled) if a computer having access to this network
is running Speak Freely.
* There are also a few static buffer overflows, which are more difficult
to exploit.
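The advisory does not show the affected code. The following is an added illustration of the temporary-file bug class it describes, with the weak open beside the hardened one; it is not code from Speak Freely or from the Hackademy audit. The function names and the /tmp/tmpdemoXXXXXX directory are made up for the example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: a predictable name opened without O_EXCL follows a symlink planted
 * by another local user and truncates whatever file it points to. */
static int open_scratch_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL fails (EEXIST) if anything, symlink included,
 * already exists at path. mkstemp() adds an unpredictable name on top. */
static int open_scratch_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario inside a private mkdtemp() directory: "victim" stands
 * for a file owned by the user, "scratch" is the predictable temp name that
 * already exists as a symlink to it. Returns victim's size afterwards. */
static long victim_size_after(int (*opener)(const char *)) {
    char dir[] = "/tmp/tmpdemoXXXXXX", victim[64], scratch[64];
    struct stat st;
    FILE *f;
    int fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(scratch, sizeof scratch, "%s/scratch", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("important data\n", f);              /* 15 bytes */
    fclose(f);
    if (symlink(victim, scratch) != 0) return -1;
    fd = opener(scratch);
    if (fd >= 0) {
        if (write(fd, "x", 1) != 1) perror("write");
        close(fd);
    }
    if (stat(victim, &st) != 0) st.st_size = -1;
    unlink(scratch); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}

int main(void) {
    printf("weak open:   victim is %ld bytes\n", victim_size_after(open_scratch_weak));
    printf("O_EXCL open: victim is %ld bytes\n", victim_size_after(open_scratch_excl));
    return 0;
}
```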
Impact:
A remote attacker, as well as a malicious local user, can execute
arbitrary code on the system with the privileges of the user running Speak
Freely.
Patch:
Speak Freely 7.6 is patched against most of these issues, and can be
downloaded here: <http://www.fourmilab.ch/speakfree/>
ADDITIONAL INFORMATION
The information has been provided by Fozzy <mailto:fozzy@dmpfrance.com>.