[NEWS] Speak Freely Multiple Remote and Local Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 11 Jun 2003 20:23:06 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Latest attack techniques.
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
Learn more at http://www.coresecurity.com/promos/sit_e1,
or call 617-399-6980
- - - - - - - - -
Speak Freely Multiple Remote and Local Vulnerabilities
<http://www.fourmilab.ch/speakfree/> Speak Freely is a free and
open-sourced software used for efficient and secure (encrypted) voice
communication over the Internet. It was written by John Walker, and runs
on Windows and UNIX.
During a source code audit, the Hackademy staff has found multiple serious
local and remote security holes in this software.
* Speak Freely version 7.5 for UNIX
* Speak Freely version 7.1 for Windows and UNIX
* Speak Freely version 7.6
* At least three exploitable stack buffer overflows were found. A single
UDP packet sent to either the data port(2074/udp) or the control port
(2075/udp) can crash the sfspeaker program in a way suitable for running
arbitrary supplied code.
* Usage of temporary files is insecure, making possible for a malicious
local user to overwrite with arbitrary data any file owned by the user
running Speak Freely.
* Speak Freely has a network feature allowing to send back the same UDP
packet he received. Because the source IP of an UDP packet can be spoofed,
there is a potential for relaying malicious packets into a protected
network (NATed or firewalled) if a computer having access to this network
is running Speak Freely.
* There are also a few static buffer overflows, more difficult to
A remote attacker, as well as a malicious local user, can execute
arbitrary code on the system with the privileges of the user running Speak
The information has been provided by <mailto:email@example.com> Fozzy.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.