Ventrilo v3.0.5 v3.0.4 - Stack Buffer Overflow Vulnerability

Document Title:
===============
Ventrilo v3.0.5 v3.0.4 - Stack Buffer Overflow Vulnerability



Release Date:
=============
2011-07-22


Vulnerability Laboratory ID (VL-ID):
====================================
98


Product & Service Introduction:
===============================
Ventrilo 3.0.0 is the next evolutionary step of Voice over IP (VoIP) group communications software. 
Ventrilo is also the industry standard by which all others measure themselves as they attempt to imitate its features.
By offering surround sound positioning and special sound effects on a per user, per channel, per server or global 
configuration level the program provides each user the option to fully customize exactly how they wish to hear sounds 
from other users or events. Ventrilo is best known for it s superior sound quality and minimal use of CPU resources so 
as not to interfere with day to day operations of the computer or during online game competitions. It is also preferred 
for the simple user interface that any first time computer user can very quickly learn because the most commonly used 
features are immediately visible and can be activated with a single click of the mouse.

To see what the program looks like and a list of some of the many features the program offers please click on 
the About link in the navigation menu. The Ventrilo Client and Server programs are copyright 1999-2007 by Flagship Industries, Inc.
Ventrilo is a Trademark of Flagship Industries, Inc.

(Copy of the Vendor Homepage: http://www.ventrilo.com/)


Abstract Advisory Information:
==============================
Vulnerability Lab Team discovered a Stack Buffer-Overflow Vulnerability on Ventrilo Voice over IP Software.



Vulnerability Disclosure Timeline:
==================================
2011-00-00:	Vendor Notification
2011-00-00:	Vendor Response/Feedback
2011-00-00:	Vendor Fix/Patch
2011-00-00:	Public or Non-Public Disclosure



Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A stack  buffer overflow is detected in the phonetics module on Ventrilo VoiP Clients.  A potential attacker can  
crash the local running voip service with an overflow in the phonetic include function. 

--- Exception Logs ---

Problemereignisame:	BEX
Anwendungsname:		Ventrilo.exe
Anwendungsversion:	3.0.5.0
Anwendungszeitstempel:	49efce51
Fehlermodulname:	Ventrilo.exe
Fehlermodulversion:	3.0.5.0
Fehlermodulzeitstempel:	49efce51
Ausnahmeoffset:		00410041
Ausnahmecode:		c0000409
Ausnahmedaten:		00000000
Betriebsystemversion:	6.0.6002.2.2.0.768.3
Gebietsschema-ID:	1031
Zusatzinformation 1:	ea0d
Zusatzinformation 2:	9ab2e670078714c86d4dc436292205d9
Zusatzinformation 3:	f7e9
Zusatzinformation 4:	f3ac18af8def4e1b6d7368386159bb0c

Reproduced: 		7 Times


Pictures:
			../ventrilo1.png
			../ventrilo2.png
			../ventrilo3.png
			../ventrilo4.png



Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers. For demonstration or reproducement ...

Local: 
Include a over-sized string in the phonetic function and click on play to hear the preview. The client crashes with a buffer overflow 
and can be used to escalate with the running process.

Remote:
Include the over-sized string in the phonetic & startup a server, click on a user profile and play the phonetic via remote connection.
After execution, the client crashs with stack based buffer overflow.


Solution - Fix & Patch:
=======================
Set a specific restriction as maximum size for any included phonetic.


Security Risk:
==============
The security risk of the Buffer Overflow Vulnerability is estimated as high.


Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    [email protected] 	- [email protected] 	       - [email protected]
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory