Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 18:39

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 2 posts ] 
Author Message
 Post subject: Ventrilo Remote Rcon
PostPosted: 14 Sep 2009 01:11 

Joined: 08 Jun 2008 07:17
Posts: 92
Does not exist it is(was) a hoax.

Here is the video (It is some other users youtube account I have no control over it)

http://www.youtube.com/watch?v=8y7Oiy8sONA

discuss.


Last edited by JD on 14 Sep 2009 02:16, edited 1 time in total.

Top
 Profile  
 
 
 Post subject: Re: Ventrilo Remote Rcon
PostPosted: 14 Sep 2009 01:59 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
in case someone is interested to the technical details that helped me to have serious doubts about the genuinity of that "vulnerability" (and I told in part to JD, that's why he has finally admitted the fake) they are the following:

the video showed not only the sending of rcon commands but also the usage of other particular admin functions which work on other parts of the protocol (rcon and the creation of chans are 2 completely different things, watch ventrcon) so this meant that the bug wasn't a rcon injection vulnerability.

that option which created the channels (chan1;chan2;and so on) wasn't much realistic because meant that the exploit needed to create the first channel, join it, create the second, join it and so... too much work and useless.
and then "Kick All" means kicking anyone while only the users in the original chans were kicked (or in any case they have not rejoined immediately)

excluded the possibility of injecting rcon commands remained only a possible bypass performed in some ways and an overflow in particular zones of the memory.

the overflow was also the reason claimed in the video but in the various security vulnerabilities which have been found in the history the cases of overflows located just in particular zones of the memory which allowed to overwrite fields like an admin password to take a quick and simple advantage of them have been so rare that I remember only one of them: http://www.securenetwork.it/ricerca/advisory/download/SN-2007-02.txt

for who doesn't know it the ventrilo server allows the admin commands ONLY from the users who have the admin bit set in the UAR (user acces rights http://www.ventrilo.com/uar.php) which is a series of about 64 1s and 0s assigned to each user in its reserved memory (an array with all the info of the user) and tell what he can and can't do.
and the admin bit is just one of them.

this area of the memory is located after various string fields but:
- all these fields are correctly handled by ventrilo which delimits them at their correct size or just doesn't store the strings if they are longer
- the last two fields, for example, are some buffers designed to contain the number of bytes sent and received by the client when you (admin) use the clientstatus command on that user so the last input string created by the user on which he has control is enough far from that zone (it should be the operating system string sent by the client)

only a function is used by ventrilo for activating the admin bit and some other bits and it's used ONLY when the user logs as admin using the same 32bytes hash of the admin password and so only if the hash is the same it's called the function and the user will have full power.
so one function called only in one point of the code.

I have performed these and a lot of other tests (too much to list here that I even don't remember) a couple of days ago in which have not found other problems but have been useful to learn something more and to exclude other possible vulnerabilities.


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 2 posts ] 

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: