Title: PicoPhone Internet Phone Remote Buffer Overflow Vulnerability
Severity: HIGH
Description:
Picophone is an internet phone application that supports chat. It is freely available for the Microsoft Windows platform.
It has been reported that Picophone is prone to a remote buffer overflow vulnerability. This issue is due to the application failing to verify the size of user input before storing it in a finite buffer.
This issue presents itself when the logging functionality is enabled (it is enabled by default) and an excessively large value is sent to the application; a string of 964 bytes is reported to be sufficient to trigger this condition. The application processes the incoming data prior to recording it in a log file. During this processing the data is copied to a finite buffer without sufficient bounds checking.
This issue may be leveraged by an attacker to modify process memory. Ultimately this may cause a denial of service condition in the process as a result of the memory manipulation. The attacker may further leverage this issue in order to execute arbitrary code; this code would be executed in the security context of the user running the affected process.
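The unchecked copy described above, next to a bounded version, as an added C example. It is not PicoPhone's code: the 512-byte buffer, the "[chat] " prefix and both function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 512   /* assumed size; the advisory does not give the real one */

/* Pattern the advisory describes: incoming data is copied into a fixed
 * buffer with no length check. Shown for contrast only; not called here. */
void format_log_unsafe(char *out /* LOG_BUF_SIZE bytes */, const char *msg)
{
    strcpy(out, "[chat] ");
    strcat(out, msg);          /* writes past 'out' once msg is too long */
}

/* Bounded version: the copy is limited by the destination size, the result is
 * always NUL-terminated, and non-printable bytes are replaced so one message
 * stays one log line.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on bad arguments. */
int format_log_safe(char *out, size_t out_size,
                    const unsigned char *msg, size_t msg_len)
{
    static const char prefix[] = "[chat] ";
    size_t plen = sizeof(prefix) - 1;

    if (out == NULL || msg == NULL || out_size <= plen + 1)
        return -1;

    size_t room = out_size - plen - 1;          /* space left for the message */
    size_t n = msg_len < room ? msg_len : room; /* never copy more than fits */

    memcpy(out, prefix, plen);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = msg[i];
        out[plen + i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[plen + n] = '\0';
    return msg_len > room ? 1 : 0;
}

int main(void)
{
    char line[LOG_BUF_SIZE];
    unsigned char big[964];                     /* constructed sample input */
    memset(big, 'A', sizeof big);
    int rc = format_log_safe(line, sizeof line, big, sizeof big);
    printf("rc=%d, logged %zu bytes\n", rc, strlen(line));
    return 0;
}
```

A caller can treat a return value of 1 as a signal to log the truncation or drop the message.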
Affected Products:
- Picophone Internet Telephone 1.63.0