in case someone is interested in the technical details that led me to have serious doubts about the genuineness of that "vulnerability" (I told part of them to JD, that's why he has finally admitted the fake), they are the following:
the video showed not only the sending of rcon commands but also the usage of other particular admin functions which work on other parts of the protocol (rcon and the creation of chans are 2 completely different things, look at ventrcon), so this meant that the bug wasn't an rcon injection vulnerability.
the option which created the channels (chan1;chan2; and so on) wasn't very realistic because it meant that the exploit needed to create the first channel, join it, create the second, join it and so on... too much work and useless.
and then "Kick All" means kicking everyone, while only the users in the original chans were kicked (or in any case they did not rejoin immediately).
having excluded the possibility of injecting rcon commands, there remained only a possible bypass performed in some way and an overflow in particular zones of the memory.
the overflow was also the reason claimed in the video, but among the various security vulnerabilities which have been found in history, the cases of overflows located just in particular zones of the memory, which allowed overwriting fields like an admin password to take a quick and simple advantage of them, have been so rare that I remember only one of them:
http://www.securenetwork.it/ricerca/advisory/download/SN-2007-02.txt
for those who don't know it, the ventrilo server allows the admin commands ONLY from the users who have the admin bit set in the UAR (user access rights, http://www.ventrilo.com/uar.php), which is a series of about 64 1s and 0s assigned to each user in its reserved memory (an array with all the info of the user) that tells what he can and can't do.
and the admin bit is just one of them.
this area of the memory is located after various string fields but:
- all these fields are correctly handled by ventrilo, which delimits them at their correct size or just doesn't store the strings if they are longer
- the last two fields, for example, are buffers designed to contain the number of bytes sent and received by the client when you (admin) use the clientstatus command on that user, so the last input string created by the user over which he has control is far enough from that zone (it should be the operating system string sent by the client)
only one function is used by ventrilo for activating the admin bit and some other bits, and it's used ONLY when the user logs in as admin using the same 32-byte hash of the admin password, so the function is called only if the hash is the same, and then the user will have full power.
so one function, called at only one point in the code.
I performed these and a lot of other tests (too many to list here, and I don't even remember them all) a couple of days ago, in which I did not find other problems, but they have been useful to learn something more and to exclude other possible vulnerabilities.
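
A small model of the layout and checks described in the post above, added here as an illustration; it is not Ventrilo code and does not come from the post's author. The struct layout, the field sizes other than the 32-byte hash, the bit position, the constant-time comparison and all function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define HASH_LEN  32             /* from the post: 32-byte admin password hash */
#define UAR_ADMIN (1ULL << 0)    /* assumed bit position, not Ventrilo's */

/* Hypothetical per-user record: string fields first, rights bits after. */
struct user_rec {
    char     name[32];
    char     os_string[64];      /* last client-controlled string */
    uint64_t bytes_sent;         /* server-maintained counters */
    uint64_t bytes_recv;
    uint64_t uar;                /* about 64 rights bits, one of them admin */
};

/* Store a client string only if it fits with its terminator; an over-long
 * string is not stored at all, so nothing past the field is ever written. */
int store_field(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (src_len >= dst_size)
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* The only place where the admin bit is set: the sent hash must match the
 * stored one. The comparison is constant-time (added here as an assumption). */
int login_admin(struct user_rec *u, const uint8_t *sent, const uint8_t *stored)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        diff |= sent[i] ^ stored[i];
    if (diff != 0)
        return -1;
    u->uar |= UAR_ADMIN;
    return 0;
}

int is_admin(const struct user_rec *u) { return (u->uar & UAR_ADMIN) != 0; }

int main(void)
{
    struct user_rec u = {0};
    char big[200];               /* constructed over-long client input */
    memset(big, 'A', sizeof big);
    int rc = store_field(u.os_string, sizeof u.os_string, big, sizeof big);
    return (rc == -1 && !is_admin(&u)) ? 0 : 1;
}
```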