Message-ID: <20030321115352.5c73ed4d.aluigi@pivx.com>
Date: Fri, 21 Mar 2003 11:53:52 +0000
From: Auriemma Luigi <aluigi@...x.com>
To: bugtraq@...urityfocus.com
Subject: Edonkey and Overnet resources consumption



######################################################################

Applications: Edonkey2000 (http://www.edonkey2000.com)
              Overnet     (http://www.overnet.com)
Versions:     0.45 and previous versions (only the GUI program)
Platforms:    Windows only
Bug:          The programs spawn a new dialog for each chat message
              that arrives, and each dialog takes system resources
Risk:         Resources consumption through multiple message dialogs
Author:       Auriemma Luigi
              e-mail: aluigi@...x.com
              web:    http://www.pivx.com/luigi/


######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy


######################################################################

===============
1) Introduction
===============


Edonkey2000 and Overnet are the same peer-to-peer application, and
both are shareware.
These p2p programs use a protocol created by their own programmers,
called the Edonkey protocol, and many people use them and their
clones (like Emule, MlDonkey and others) to share files.

The bug I want to show is just a classic p2p problem that happens
when an attacker wants to abuse the chat function of this type of
program to cause resource consumption on the remote machine.

 

######################################################################

======
2) Bug
======


The bug is really simple.
A lot of p2p programs (probably all) let people chat together and
not only share their files.
In Edonkey (and naturally Overnet) every user can send a message to
another user simply by connecting to him and, after the
identification data, sending the message data:

u_char      Edonkey header = 0xe3
u_long      message size
u_char      type of data   = 0x4e for messages
u_short     message length
u_char      *message

Now, when Edonkey receives this message it searches the message
dialogs currently open to see whether the user has already sent a
message previously.
The lookup of the user's window is not made by comparing the nickname:
the program uses the hash string that each user must send at the
beginning of each connection to identify himself.

As everyone knows, each message dialog takes some resources of the
Windows system (memory first, and CPU after a lot of dialogs), so
spawning a lot of these message dialogs is the same thing as opening
a lot of Explorer windows, for example.

Well, now the bug is clear. A user that makes a lot of sequential
connections to the same Edonkey client and sends a different hash
string with each message will open a lot of message dialogs on the
remote Edonkey host, and can continue until no resources are left to
allocate new message dialogs.

Resource consumption is not a DoS to underrate, because after some
number of message dialogs have been opened it becomes impossible to
open programs or new windows, and you can imagine what this means if
you are running a game or a specific application that needs CPU and
memory. If you are in front of the monitor you can just use the
CTRL-ALT-DEL keys to kill the Edonkey application, but if you are not
using your computer you will have a bad surprise 8-)

My Pentium II at 448 MHz with about 500 MB of RAM is unusable after
about 500 message dialogs (it has so few resources left that it is
impossible to execute any program).
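The receiving side of the message layout and the hash-keyed dialog lookup described above, with the cap on open dialogs that the 0.46 fix introduces, as an added example that is not code from this advisory or from the Edonkey client. The little-endian integer encoding, the meaning of the size field (bytes following it) and the cap value of 20 are assumptions.

```python
import struct

EDONKEY_HEADER = 0xE3   # protocol marker byte given in the advisory
OP_MESSAGE = 0x4E       # "type of data" value for chat messages, per the advisory

def parse_chat_message(packet: bytes) -> str:
    """Decode one chat packet laid out as the advisory shows: u_char 0xe3,
    u_long size, u_char 0x4e, u_short length, message bytes. Assumed (not
    on the page): little-endian integers, and `size` counts every byte
    after itself. Raises ValueError instead of trusting inconsistent fields."""
    if len(packet) < 8:
        raise ValueError("packet too short for an Edonkey chat header")
    header, size, opcode, msg_len = struct.unpack_from("<BIBH", packet, 0)
    if header != EDONKEY_HEADER:
        raise ValueError("bad Edonkey header byte 0x%02x" % header)
    if opcode != OP_MESSAGE:
        raise ValueError("not a chat message (opcode 0x%02x)" % opcode)
    if size != 3 + msg_len or len(packet) != 5 + size:
        raise ValueError("length fields do not match the packet size")
    return packet[8:8 + msg_len].decode("latin-1")

def build_chat_message(text: str) -> bytes:
    """Constructed sample packet in the same layout, for local testing only."""
    body = text.encode("latin-1")
    return struct.pack("<BIBH", EDONKEY_HEADER, 3 + len(body),
                       OP_MESSAGE, len(body)) + body

class ChatDialogs:
    """Message windows keyed by the sender's hash string, as the advisory
    describes, plus the cap on open dialogs that the 0.46 fix introduces.
    The default cap of 20 is an assumed value, not the product's own."""

    def __init__(self, max_dialogs: int = 20):
        self.max_dialogs = max_dialogs
        self.dialogs = {}    # peer hash -> messages shown in that window
        self.refused = 0     # messages dropped because the cap was reached

    def deliver(self, peer_hash: bytes, packet: bytes) -> bool:
        """Show a message in its sender's window; no new window past the cap."""
        text = parse_chat_message(packet)
        window = self.dialogs.get(peer_hash)
        if window is None:
            if len(self.dialogs) >= self.max_dialogs:
                self.refused += 1
                return False
            window = self.dialogs[peer_hash] = []
        window.append(text)
        return True
```

Counting `refused` per peer is also a cheap detection signal: a burst of new hash strings from one address is exactly the pattern the advisory describes.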




######################################################################

===========
3) The Code
===========


I have released a simple proof-of-concept for Windows and *nix that
can send an infinite or a custom number of messages to the victim:

http://www.pivx.com/luigi/poc/eddos.zip




######################################################################

======
4) Fix
======


Version 0.46 of Edonkey and Overnet solves the problem by limiting
the number of message dialogs they can spawn.



######################################################################

=============
5) Philosophy
=============


I'm really hopeful about the FULL-DISCLOSURE policy, because with it
"everyone" can know the real effects of an attack, the real danger of
a bug, someone can learn a bit of creative programming (I have learned
a bit of interesting C from the source code of some published
exploits) and it's useful for all the people that are hopeful in this
type of disclosure.
No secrets!


######################################################################

====================
About PivX Solutions
====================


PivX Solutions is a premier network security consultancy offering a
myriad of network security services to our clients, the most notable
being our proprietary StrikeFirst Security Assessments
(http://www.pivx.com/sf.html).

For more information go to http://www.PivX.com

######################################################################
 

Any type of feedback is really welcome!

Byez




--- 
PivX Bug Researcher
http://www.pivx.com/luigi/



