lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <d65cd43904103121581186eca@mail.gmail.com>
Date: Mon, 1 Nov 2004 13:58:36 +0800
From: "Sowhat ." <smaillist@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: XDICT Buffer OverRun Vulnerability,funny :-)


XDICT Buffer OverRun Vulnerability

by Sowhat
DATE:2004.10.26
CN:http://secway.org/Advisory/Ad20041026CN.txt
EN:http://secway.org/Advisory/Ad20041026EN.txt


VENDOR:

KingSOFT Inc.
www.kingsoft.com

AFFECTED: 

XDICT 2002
XDICT 2003
XDICT 2004
XDICT 2005


BACKGROUD:

XDICT is a very popular translation Software(CHINESE <==>ENGLISH) of
CHINA.It is very Useful and Powerful :-)
More information: www.kingsoft.com

DESCRIPTION:

When you open the function of "Screen Fecth"(Fetch the Word From
Screen),the XDICT will automatically trace your mouse activity and
return the Translation of the WORD(or SENTENCE) you are pointing to.
IF there is no corresponding translation founded ,then it will display
a message like "'JUSTFORTEST' was not founded" .

The XDICT will trace your mouse's activity and when you are pointing
to a WORD,the word will be copied to a Buffer,and then try to macth
its own Dictionary.

The problem is that they set a wrong Buffer here,and if you are
pointing to a string longer than 88 'A',the process xdict.exe will
encounter a Buffer Overrun,and the CPU usage will immediatly increase
to 100% . Bong ! the system will hang up. You must reboot it.

According to my friend's test,with WIN2K PRO+ XDICT 2005,the system
will not hang up.XDICT will firstly close the "Screen Fetch"
function,and quit itself when the string is longer.


Exploit:
open your notepad.exe ,type 88 'A' with no interruption
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

take the "Screen Fecth" ON,move your mouse ,when you are pointing to
this string ,the system will hangup.

A specially crafted string may let the attacker to execute arbitrary commands.


Solution:
ReConfigure the "Screen Fecth" Mode to use "CTRL+MOUSE".
Anyway,dont point to a very long string before the pacth is available

Vendor Respond:
2004.10.26 Vendor notice
2004.10.27 The vendor reply that this bug is submited to the TEST department
NO further reply

Credit:
Sowhat
http://secway.org
[ITS] Security Research Team

This is a little but phunny bug :-)
Thank to MiaoDeYu for his TEST,Thank to all the members of ITS

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ