lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <92302a090809130205w2c5d6c0dj9819e8fe4f01c54d@mail.gmail.com>
Date: Sat, 13 Sep 2008 17:05:26 +0800
From: "Li Gen" <superligen@...il.com>
To: bugtraq@...urityfocus.com
Subject: Baidu Hi IM software parsing plaintext stack overflow

Baidu Hi IM software parsing plaintext stack overflow

-- CVE ID:
Not assigned

-- Affected Vendors:
Baidu

-- Affected Products:
Baidu Hi IM software

-- Vulnerability Details:

Our automatic bug exploiting tools have found a buffer overflow bug in
Baidu Hi IM software which is a popular IM software in China.
This bug is due to Baidu Hi do not strictly check the deciphered
plaintext format in CSTransfer.dll.
Because of encryption mechanism of Baidu Hi, it is hard to generate
the proper malicious packet, but not say it's impossible. A proper
malicious packet can cause client system full controlled.

-- Vendor Response:
I contacted with Baidu a month ago, no any response from Baidu.

-- Credit:
This vulnerability was discovered by:
  Gen LI & Jun MA & Ying Zhang

More Detail :
(CSTransfer.dll)

                                          esi
      +---------------------+              |
      |                     |             \|/
      | Malicious input     |              _______________________________
      |                     ...........>  |  |  |  |  |  |   |   |       |
      +---------------------+             |R |  |4 |0 |  |\r |\n | ....  |
                                          |__|__|__|__|__|___|___|_______|
                                          /|\
                                           |
                                          ebp
      +---------------------+
      |                     |
      | Correct content     |
______________________________________________________
      |                     ...........> |  |   | |  |   |  |   |  |
|  |  |  |   |   |       |
      +---------------------+            | c| m | | 1| . |0 |   |R |
|4 |0 |  |\r |\n | ....  |
        loc_10007880:
|__|___|_|__|___|__|___|__|__|__|__|__|___|___|_______|
        mov     al, [esi-1]               /|\                   /|\
        dec     esi                        |                     |
        cmp     al, 20h                   ebp                   esi
        jnz     short loc_10007890
                 |
  +-------+      |---------------------.
  |       |      |                     |
  |      \|/    \|/                    |
  |     loc_10007888:                  |
  |     mov     al, [esi-1]            |
  |     dec     esi                    |
  |     cmp     al, 20h                |
  |     jz      short loc_10007888     |
  |           |  |                     |
  |-----------+  |    +----------------|
                 |    |
                \|/  \|/
        loc_10007890:
        push    20h
        esi edi
        push    ebp                     +---------------------+
         |   |
        inc     esi                     |                     |
        \|/ \|/
        call    ds:strchr               | Malicious input     |
____________ _______________________________
        mov     edi, eax    --------->  |                     ...>|
        |  |  |  |  |  |   |   |       |
                                        +---------------------+
|heap struct |R |  |4 |0 |  |\r |\n | ....  |
           ...........
|____________|__|__|__|__|__|___|___|_______|

        /|\
       loc_100078EA:
         |
       sub     esi, edi               ;esi will be a negative number
        ebp
       cmp     esi, 1Eh
       jg      loc_100079FD

       push    esi             ; size_t   ;esi will be a negative number
       lea     edx, [esp+44h+var_24]
       push    edi             ; char *
       push    edx             ; char *
       call    ds:strncpy                 ; cause buffer overflow

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ