| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 14 Sep 2008 18:59:58 +0800 From: "Li Gen" <superligen@...il.com> To: bugtraq@...urityfocus.com Subject: Baidu Hi IM client software DoS bug, div zero make client crash Baidu Hi IM client software DoS bug, div zero make client crash -- CVE ID: Not assigned -- Affected Vendors: Baidu -- Affected Products: Baidu Hi IM software -- Vulnerability Details: Our automatic bug exploiting tools have found a DoS bug in Baidu Hi IM client which is a popular IM software in China. This bug is due to Baidu Hi client do not strictly check the login response packet's content from server in NetSevice.dll, malicious input can cause client crash by div zero exception . -- Vendor Response: I contacted with Baidu a month ago, no any response from Baidu. -- Credit: This vulnerability was discovered by: Gen LI & Jun MA & Ying Zhang More Detail : (NetService.dll) .text:1001FDB4 mov eax, [ebp+arg_C] .text:1001FDB7 sar esi, 3 .text:1001FDBA cdq .text:1001FDBB idiv esi ; cause div zero exception, and make client crash let login response packet is an array : a[] esi is from : tmp1= a[0x29] + (a[0x2a]<<8) + (a[0x2b]<<0x10) + (a[0x2c]<<0x18) ; when eip=0x100202ca tmp2= a[0x2d] + (a[0x2e]<<8) + (a[0x2f]<<0x10) + (a[0x30]<<0x18) ; when eip=0x100202ca tmp3= a[0x2b]+(a[0x2c]<<8) + (a[0x2d]<<0x10) + (a[0x2e]<<0x18) ; when eip=0x1001ef2f tmp4 = (tmp3<0) ? 0xffffffff:0 ; when eip= 0x1001fdac tmp5 = tmp4 & 0x7; when eip = 0x1001fdad tmp6 = tmp3+tmp5; when eip = 0x1001fdb0 esi = tmp6>>3; when eip = 0x1001fdb7 if malicious input is proper, client will crash.
Powered by blists - more mailing lists