Emule Remote Crash

  • Just read this on Bugtraq:



    ######################################################################


    Application: Emule (http://emule-project.net)
    Versions: 0.27b and previous versions
    Platform: Windows
    Bug: The program tries to read memory offset 0x00000000 if an
    attacker sends a chat message without a nickname
    Risk: Remote crash
    Author: Auriemma Luigi
    e-mail: aluigi@pivx.com
    web: http://www.pivx.com/luigi/



    ######################################################################



    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    5) Philosophy



    ######################################################################


    ===============
    1) Introduction
    ===============



    Emule is an excellent OpenSource file sharing program that uses the
    Edonkey p2p protocol; it is not a simple clone but more, and it is so
    widespread that it is also in the top ten of the Sourceforge
    downloads.
    It has a lot of functions and runs on Windows, but there is also a port
    (Lmule) that runs on Linux.



    ######################################################################


    ======
    2) Bug
    ======



    Very quickly, the Edonkey protocol is composed of a header, sent at
    the beginning of the connection to the client, that contains user
    information like nickname, hash string, client version, client port
    and many other info. I call this header "identification data".
    After sending this header a user can send a chat message to the
    remote host simply by sending message data (this data can also be
    attached directly to the identification data).


    The problem in Emule happens when the attacker who wants to send a
    message doesn't send his nickname.
    In the Edonkey header there is a "tag" (0x01000102) that is used to
    specify the user nickname, so an attacker only has to leave out this
    tag and the corresponding nickname.


    Emule 0.27b will crash at EIP 0x00444200, which is in the function that
    gets the nickname string previously stored in memory; if the
    attacker has not included the nickname in his previous identification
    data, this function will fail because it will try to read a memory
    address (0x00000000, because the address of the nickname string does
    not exist in memory) that cannot be reached by the application, and this
    is the cause of the crash.


    In fact, the program tries to execute the following operation:


    "mov cl, [eax]"


    but EAX is NULL, so it CANNOT read from a NULL memory position.




    ######################################################################


    ===========
    3) The Code
    ===========



    The tool to test the problem is the same as my Edonkey/Overnet DoS that I
    released some days ago.
    I have written this tool to exploit both the Edonkey and Emule bugs
    and it can be compiled on Win and Unix too:


    http://www.pivx.com/luigi/poc/eddos.zip



    (Use: eddos -n 2 hostname
    if the second connection times out or is refused, the remote
    host has crashed)




    If you don't wanna use my tool, simply connect to an Emule client at
    port 4662 (default port) and send the following bytes (remember to
    convert this C string into bytes 8-):


    "\xE3\x24\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\x00\x00\x00" \
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
    "\xE3\x03\x00\x00\x00\x4E\x00\x00"




    ######################################################################


    ======
    4) Fix
    ======



    Version 0.27c resolves the problem.




    ######################################################################


    =============
    5) Philosophy
    =============



    I'm really hopeful about the FULL-DISCLOSURE policy, because with it
    "everyone" can know the real effects of an attack and the real danger of
    a bug, someone can learn a bit of creative programming (I have learned
    a bit of interesting C from the source code of some published
    exploits), and it's useful for all the people who are hopeful about this
    type of disclosure.
    No secrets!



    ######################################################################


    ====================
    About PivX Solutions
    ====================



    PivX Solutions is a premier network security consultancy offering a
    myriad of network security services to our clients, the most notable
    being our proprietary StrikeFirst Security Assessments
    (http://www.pivx.com/sf.html).


    For more information go to http://www.PivX.com


    ######################################################################


    Any type of feedback is really welcome!


    Byez






    ---
    PivX Bug Researcher
    http://www.pivx.com/luigi/

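An added example, written for this post and not taken from the advisory or from eMule's code: a small Python parser that walks the two frames quoted in section 3 (HELLO, then OP_MESSAGE) and looks up the nickname tag from section 2 the two ways the advisory contrasts, once without a presence check (the 0.27b behaviour, which fails when the tag is missing) and once with a fallback. The HELLO field layout and the tag encoding (read little-endian, 0x01000102 is type 0x02, name length 1, name byte 0x01) are my assumptions about the eDonkey format, not something the advisory spells out.

```python
import struct

ED2K_PROTO, OP_HELLO, OP_MESSAGE = 0xE3, 0x01, 0x4E
TAGTYPE_STRING, CT_NAME = 0x02, b"\x01"   # 0x01000102 LE: type 2, name len 1, name 0x01
# The advisory's byte string: HELLO with tag count zero (no nickname), then an empty chat message.
NO_NICK_SESSION = (
    b"\xE3\x24\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\xE3\x03\x00\x00\x00\x4E\x00\x00"
)
def split_frames(data):
    """Split a stream into (opcode, body) pairs: proto byte, u32 LE length, opcode, body."""
    frames, pos = [], 0
    while pos < len(data):
        proto, length = struct.unpack_from("<BI", data, pos)
        if proto != ED2K_PROTO or length < 1 or pos + 5 + length > len(data):
            raise ValueError("malformed frame at offset %d" % pos)
        body = data[pos + 5:pos + 5 + length]
        frames.append((body[0], body[1:]))
        pos += 5 + length
    return frames

def parse_hello(body):
    """Assumed HELLO layout: hash size u8, hash, client id u32, port u16, tag count u32,
    then tags as type u8, name length u16, name, value (only string tags: u16 len + chars)."""
    pos = 1 + body[0]
    _client_id, port, ntags = struct.unpack_from("<IHI", body, pos)
    pos, tags = pos + 10, {}
    for _ in range(ntags):
        ttype, namelen = struct.unpack_from("<BH", body, pos)
        name, pos = body[pos + 3:pos + 3 + namelen], pos + 3 + namelen
        if ttype != TAGTYPE_STRING:
            raise ValueError("unsupported tag type 0x%02x" % ttype)
        (slen,) = struct.unpack_from("<H", body, pos)
        tags[name], pos = body[pos + 2:pos + 2 + slen].decode("latin-1"), pos + 2 + slen
    return {"port": port, "tags": tags}
def nickname_unchecked(hello):   # 0.27b pattern: no presence check, so a missing tag
    return hello["tags"][CT_NAME]  # raises here where the native code read through NULL
def nickname_checked(hello):     # hardened: an absent nickname tag gets a placeholder
    return hello["tags"].get(CT_NAME, "<no nickname>")
def chat_event(data, lookup):
    # Minimal session state machine: returns (nickname, text) for the first chat message.
    hello = None
    for opcode, body in split_frames(data):
        if opcode == OP_HELLO:
            hello = parse_hello(body)
        elif opcode == OP_MESSAGE and hello is not None:
            (mlen,) = struct.unpack_from("<H", body, 0)
            return lookup(hello), body[2:2 + mlen].decode("latin-1")
```

Running the advisory's bytes through `chat_event` with `nickname_unchecked` raises on the missing tag, while `nickname_checked` returns the placeholder and the empty message; a HELLO that does carry the tag yields the nickname with either lookup.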