[Full-Disclosure] XDICT Buffer OverRun Vulnerability,funny :-)

From: Sowhat . (smaillist_at_gmail.com)
Date: 11/01/04

  • Next message: Hugo van der Kooij: "Re: [SPAM] [Full-Disclosure] Spam sent via spambots?"
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    Date: Mon, 1 Nov 2004 13:58:36 +0800
    
    

    XDICT Buffer OverRun Vulnerability

    by Sowhat
    DATE:2004.10.26
    CN:http://secway.org/Advisory/Ad20041026CN.txt
    EN:http://secway.org/Advisory/Ad20041026EN.txt

    VENDOR:

    KingSOFT Inc.
    www.kingsoft.com

    AFFECTED:

    XDICT 2002
    XDICT 2003
    XDICT 2004
    XDICT 2005

    BACKGROUD:

    XDICT is a very popular translation Software(CHINESE <==>ENGLISH) of
    CHINA.It is very Useful and Powerful :-)
    More information: www.kingsoft.com

    DESCRIPTION:

    When you open the function of "Screen Fecth"(Fetch the Word From
    Screen),the XDICT will automatically trace your mouse activity and
    return the Translation of the WORD(or SENTENCE) you are pointing to.
    IF there is no corresponding translation founded ,then it will display
    a message like "'JUSTFORTEST' was not founded" .

    The XDICT will trace your mouse's activity and when you are pointing
    to a WORD,the word will be copied to a Buffer,and then try to macth
    its own Dictionary.

    The problem is that they set a wrong Buffer here,and if you are
    pointing to a string longer than 88 'A',the process xdict.exe will
    encounter a Buffer Overrun,and the CPU usage will immediatly increase
    to 100% . Bong ! the system will hang up. You must reboot it.

    According to my friend's test,with WIN2K PRO+ XDICT 2005,the system
    will not hang up.XDICT will firstly close the "Screen Fetch"
    function,and quit itself when the string is longer.

    Exploit:
    open your notepad.exe ,type 88 'A' with no interruption
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    take the "Screen Fecth" ON,move your mouse ,when you are pointing to
    this string ,the system will hangup.

    A specially crafted string may let the attacker to execute arbitrary commands.

    Solution:
    ReConfigure the "Screen Fecth" Mode to use "CTRL+MOUSE".
    Anyway,dont point to a very long string before the pacth is available

    Vendor Respond:
    2004.10.26 Vendor notice
    2004.10.27 The vendor reply that this bug is submited to the TEST department
    NO further reply

    Credit:
    Sowhat
    http://secway.org
    [ITS] Security Research Team

    This is a little but phunny bug :-)
    Thank to MiaoDeYu for his TEST,Thank to all the members of ITS

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Hugo van der Kooij: "Re: [SPAM] [Full-Disclosure] Spam sent via spambots?"