Re: Kazaa Sig2Dat Protocol Remote Integer Overflow and Denial Of Service by creating files in arbitrary locations

From: Markus Kern (markus-kern_at_gmx.net)
Date: 01/18/05

  • Next message: idlabs-advisories_at_idefense.com: "[Full-Disclosure] iDEFENSE Security Advisory 01.18.05: Multiple Unix/Linux Vendor Xpdf makeFileKey2 Stack Overflow"
    Date: Tue, 18 Jan 2005 23:59:51 +0100
    To: "Rafel Ivgi, The-Insider" <theinsider@012.net.il>
    
    

    On Monday, January 17, 2005, 9:40:47 PM Rafel Ivgi, The-Insider <theinsider@012.net.il> wrote:

    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    > Application: Kazaa
    > Vendors: http://www.kazaa.com
    > Versions: kazaa lite k++(probably all others too...)
    > Platforms: Windows
    > Bug: Sig2Dat Protocol Remote Integer Overflow and
    > Denial Of Service by creating files in arbitrary
    > locations
    > Exploitation: Remote With Browser
    > Date: 17 Jan 2005
    > Author: Rafel Ivgi, The-Insider
    > E-Mail: the_insider@mail.com
    > Website: http://theinsider.deep-ice.com

    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    > 1) Introduction
    > 2) Bugs
    > 3) The Code

    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    > ===============
    > 1) Introduction
    > ===============

    > Kazaa is currently the world’s most common P2P file sharing application.
    > When installing Kazaa a new protocol is installed named “sig2dat”.

    This is incorrect. Kazaa itself does not install a handler for the
    'sig2dat' URIs. In fact it doesn't even know about them. The sig2dat
    URIs are created and handled by a third party tool [1] which contains
    the described flaws and happens to be included in the (unofficial)
    Kazaa Lite package.

    The official Kazaa from http://www.kazaa.com does not handle sig2dat
    URIs and is not vulnerable.

    > This protocol contain an integer overflow vulnerability which may cause
    > a crash and may allow remote execution of code. There is another
    > vulnerability in the “File:” parameter which allows creating files in
    > arbitrary locations and committing Denial Of Service.

    [1] sig2dat, http://www.geocities.com/vlaibb/tools.html
        (The design and code of this thing are horrific and there are no
        doubt plenty of other bugs to be found)

    -- 
    Markus Kern
    

  • Next message: idlabs-advisories_at_idefense.com: "[Full-Disclosure] iDEFENSE Security Advisory 01.18.05: Multiple Unix/Linux Vendor Xpdf makeFileKey2 Stack Overflow"

    Relevant Pages