[NEWS] eMule / Lmule / xMule Multiple Remote Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 08/18/03

    To: list@securiteam.com
    Date: 18 Aug 2003 13:50:17 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      eMule / Lmule / xMule Multiple Remote Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    eMule and its UNIX ports "are the most famous file sharing clients which
    are based on the eDonkey2000 network. It is estimated that the user
    count reaches from 1 million to even 10 million p2p clients (according to
    an mldonkey statistic). With such a large user base eMule is not only a
    thorn in the side of the music and movie industry but also an attractive
    target for script kids or worm writers".

    Indeed, auditing the source code revealed vulnerabilities which can be
    abused to disturb the eMule network or to take over other client machines.

    DETAILS

    Vulnerable Systems:
     * eMule version 0.29c and prior
     * xMule version 1.4.3 and prior
     * xMule version 1.5.6a and prior
     * Lmule version 1.3.1 and prior

    The eMule source code is object oriented, which from Stefan's point of
    view makes security auditing a lot harder because the flow of execution
    is not obvious and it is first necessary to get a general overview of the
    objects and their dependencies. While auditing the source code, the
    following bugs were discovered:

    OP_SERVERMESSAGE Format String Vulnerability
     * eMule version 0.29a and prior
     * xMule version 1.4.3 and prior
     * xMule version 1.5.4 and prior
     * Lmule version 1.3.1 and prior

    When the client receives a message from the server, it passes this message
    to a function that expects a format string argument. This could be used by
    a malicious server to crash or take over the connected client system.

    OP_SERVERIDENT Heap Overflow
     * eMule version 0.29a and prior
     * xMule version 1.4.3 and prior
     * xMule version 1.5.4 and prior
     * Lmule version 1.3.1 and prior

    When the client receives a serverident packet from the server, it is
    parsed in an unsafe manner that could lead to an exploitable heap
    overflow. Again, this allows a malicious server to crash or take over the
    connected client.
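    The parsing defect described above is a length field that is trusted before it is checked. The following is an added example, not eMule's code and not the real eDonkey2000 OP_SERVERIDENT layout: it uses a constructed packet format (a 16-bit little-endian length in front of each of two string fields) and puts a parser with the vulnerable shape next to a hardened one that validates every declared length against both the bytes remaining in the packet and the size the client is willing to store. The function names, the field limit `kMaxField` and the packet layout are all assumptions.

```cpp
#include <cstdint>
#include <cstring>
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Constructed example layout (NOT the real eDonkey2000 OP_SERVERIDENT format):
//   uint16 little-endian length, then that many bytes of server name,
//   then the same pair again for the server description.
struct ServerIdent {
    std::string name;
    std::string description;
};

constexpr std::size_t kMaxField = 64;   // assumed per-field storage limit

namespace {
// Reads a 16-bit little-endian length; false if fewer than 2 bytes remain.
bool read_u16(const std::vector<uint8_t>& pkt, std::size_t& pos, uint16_t& out) {
    if (pkt.size() - pos < 2) return false;
    out = static_cast<uint16_t>(pkt[pos] | (pkt[pos + 1] << 8));
    pos += 2;
    return true;
}
}  // namespace

// Vulnerable shape: the declared length is trusted. It is never compared with
// the 64-byte heap destination nor with the bytes actually left in the packet,
// so a packet declaring a large name overruns the heap buffer. Kept only to
// show the bug pattern; hostile input is not fed to it.
std::string parse_name_unsafe(const std::vector<uint8_t>& pkt) {
    std::size_t pos = 0;
    uint16_t len = 0;
    if (!read_u16(pkt, pos, len)) return "";
    char* name = new char[kMaxField];                 // fixed-size heap buffer
    std::memcpy(name, pkt.data() + pos, len);         // BUG: len is unchecked
    std::string out(name, len);
    delete[] name;
    return out;
}

// Hardened parser: each declared length is checked against the remaining
// packet bytes and against kMaxField before any copy. Any inconsistency,
// including trailing bytes, rejects the whole packet (std::nullopt).
std::optional<ServerIdent> parse_serverident(const std::vector<uint8_t>& pkt) {
    ServerIdent id;
    std::size_t pos = 0;
    for (std::string* field : {&id.name, &id.description}) {
        uint16_t len = 0;
        if (!read_u16(pkt, pos, len)) return std::nullopt;
        if (len > kMaxField || len > pkt.size() - pos) return std::nullopt;
        field->assign(reinterpret_cast<const char*>(pkt.data() + pos), len);
        pos += len;
    }
    if (pos != pkt.size()) return std::nullopt;       // trailing garbage
    return id;
}

// Builds a packet in the constructed layout; used only to make sample input.
std::vector<uint8_t> build_serverident(const std::string& name, const std::string& desc) {
    std::vector<uint8_t> pkt;
    for (const std::string* s : {&name, &desc}) {
        pkt.push_back(static_cast<uint8_t>(s->size() & 0xff));
        pkt.push_back(static_cast<uint8_t>(s->size() >> 8));
        pkt.insert(pkt.end(), s->begin(), s->end());
    }
    return pkt;
}
```

    The two checks in the hardened parser are independent: `len > pkt.size() - pos` stops the over-read of the receive buffer, and `len > kMaxField` stops the overflow of the fixed-size destination. Dropping either one reintroduces a bug of the kind the advisory describes.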

    Servername Format String Vulnerabilities
     * eMule version 0.29c and prior
     * xMule version 1.4.2 and prior
     * xMule version 1.5.5 and prior
     * Lmule version 1.3.1 and prior

    Several ways of adding a server with a name that contains format string
    specifiers could crash the client. Remote code execution through this bug
    is unlikely because only very short servernames are accepted.
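    Both the OP_SERVERMESSAGE bug and the servername bug above are the same defect: network-supplied text reaches a printf-style function as the format argument rather than as data. The following added example (not eMule's code; the function names are assumptions) shows that shape next to the corrected call, plus a small boundary check that counts `%` conversion directives in an incoming string, which is useful for logging suspicious server names or messages whether or not the sink has been fixed.

```cpp
#include <cstdio>
#include <cstddef>
#include <string>

// Vulnerable shape: the untrusted text *is* the format string, so every '%'
// directive in it is interpreted by the C library ("%n" even writes memory).
// Kept only to show the bug pattern; it is never given hostile input here.
std::string format_unsafe(const std::string& untrusted) {
    char buf[256];
    const char* fmt = untrusted.c_str();
    std::snprintf(buf, sizeof buf, fmt);          // BUG: attacker-chosen format
    return buf;
}

// Hardened form: the format string is a constant and the text is an argument,
// so '%' sequences in the text are copied literally.
std::string format_safe(const std::string& untrusted) {
    char buf[256];
    std::snprintf(buf, sizeof buf, "%s", untrusted.c_str());
    return buf;
}

// Boundary check: number of '%' conversion directives in a string. A literal
// "%%" is not a directive. Server names and messages have no legitimate
// reason to carry any, so a non-zero count is worth logging.
std::size_t count_format_directives(const std::string& s) {
    std::size_t n = 0;
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '%') continue;
        if (i + 1 < s.size() && s[i + 1] == '%') { ++i; continue; }   // "%%"
        ++n;
    }
    return n;
}
```

    Modern compilers flag the unsafe call with `-Wformat-security`; building with `-Werror=format-security` turns that class of sink into a build failure rather than a runtime bug.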

    AttachToAlreadyKnown Object Destruction Vulnerability
     * eMule version 0.29c and prior
     * xMule version 1.4.2 and prior
     * xMule version 1.5.6a and prior
     * Lmule version 1.3.1 and prior

    When the client receives a special sequence of packets, an error situation
    can be triggered where the currently used client object is deleted. This
    is similar to an ordinary double free vulnerability with the exception
    that here a whole object is mistakenly freed and still used.

    Because this hole was proved to be exploitable (remote code execution) and
    the same packets are completely legal for other clients (so no IDS
    signature can be created anyway), Stefan is not going into details on how
    to trigger the bug. There are just too many vulnerable systems out there.
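    The defect class above is a "merge with an already known object" step that destroys the caller's object while the caller still holds a pointer to it. The following added example is a hypothetical model of that pattern, not eMule's code and not a description of the packet sequence (which the advisory deliberately withholds): the vulnerable shape is described in a comment, and the compiled code shows the ownership discipline that removes it, where the caller hands its object over and continues only with the single surviving object the list returns. Names (`ClientList`, `attach`, `handle_hello`) and structure are assumptions.

```cpp
#include <cstdint>
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>

// Hypothetical client record; the hash is the key for the "already known" lookup.
struct Client {
    std::string user_hash;
    uint32_t bytes_received = 0;
};

class ClientList {
public:
    // Vulnerable shape (not compiled here):
    //   Client* attach(Client* fresh) {
    //       if (Client* known = find(fresh->user_hash)) {
    //           known->bytes_received += fresh->bytes_received;
    //           delete fresh;            // duplicate destroyed ...
    //           return known;
    //       }
    //       ...
    //   }
    //   ... and a caller that ignores the return value and keeps using
    //   `fresh` afterwards: a whole freed object is still used, the same
    //   failure mode as a double free.
    //
    // Hardened shape: ownership is explicit. The caller gives up its
    // unique_ptr, the duplicate dies inside this call, and the only handle
    // the caller gets back is the surviving object.
    std::shared_ptr<Client> attach(std::unique_ptr<Client> fresh) {
        auto it = by_hash_.find(fresh->user_hash);
        if (it != by_hash_.end()) {
            it->second->bytes_received += fresh->bytes_received;
            return it->second;           // `fresh` is destroyed on return
        }
        std::shared_ptr<Client> owned = std::move(fresh);
        by_hash_.emplace(owned->user_hash, owned);
        return owned;
    }

    std::size_t size() const { return by_hash_.size(); }

private:
    std::unordered_map<std::string, std::shared_ptr<Client>> by_hash_;
};

// Simulated packet handler: builds a client from constructed hello data and
// continues only with the object the list returns. After the attach call the
// local unique_ptr is null, so a stale use would fail loudly instead of
// silently touching freed memory.
std::shared_ptr<Client> handle_hello(ClientList& list, const std::string& hash,
                                     uint32_t bytes) {
    auto fresh = std::make_unique<Client>();
    fresh->user_hash = hash;
    fresh->bytes_received = bytes;
    return list.attach(std::move(fresh));
}
```

    For finding the vulnerable shape in an existing code base, building the client with AddressSanitizer and running it against ordinary peers reports the first use of a freed object with both the free and the use stack; no knowledge of a triggering packet sequence is needed for that.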

    Vendor Status:
     * The eMule vendor has released a fixed version.
     * No solution for Lmule, because it is no longer supported.
     * At the moment there is no solution for xMule.

    ADDITIONAL INFORMATION

    The original advisory can be found at:
    http://security.e-matters.de/advisories/022003.html

    The information has been provided by Stefan Esser <s.esser@e-matters.de>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

