[NT] Ares FileShare Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 08/14/05

  • Next message: SecuriTeam: "[TOOL] Windows TCP/IP Stack Hardening Tool" 
    To: list@securiteam.com
Date: 14 Aug 2005 17:44:45 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Ares FileShare Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.aresfileshare.com/> Ares Fileshare is "a P2P application that
    supports connecting to several P2P networks eg, Gnutella and OpenFT".

    A buffer overflow vulnerability has been discovered in Ares FileShare
    software. The buffer overflow can be triggered whenever the program
    initiates a search containing an arbitrarily long string.

    DETAILS

    Vulnerable Systems:
     * Ares FileShare version 1.1

    Exploitation of a buffer overflow vulnerability in Ares FileShare could
    allow execution of arbitrary code. A specially crafted .conf file
    (ares.conf - configuration file of Ares FileShare) containing long
    searched strings history information or entering a long string for Search
    can cause Ares FileShare to overwrite stack space. No checks are made on
    the length of data being copied, When a string data is longer than 1065
    bytes (1066 or longer), allowing the return address on the stack to be
    overwritten (in UNICODE).

    Successful exploitation allows remote and local attackers to execute
    arbitrary code in the context of the target user that opened the malicious
    configuration file or entering specially crafted search data. After this
    when user starts Ares FileShare program and selects this malicious entry
    from Search Listbox, buffer overflow occurs.

    An example malicious ares.conf file is that contains long search history
    data:
    history = AAAAA.....[ A x 1065 bytes (where the EIP starts in UNICODE)
    ]AA...\r\n

    The data that is written onto the stack is in the form: 0x00410041

    41s in hexadecimal = 'A's are controlled by the input. While this tends to
    make exploitation more difficult, it does not prevent it, as it may be
    possible for an attacker to cause controlled data to be put into a memory
    location matching the required format.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:kozan@spyinstructors.com>
    kozan.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[TOOL] Windows TCP/IP Stack Hardening Tool"

    Relevant Pages