Buffer overflow in MSN Messenger 6.0

From: Bahaa Naamneh (b_naamneh_at_hotmail.com)
Date: 07/19/03

    Date: 19 Jul 2003 11:42:26 -0000
    To: bugtraq@securityfocus.com
    
    

    ##########################################################################

    Application: MSN Messenger 6.0
                 http://www.msnmessenger-download.com/Preview/
    Affected Versions: MSN Messenger 6.0 build 6.0.0501 and prior
    Bug: Buffer overflow in msnmsgr.exe
                 (In the small viewer box that shows the file being sent
                 before accepting it).
    Author: Bahaa Naamneh
                 e-mail: b_naamneh@hotmail.com

    ##########################################################################
     
    =============
    Introduction:
    =============
    MSN Messenger is one of the most famous messengers, due to the interesting
    services that it offers.
    Version 6.0 appears with many services; one of these services is
    the small viewer box that shows the icon of the file being sent before
    getting it. If the file being sent is a picture, this box shows the
    picture itself, not the icon, before getting it.
    Picture of the viewer box:
    (http://members.lycos.co.uk/bnsecurity/msn/msn01.JPG)

    ==========================
    The bug (buffer overflow):
    ==========================
    Sending "uncompleted pictures" causes a buffer overflow.

    "Uncompleted pictures": I don't know if this phrase is correct; anyway,
    I mean by this phrase the pictures that we didn't receive completely.
    Sometimes while we are receiving a picture from a person the connection
    fails or something happens that causes the whole picture not to be received,
    but we can still open it. It appears in two parts: the first
    part is the received part and the second part appears with a dark color.
    Picture of "uncompleted pictures":
    (http://members.lycos.co.uk/bnsecurity/msn/msn03.JPG).

    You can download "uncompleted picture" from this link.
    http://members.lycos.co.uk/bnsecurity/01/
    (disable any downloading programs like GetRight or DAP ... if you use them)

    When you send an "uncompleted picture" via Messenger 6.0, the small viewer
    will lose the default size that it was programmed to have.
    http://members.lycos.co.uk/bnsecurity/msn/msn03.JPG

    So sending the "uncompleted picture" will cause a buffer overflow and
    Messenger will crash.
    http://members.lycos.co.uk/bnsecurity/msn/msn04.JPG

    =================
    Vendor Response:
    =================
    Contacted. The bug has already been fixed in build 6.0.0602

    Microsoft Response: "...We suspect that we have already fixed this bug as
    early as build 501 as your report is very similar to a bug that was
    resolved with that build—but we would like your assistance to verify
    this. ..."

    ========
    Exploit:
    ========
    I'm trying to make an exploit in "visual basic"!!!.
    You can download the "uncompleted picture" from this link:
    http://members.lycos.co.uk/bnsecurity/01/
    and test it by sending it via the messenger 6.0

    ##########################################################################

    ..Sorry for my poor English

