Sec-Labs Team proudly presents:
Gadu-Gadu (all versions with image-send feature) Heap Overflow
by Lord YuP
12/09/2004
Severity: High / Critical - Remote Code Execution
Version affected: Probably all versions with image-send feature
Tested on: ver. 6.0 build 149 (the newest one, released two days before)
I. BACKGROUND
Gadu-Gadu is the most popular Polish instant messenger, created by
the sms-express corporation (http://www.gadu-gadu.pl).
It has been shown that Gadu-Gadu is used by a few million
users around the world (mainly in Poland).
II. DESCRIPTION
The vulnerability is in the image-sending feature.
Look at the following protocol schema
(http://dev.null.pl/ekg/docs/protocol.html):
1) ATTACKER (must be in the contact list) sends a specially
crafted GG_SEND_MSG packet; the packet informs the
target that an image is on the way.
2) If everything went OK, TARGET replies with an included
GG_MSG_IMAGE_REQUEST structure.
3) ATTACKER sends a specially crafted GG_MSG_IMAGE_REPLY
(the checksum value in this structure must of course be
the same as in the structure from point one).
With this message it is possible to make
Gadu-Gadu overwrite arbitrary heap memory and
cause an access violation exception in RtlAllocateHeap
(a function exported by the NTDLL library).
Here comes the debugger output (w2k-sp3):
(62c.4a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=58585858 ebx=00000082 ecx=65656565 edx=010975e8 esi=010975e8 edi=01070000
eip=77fcb3f5 esp=0012e5a4 ebp=0012e73c iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
ntdll!RtlAllocateHeap+0x27d:
77fcb3f5 8901 mov [ecx],eax ds:0023:65656565=????????
Stack unwind for this one:
ChildEBP RetAddr
0012fd88 0044fd31 ntdll!RtlAllocateHeap+0x27d
0012fdc4 0044fd53 gg+0x4fd31
0012fe2c 0045fd0d gg+0x4fd53
00000000 00000000 gg+0x5fd0d
These instructions (from ntdll!RtlAllocateHeap):
77fcb3f5 8901 mov [ecx],eax ds:0023:65656565=????????
77fcb3f7 894804 mov [eax+0x4],ecx
allow the attacker to write an arbitrary dword value to any address (since
the attacker fully controls the EAX and ECX registers). Exploitation of such
cases has been described many times in security-related documents. It has
been noticed that, by using different packet variations, it is possible to
overwrite different registers.
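The two stores above have the shape of a doubly linked free-list unlink; that reading is an assumption here, since the advisory does not name the routine. The C model below is an added example, not Sec-Labs or Gadu-Gadu code, and all of its names are hypothetical: it shows why links read from an overflowed chunk turn into a write outside the list, and how the back-pointer check that Windows later added to its heap (safe unlinking, XP SP2) rejects the corrupted entry.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified free-list links kept inside a free heap chunk
   (a model for illustration, not the real NTDLL layout). */
typedef struct list_entry {
    struct list_entry *flink;  /* loaded into EAX in the trace */
    struct list_entry *blink;  /* loaded into ECX in the trace */
} list_entry;

/* Legacy unlink: trusts both pointers read from the chunk.
   b->flink = f  corresponds to  mov [ecx],eax
   f->blink = b  corresponds to  mov [eax+0x4],ecx */
static void unlink_legacy(list_entry *e) {
    list_entry *f = e->flink, *b = e->blink;
    b->flink = f;
    f->blink = b;
}

/* Checked unlink: both neighbours must point back at the entry.
   Returns 0 on success, -1 when the links are inconsistent. */
static int unlink_checked(list_entry *e) {
    list_entry *f = e->flink, *b = e->blink;
    if (f == NULL || b == NULL || f->blink != e || b->flink != e)
        return -1;
    b->flink = f;
    f->blink = b;
    return 0;
}

/* Constructed scenario: an overflow has replaced the links of `victim`
   with two pointers unrelated to the list. Returns 1 if unlinking
   modified memory outside the list, 0 if nothing was written. */
int corrupted_unlink_writes_outside(int checked) {
    list_entry head, victim, what = {NULL, NULL}, where = {NULL, NULL};
    head.flink = head.blink = &victim;
    victim.flink = &what;   /* simulated overwrite of Flink */
    victim.blink = &where;  /* simulated overwrite of Blink */
    if (checked)
        (void)unlink_checked(&victim);
    else
        unlink_legacy(&victim);
    return where.flink != NULL || what.blink != NULL;
}

int main(void) {
    printf("legacy unlink wrote outside the list:  %d\n", corrupted_unlink_writes_outside(0));
    printf("checked unlink wrote outside the list: %d\n", corrupted_unlink_writes_outside(1));
    return 0;
}
```

In this model the corrupted pointers still refer to valid objects; in the trace above ECX held an unmapped address, which is why the first store raised the access violation.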
III. IMPACT
After successful remote exploitation, this vulnerability can allow the
attacker to run arbitrary code in the context of the current user.
Of course, if the exploitation is not successful, the target client will fault.
The following sample screenshots were taken (just after a remote attack):
- http://sec-labs.hack.pl/screenshots/gg-s1.jpg
- http://sec-labs.hack.pl/screenshots/gg-s2.jpg
IV. POC CODE
Sec-labs team is not going to release POC code for this issue.
We are not supporting kiddies any more.
V. BONUS
Here is a short document which describes how to exploit a similar
vulnerability (heap overflow condition) in MSRPC:
- Exploiting the MSRPC Heap Overflow by Dave Aitel
(http://www.immunitysec.com/downloads/msrpcheap.pdf)
(http://www.immunitysec.com/downloads/msrpcheap2.pdf)
--
Sec-Labs Team [http://sec-labs.hack.pl]