Gadu-Gadu several vulnerabilities
Product: Gadu-Gadu, most of all available versions (including the latest one)
Vendor: SMS-EXPRESS.COM (http://www.gadu-gadu.pl)
Impact: Several vulnerabilities within the application allow for remote
execution of arbitrary code and information stealing
Severity: Critical
Authors: Blazej Miga <bla@xxxxxxxxxxxxx>,
Jaroslaw Sajko <sloik@xxxxxxxxxxxxx>
Advisory: http://www.man.poznan.pl/~security/gg-adv.txt
[ISSUE]
Gadu-Gadu is the first Polish instant messenger, used by ca. 3 million
people per month.
Several vulnerabilities were discovered, ranging from heap and stack
overflows, integer overflows and directory traversal to incorrect
filtering of HTML script code. These vulnerabilities can lead to remote
execution of arbitrary code, stealing of user data (contact list,
password, etc.) or an application crash.
All of these vulnerabilities can be exploited in the default configuration
of the Gadu-Gadu application.
[DETAILS]
Bug 1.
There is a parsing error in the code portion responsible for the analysis
of 'http:' and 'news:' hrefs embedded in sent messages. This bug can be
exploited to inject an '<a>' tag with code or a reference to it into the
HTML code displayed by the application. The attacker can send malicious
code or a reference to a file with code (see Feature 0 described below).
If properly exploited, the code will be executed when the window with the
message pops up. The code will execute in the LOCAL ZONE!
Bug 2.
Some strange kind of feature. The Gadu-Gadu client allows users to connect
to the server via an HTTP proxy, but because there is no server
authentication, any proxy server can send any packet. Combined with
Feature 1 (described below), this allows remote code execution by HTTP
proxy administrators or through other man-in-the-middle attacks. All
WITHOUT the user's knowledge!
Bug 3.
By exploiting the dcc connections feature (Feature 2) and the ctcp packets
(ctcp with special values, 1 as type and 4 as subtype), you can get a file
from the _cache directory of your friend, without his knowledge! But
because there is a directory traversal error, you can get any file, e.g.
'..\Ja\config.dat', where the password is stored. The user is NOT notified
about that by the Gadu-Gadu application.
Bug 4.
There is a buffer overflow in the code portion that handles the sending of
images. This is a stack overflow which can be triggered by a specially
crafted filename. Successful exploitation can lead to a stack frame
overwrite and arbitrary code execution. This bug works with the newest
build of the program.
Bug 4b.
In addition there is also a heap overflow. This bug is probably the same
as the one found by Lord YuP in September this year, but it still works
with the newest program build!
Bug 5.
There is some kind of bug in reading the config file. Even if the
"image send" option is disabled (by default it is), you can still send
small images, up to 100 bytes. This bug combined with bug number 4 allows
the attacker to send a malicious packet with arbitrary code to any user
who has the attacker's uin on his contact list (even to users who have the
"image send" option disabled).
Bug 6.
Another vulnerability related to image sending relies on the fact that an
image can be divided into packets and sent one by one, but the code
responsible for assembling files does a strange comparison. If the length
of the received data is not equal to the expected length of the file to
receive, the receive loop is not terminated. The attacker has full control
over the length values, as they are retrieved directly from the received
packets. So there is another heap overflow; maybe this is the bug which
Lord YuP found, who knows, but because the file can be long, there is a
lot of space for the shellcode. This bug works with the newest version.
Bug 7.
There is also an integer overflow vulnerability which can be triggered in
the code portion responsible for receiving files through dcc. It is caused
by the fact that the file length is fetched directly from the user packet
and is compared to some maxlen value using the "JLE" instruction. Because
this time the file is written block by block, this bug can lead only
(according to our knowledge) to filling up the disk space with unknown
data from memory or to writing a small unknown part of memory (which can
be further fetched with bug number 3). Again, all data about lengths comes
from the sender's packets.
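The length handling behind Bugs 6 and 7, as an added example that is not
code from Gadu-Gadu or from the advisory's authors: JLE is a signed
comparison, so a 32-bit wire value with the top bit set passes a
"len <= maxlen" test, and a reassembly loop that only stops on exact
equality never stops once a chunk overshoots. MAX_FILE_LEN, the struct and
all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FILE_LEN (1u << 20)  /* assumed policy limit (1 MiB) */

/* Signed "len <= max" (what JLE tests): wire value 0xFFFFFFFF reads as -1. */
static int len_ok_signed(uint32_t wire, int32_t max) {
    int32_t s;
    memcpy(&s, &wire, sizeof s);     /* reinterpret the bits as signed */
    return s <= max;
}

/* Unsigned comparison of the same field rejects the huge value. */
static int len_ok_unsigned(uint32_t wire, uint32_t max) {
    return wire != 0 && wire <= max;
}

struct reasm { uint8_t *buf; uint32_t expected, received; };

/* Allocate only after the declared length passes the unsigned check. */
static int reasm_begin(struct reasm *r, uint32_t declared) {
    if (!len_ok_unsigned(declared, MAX_FILE_LEN)) return -1;
    r->buf = malloc(declared);
    r->expected = declared;
    r->received = 0;
    return r->buf ? 0 : -1;
}

/* 1 = complete, 0 = need more, -1 = chunk rejected. The chunk is checked
 * against the space left before the copy, so termination never depends
 * on received == expected being hit exactly. */
static int reasm_add(struct reasm *r, const uint8_t *chunk, uint32_t n) {
    if (n == 0 || n > r->expected - r->received) return -1;
    memcpy(r->buf + r->received, chunk, n);
    r->received += n;
    return r->received == r->expected;
}

int main(void) {
    struct reasm r;
    uint8_t chunk[6] = {0};                  /* constructed sample data */
    if (reasm_begin(&r, 8) != 0) return 1;
    int first = reasm_add(&r, chunk, 6);     /* 0: two bytes still missing */
    int second = reasm_add(&r, chunk, 6);    /* -1: would overrun the buffer */
    free(r.buf);
    return !(first == 0 && second == -1 && len_ok_signed(0xFFFFFFFFu, 1 << 20));
}
```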
Feature 0.
When the filename parser meets '.' or '/' within a filename it purges it,
but it does not do so when it meets an encoded form of '/' (which stands
for '/') or of '.' (which stands for '.').
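Why the order of filtering and decoding matters for Feature 0 and for the
file request in Bug 3, as an added example that is not code from Gadu-Gadu
or from the advisory's authors. It assumes the encoded form is a decimal
character reference (&#NN;) and that the name is decoded after the purge;
the function names, the allowlist and the sample strings are constructed
for the illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode decimal character references (&#NN;) from in to out; -1 if too long. */
static int decode_refs(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (; *in; in++) {
        char c = *in, *end;
        if (c == '&' && in[1] == '#' && isdigit((unsigned char)in[2])) {
            unsigned long v = strtoul(in + 2, &end, 10);
            if (*end == ';' && v > 0 && v < 128) { c = (char)v; in = end; }
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = c;
    }
    out[o] = '\0';
    return 0;
}

/* Order described in Feature 0: purge '.' and '/' first, decode afterwards. */
static int purge_then_decode(const char *raw, char *out, size_t outsz) {
    char tmp[256];
    size_t t = 0;
    for (; *raw && t + 1 < sizeof tmp; raw++)
        if (*raw != '.' && *raw != '/') tmp[t++] = *raw;
    tmp[t] = '\0';
    return decode_refs(tmp, out, outsz);
}

/* Hardened order: decode first, then accept only a bare file name. */
static int safe_cache_name(const char *raw, char *out, size_t outsz) {
    if (decode_refs(raw, out, outsz) != 0 || out[0] == '\0' || out[0] == '.')
        return 0;
    if (strstr(out, "..")) return 0;
    for (const char *p = out; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("._-", *p)) return 0;
    return 1;
}

int main(void) {
    char a[64], b[64];
    const char *sample = "&#46;&#46;&#47;x";          /* constructed input */
    purge_then_decode(sample, a, sizeof a);           /* a becomes "../x" */
    return !(strcmp(a, "../x") == 0 && !safe_cache_name(sample, b, sizeof b)
             && safe_cache_name("img01.gif", b, sizeof b));
}
```

The allowlist also rejects the backslash, so the plain '..\Ja\config.dat'
request from Bug 3 fails the same check.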
Feature 1.
The server can send a specially crafted packet to a client with a dll file
inside it and the client will execute a certain function from that
library, without the user's knowledge.
Feature 2.
When p2p connections are enabled, one side of a connection can ask the
other one to connect to a given ip and port. This can also be exploited
without the user's knowledge.
[POC]
Although we have working (win2k, winxpsp1, winxpsp2) proof of concept
codes for all of the reported issues, we are not going to publish them
until proper patches are released by the vendor.
[WORKAROUND]
Due to the nature of these bugs there is no workaround for Gadu-Gadu users
at this time. The risk can be minimized by disabling dcc connections,
purging your contact list, not connecting through http proxies and by not
clicking on messages from strangers.
[SUMMARY]
Vendor has been informed about these bugs. Have a nice day.
Copyright 2004 Blazej Miga, Jaroslaw Sajko. All rights reserved.