Baidu Hi IM software parsing plaintext stack overflow
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Baidu Hi IM software parsing plaintext stack overflow
- From: "Li Gen" <superligen@xxxxxxxxx>
- Date: Sat, 13 Sep 2008 17:05:26 +0800
-- CVE ID:
Not assigned
-- Affected Vendors:
Baidu
-- Affected Products:
Baidu Hi IM software
-- Vulnerability Details:
Our automatic bug exploiting tools have found a buffer overflow bug in
Baidu Hi IM software, which is a popular IM software in China.
This bug is due to Baidu Hi not strictly checking the deciphered
plaintext format in CSTransfer.dll.
Because of the encryption mechanism of Baidu Hi, it is hard to generate
a proper malicious packet, but that is not to say it is impossible. A proper
malicious packet can lead to the client system being fully controlled.
-- Vendor Response:
I contacted Baidu a month ago; there has been no response from Baidu.
-- Credit:
This vulnerability was discovered by:
Gen LI & Jun MA & Ying Zhang
More detail (CSTransfer.dll):

Layout of the deciphered plaintext as the parser sees it. ebp points at the
start of the field being parsed; esi is the position from which the parser
steps backwards looking for a space.

  Correct content (esi lies further along the line, after ebp):

    | c| m|  | 1| .| 0|  | R| 4| 0|  |\r|\n| .... |
     ^ ebp                 ^ esi

  Malicious input (esi == ebp, both at the very first byte of the buffer):

    | R|  | 4| 0|  |\r|\n| .... |
     ^ ebp, esi

The parsing code:

  loc_10007880:
      mov     al, [esi-1]
      dec     esi
      cmp     al, 20h
      jnz     short loc_10007890

  loc_10007888:
      mov     al, [esi-1]
      dec     esi
      cmp     al, 20h
      jz      short loc_10007888

  loc_10007890:
      push    20h
      push    ebp
      inc     esi
      call    ds:strchr
      mov     edi, eax

With the malicious input, esi has been stepped back in front of the buffer,
into the heap struct that precedes the plaintext, while edi (the strchr
result) points at the first space inside the input:

    | heap struct | R|  | 4| 0|  |\r|\n| .... |
         ^ esi      ^ ebp ^ edi

  loc_100078EA:
      sub     esi, edi                ; esi will be a negative number
      cmp     esi, 1Eh
      jg      loc_100079FD
      push    esi                     ; size_t ; esi will be a negative number
      lea     edx, [esp+44h+var_24]
      push    edi                     ; char *
      push    edx                     ; char *
      call    ds:strncpy              ; cause buffer overflow
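The defect in the listing, as an added C model that is not Baidu's code: the scan position (esi) ends up before the strchr result (edi), the difference is compared as a signed value against 1Eh, and the same negative register is then pushed as size_t. The fake heap header, the buffer size 0x20 for var_24, and the sample plaintexts are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the parse step in the listing above, not Baidu's code.
 * Memory is one array: a fake heap header standing in for the struct that
 * precedes the deciphered plaintext, then the plaintext. Indices into it play
 * the role of the registers (field start = ebp, scan position = esi). */
#define HDR "hdr:"              /* constructed stand-in for the heap struct */
#define STACK_BUF_SIZE 0x20     /* assumed size of the local buffer var_24 */

/* loc_10007880 .. loc_10007890: step back one byte, keep stepping while the
 * bytes are spaces, then re-advance once (inc esi). Returns the final esi. */
static long scan_back(const char *mem, long esi) {
    char al = mem[esi - 1]; esi--;                            /* loc_10007880 */
    if (al == ' ') {
        do { al = mem[esi - 1]; esi--; } while (al == ' ');   /* loc_10007888 */
    }
    return esi + 1;                                           /* inc esi */
}

/* loc_100078EA as compiled: signed compare against 1Eh, then the same
 * register pushed as size_t. Returns 0 when the jg branch rejects the field. */
static size_t vulnerable_copy_len(long esi, long edi) {
    int32_t len = (int32_t)(esi - edi);   /* sub esi, edi */
    if (len > 0x1E) return 0;             /* cmp esi, 1Eh / jg: negative passes */
    return (size_t)(uint32_t)len;         /* push esi ; size_t: ~4 GiB if negative */
}

/* Hardened form: esi may not lie before edi, and the copy must fit var_24. */
static size_t safe_copy_len(long esi, long edi) {
    if (esi < edi) return 0;
    size_t len = (size_t)(esi - edi);
    return (len > 0x1E || len >= STACK_BUF_SIZE) ? 0 : len;
}

/* Places plaintext after the fake header, runs the scan from `scan` (offset in
 * plaintext) with the field starting at `field` (ebp), and returns the byte
 * count that would reach strncpy under the chosen check (0 if rejected). */
static size_t copy_len_for(const char *plaintext, long field, long scan, int hardened) {
    char mem[64];
    size_t hl = strlen(HDR);
    if (hl + strlen(plaintext) + 1 > sizeof mem) return 0;
    memcpy(mem, HDR, hl);
    strcpy(mem + hl, plaintext);
    long esi = scan_back(mem, (long)hl + scan);
    const char *sp = strchr(mem + hl + field, ' ');   /* call ds:strchr */
    if (sp == NULL) return 0;                         /* assumed; not in listing */
    long edi = (long)(sp - mem);
    return hardened ? safe_copy_len(esi, edi) : vulnerable_copy_len(esi, edi);
}
```

Run with the correct-content line and the two-field malicious line from the diagrams: the original check passes a copy length of 4 for the former and 0xFFFFFFFF for the latter, while the hardened check rejects the latter outright.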