<<< Date Index >>>     <<< Thread Index >>>

Baidu Hi IM client software DoS bug, div zero make client crash



Baidu Hi IM client software DoS bug, div zero make client crash

-- CVE ID:
Not assigned

-- Affected Vendors:
Baidu

-- Affected Products:
Baidu Hi IM software

-- Vulnerability Details:

Our automatic bug exploiting tools have found a DoS bug in Baidu Hi IM
client which is a popular IM software in China.
This bug is due to Baidu Hi client do not strictly check the login
response packet's content from server in NetSevice.dll, malicious
input can cause client crash by div zero exception .

-- Vendor Response:
I contacted with Baidu a month ago, no any response from Baidu.

-- Credit:
This vulnerability was discovered by:
 Gen LI & Jun MA & Ying Zhang

More Detail :
(NetService.dll)


.text:1001FDB4 mov     eax, [ebp+arg_C]
.text:1001FDB7 sar     esi, 3
.text:1001FDBA cdq
.text:1001FDBB idiv    esi   ; cause div zero exception, and make client crash

let login response packet is an array : a[]

esi is from :
tmp1= a[0x29] + (a[0x2a]<<8) + (a[0x2b]<<0x10) + (a[0x2c]<<0x18) ;
when eip=0x100202ca
tmp2= a[0x2d] + (a[0x2e]<<8) + (a[0x2f]<<0x10) + (a[0x30]<<0x18) ;
when eip=0x100202ca
tmp3= a[0x2b]+(a[0x2c]<<8) + (a[0x2d]<<0x10) + (a[0x2e]<<0x18) ; when
eip=0x1001ef2f
tmp4 = (tmp3<0) ? 0xffffffff:0 ; when eip= 0x1001fdac

tmp5 = tmp4 & 0x7; when eip = 0x1001fdad
tmp6 = tmp3+tmp5; when eip = 0x1001fdb0
esi = tmp6>>3; when eip = 0x1001fdb7

if malicious input is proper, client will crash.