Baidu Hi IM client software DoS bug, div zero make client crash
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Baidu Hi IM client software DoS bug, div zero make client crash
- From: "Li Gen" <superligen@xxxxxxxxx>
- Date: Sun, 14 Sep 2008 18:59:58 +0800
Baidu Hi IM client software DoS bug, div zero make client crash
-- CVE ID:
Not assigned
-- Affected Vendors:
Baidu
-- Affected Products:
Baidu Hi IM software
-- Vulnerability Details:
Our automatic bug exploiting tools have found a DoS bug in the Baidu Hi IM
client, which is popular IM software in China.
The bug occurs because the Baidu Hi client does not strictly check the
content of the login response packet from the server in NetService.dll;
malicious input can crash the client with a divide-by-zero exception.
-- Vendor Response:
I contacted Baidu a month ago; there has been no response from Baidu.
-- Credit:
This vulnerability was discovered by:
Gen LI & Jun MA & Ying Zhang
More Detail:
(NetService.dll)
.text:1001FDB4 mov eax, [ebp+arg_C]
.text:1001FDB7 sar esi, 3
.text:1001FDBA cdq
.text:1001FDBB idiv esi ; causes a divide-by-zero exception and crashes the client
Let the login response packet be an array a[].
esi is derived as follows:
tmp1 = a[0x29] + (a[0x2a]<<8) + (a[0x2b]<<0x10) + (a[0x2c]<<0x18) ; when eip = 0x100202ca
tmp2 = a[0x2d] + (a[0x2e]<<8) + (a[0x2f]<<0x10) + (a[0x30]<<0x18) ; when eip = 0x100202ca
tmp3 = a[0x2b] + (a[0x2c]<<8) + (a[0x2d]<<0x10) + (a[0x2e]<<0x18) ; when eip = 0x1001ef2f
tmp4 = (tmp3<0) ? 0xffffffff : 0 ; when eip = 0x1001fdac
tmp5 = tmp4 & 0x7 ; when eip = 0x1001fdad
tmp6 = tmp3 + tmp5 ; when eip = 0x1001fdb0
esi = tmp6>>3 ; when eip = 0x1001fdb7
If the malicious input is crafted properly, the client will crash.
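
The check the advisory says is missing, written out as an added example (not code from the original post or from Baidu Hi). The field offset and arithmetic follow the derivation above; the function names, the length check, the dividend parameter and the sample packet are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FIELD_OFF 0x2b  /* tmp3 is read from a[0x2b..0x2e] per the advisory */

/* Little-endian 32-bit read; the bounds check is an assumption of this example. */
static int read_le32(const uint8_t *a, size_t len, size_t off, int32_t *out)
{
    if (len < 4 || off > len - 4)
        return -1;
    uint32_t v = (uint32_t)a[off] | ((uint32_t)a[off + 1] << 8) |
                 ((uint32_t)a[off + 2] << 16) | ((uint32_t)a[off + 3] << 24);
    *out = (int32_t)v;
    return 0;
}

/* tmp4..tmp6 plus "sar esi, 3" is the compiler idiom for signed tmp3 / 8,
   rounding toward zero, so any tmp3 in -7..7 yields a zero divisor. */
static int32_t divisor_from_field(int32_t tmp3)
{
    return tmp3 / 8;
}

/* Hypothetical hardened form of the division at 0x1001FDBB.
   Returns 0 and stores the quotient, or -1 where idiv would have faulted. */
int safe_login_div(const uint8_t *pkt, size_t len, int32_t dividend, int32_t *q)
{
    int32_t tmp3;
    if (read_le32(pkt, len, FIELD_OFF, &tmp3) != 0)
        return -1;                          /* packet too short for the field */
    int32_t esi = divisor_from_field(tmp3);
    if (esi == 0)
        return -1;                          /* divide by zero */
    if (dividend == INT32_MIN && esi == -1)
        return -1;                          /* quotient overflow also faults idiv */
    *q = dividend / esi;
    return 0;
}

int main(void)
{
    uint8_t pkt[0x40] = {0};                /* constructed sample, not a real capture */
    int32_t q = 0;
    pkt[FIELD_OFF] = 0x10;
    printf("field=16: rc=%d q=%d\n", safe_login_div(pkt, sizeof pkt, 100, &q), (int)q);
    pkt[FIELD_OFF] = 0x03;
    printf("field=3:  rc=%d\n", safe_login_div(pkt, sizeof pkt, 100, &q));
    return 0;
}
```

A rejected packet should be treated as a failed login rather than passed further into the parser.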