
gg-adv.txt
Posted Dec 30, 2004
Authored by Blazej Miga, Jaroslaw Sajko | Site man.poznan.pl

Several vulnerabilities were discovered ranging from heap, stack, and integer overflows and directory traversals in the Gadu-Gadu instant messenger tool.

tags | advisory, overflow, vulnerability
SHA-256 | 01c9cbdf64e7eccd703c827426553c1f2a768bebef8d6749ada3ef2512415c7b


Product: Gadu-Gadu,
most available versions (including the latest one)
Vendor: SMS-EXPRESS.COM (http://www.gadu-gadu.pl)
Impact: Several vulnerabilities within the application allow for
remote execution of arbitrary code and information
stealing
Severity: Critical
Authors: Blazej Miga <bla@man.poznan.pl>,
Jaroslaw Sajko <sloik@man.poznan.pl>
Advisory: http://www.man.poznan.pl/~security/gg-adv.txt


[ISSUE]

Gadu-Gadu is the first Polish instant messenger, used by about 3 million
people per month.

Several vulnerabilities were discovered, ranging from heap and stack
overflows, integer overflows and directory traversal to incorrect
filtering of HTML script code. These vulnerabilities can lead to remote
execution of arbitrary code, stealing of user data (contact list,
password, etc.) or an application crash.

All of these vulnerabilities can be exploited on a default configuration
of Gadu-Gadu application.


[DETAILS]

Bug 1.
There is a parsing error in the code portion responsible for the analysis
of 'http:' and 'news:' hrefs embedded in sent messages. This bug can be
exploited to inject an '<a>' tag with code, or a reference to code, into
the HTML displayed by the application. The attacker can send malicious code
or a reference to a file containing code (see Feature 0 described below).
If properly exploited, the code will be executed when the window with the
message pops up. Code will execute in the LOCAL ZONE!
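The defensive counterpart to Bug 1 is to never let untrusted message text reach the rendered document as markup. The following is an added example (not code from the advisory or from the Gadu-Gadu client) that escapes every HTML metacharacter in a message before rendering, rather than trying to recognise and strip particular href forms; the sample message is constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape untrusted message text before it is placed into HTML that the
 * client renders. Every metacharacter is replaced, instead of trying to
 * recognise and strip particular href forms, so attacker-supplied text
 * stays text. Returns a malloc'd string the caller frees, or NULL. */
char *html_escape(const char *in)
{
    static const char *const reps[256] = {
        ['&'] = "&amp;", ['<'] = "&lt;", ['>'] = "&gt;",
        ['"'] = "&quot;", ['\''] = "&#39;",
    };
    size_t out_len = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++)
        out_len += reps[*p] ? strlen(reps[*p]) : 1;

    char *out = malloc(out_len + 1);
    if (!out) return NULL;
    char *o = out;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (reps[*p]) {
            size_t l = strlen(reps[*p]);
            memcpy(o, reps[*p], l);
            o += l;
        } else {
            *o++ = (char)*p;
        }
    }
    *o = '\0';
    return out;
}

/* True when the escaped text can no longer open a tag or break out of
 * an attribute value: no raw '<', '>', '"' or '\'' remain. */
int is_inert(const char *escaped)
{
    return strpbrk(escaped, "<>\"'") == NULL;
}

int main(void)
{
    /* Constructed sample message; not a real Gadu-Gadu packet. */
    const char *msg = "hi <a href=\"http://example.invalid/\">click</a> & bye";
    char *safe = html_escape(msg);
    if (!safe) return 1;
    printf("rendered as text: %s\n", safe);
    printf("inert: %s\n", is_inert(safe) ? "yes" : "no");
    free(safe);
    return 0;
}
```

The point of the two-pass layout is that the output size is computed from the input before any byte is written, so the escaping routine itself cannot become another overflow.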

Bug 2.
Some strange kind of feature. The Gadu-Gadu client allows users to connect
to the server via an HTTP proxy, but because there is no server
authentication any proxy server can send any packet. This combined with
Feature 1 (described below) allows remote code execution by HTTP proxy
administrators or other man-in-the-middle attackers. All WITHOUT user
knowledge!

Bug 3.
Exploiting the dcc connections feature (Feature 2) and the ctcp packets
(ctcp with special values: 1 as type and 4 as subtype) you can get a file
from the _cache directory of your friend, without his knowledge! But,
because there is a directory traversal error, you can get any file, e.g.
'..\Ja\config.dat' where the password is stored. The user is NOT notified
about this by the Gadu-Gadu application.

Bug 4.
There is a buffer overflow in the code portion handling the sending of
images. This is a stack overflow which can be triggered by a specially
crafted filename. Successful exploitation can lead to a stack frame
overwrite and arbitrary code execution. This bug works with the newest
build of the program.

Bug 4b.
In addition there is also a heap overflow. This bug is probably the same
as the one found by Lord YuP in September this year, but it still works
with the newest program build!

Bug 5.
There is some kind of bug while reading the config file. Even if the
"image send" option is disabled (by default it is), you can still send
small images, up to 100 bytes. This bug combined with bug number 4 allows
the attacker to send a malicious packet with arbitrary code to any user who
has the attacker's uin on his contact list (even to users who have the
"image send" option disabled).

Bug 6.
Another vulnerability related to image sending relies on the fact that an
image can be divided into packets and sent one by one, but the code
responsible for assembling files does a strange comparison. If the length
of the received data is not equal to the expected length of the file to
receive, the receive loop is not terminated. The attacker has full control
over the length values, as they are retrieved directly from the received
packets. So there is another heap overflow (maybe this is the bug which
Lord YuP found, who knows), but because the file can be long, there is a
lot of space for the shellcode. This bug works with the newest version.

Bug 7.
There is also an integer overflow vulnerability which can be triggered in
the code portion responsible for file reception through dcc. It is caused
by the fact that the file length is fetched directly from the user packet
and compared to some maxlen value with a JLE instruction. Because this
time the file is written block by block, this bug can lead only (to our
knowledge) to filling up the disk space with unknown data from memory, or
to writing a small unknown part of memory (which can then be fetched with
bug number 3). Again, all data about lengths comes from sender packets.
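Bugs 6 and 7 share one root cause: lengths taken straight from the peer's packets are used to drive the receive loop and the bounds check. The following is an added example (not code from the advisory or from the Gadu-Gadu client) of a receiver that validates the announced length as an unsigned value and bounds every chunk by the buffer it actually allocated. The weak signed comparison is included only for contrast (JLE is a signed jump, which is why a length with the top bit set passes a signed "<=" test); MAX_FILE_LEN and the packet sizes are hypothetical values chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical receiver-side ceiling; the real client's limit is not
 * given in the advisory. */
#define MAX_FILE_LEN 65536u

/* Weak check, kept only for contrast: the sender-supplied length is
 * treated as signed and compared with a signed "<=" (the JLE the
 * advisory mentions for Bug 7). A value with the top bit set reads as
 * negative and slips under the ceiling. */
int length_ok_signed(uint32_t wire_len)
{
    int32_t len = (int32_t)wire_len;
    return len <= (int32_t)MAX_FILE_LEN;
}

/* Hardened check: compare as unsigned and reject a zero length. */
int length_ok(uint32_t wire_len)
{
    return wire_len != 0 && wire_len <= MAX_FILE_LEN;
}

/* Reassembly state for a file that arrives in several packets. */
typedef struct {
    uint8_t *buf;
    uint32_t expected;  /* announced total, validated once at init */
    uint32_t received;  /* bytes copied so far, our own bookkeeping */
    int done;
} rx_t;

/* Allocate only after the announced length passes the unsigned check. */
int rx_init(rx_t *rx, uint32_t expected)
{
    if (!length_ok(expected)) return -1;
    rx->buf = calloc(expected, 1);
    if (!rx->buf) return -1;
    rx->expected = expected;
    rx->received = 0;
    rx->done = 0;
    return 0;
}

/* Append one packet. The chunk is bounded by the space actually left
 * in the buffer we allocated, not by anything the peer claims, and the
 * transfer is closed as soon as received reaches expected (Bug 6 was a
 * "!=" test that kept the loop open when the counts disagreed). */
int rx_chunk(rx_t *rx, const uint8_t *data, uint32_t len)
{
    if (rx->done || len == 0) return -1;
    uint32_t remaining = rx->expected - rx->received;  /* never underflows */
    if (len > remaining) return -1;  /* would overrun the heap buffer */
    memcpy(rx->buf + rx->received, data, len);
    rx->received += len;
    if (rx->received >= rx->expected) rx->done = 1;
    return 0;
}

void rx_free(rx_t *rx)
{
    free(rx->buf);
    rx->buf = NULL;
}

int main(void)
{
    /* Constructed packets: a 100-byte announced file sent as 64 + 64. */
    uint8_t chunk[64];
    memset(chunk, 0x41, sizeof chunk);
    rx_t rx;
    if (rx_init(&rx, 100) != 0) return 1;
    printf("chunk 1: %s\n", rx_chunk(&rx, chunk, 64) == 0 ? "ok" : "rejected");
    printf("chunk 2: %s\n", rx_chunk(&rx, chunk, 64) == 0 ? "ok" : "rejected");
    printf("announced 0xFFFFFFF0: signed check %s, unsigned check %s\n",
           length_ok_signed(0xFFFFFFF0u) ? "accepts" : "rejects",
           length_ok(0xFFFFFFF0u) ? "accepts" : "rejects");
    rx_free(&rx);
    return 0;
}
```

Note that `remaining` is derived only from the receiver's own counters, so the peer cannot make it underflow, and the second 64-byte packet is rejected outright instead of being accepted up to some partial length.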


Feature 0.
When the filename parser meets '.' or '/' within the filename it purges it, but
it does not do so when it meets '/' (which stands for '/') or '.'
(which stands for '.').
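Feature 0 and Bug 3 together show the usual failure of a purge-style filter: it strips the literal characters but not their encoded forms, so a traversal name survives. The following is an added example (not code from the advisory or from the Gadu-Gadu client) of the defensive pattern: decode first, then reject any name that is not a single plain component instead of trying to repair it. The advisory does not say which encoding the real parser mishandles, so percent-decoding stands in here as a hypothetical; the names in the demonstration are constructed.

```c
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical: whatever encoded form the client accepts must be
 * decoded before validation. Percent-decoding stands in for that form.
 * Returns 0 on success, -1 on malformed input or an oversized result. */
int decode_name(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i]; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int h = hexval((unsigned char)in[i + 1]);
            int l = (h >= 0) ? hexval((unsigned char)in[i + 2]) : -1;
            if (l < 0) return -1;
            c = h * 16 + l;
            i += 2;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Reject (never "fix") any name that could leave the cache directory:
 * path separators of either flavour, colons, control bytes and the
 * dot-only components. Returns 1 only for a plain single-component
 * name. */
int cache_name_ok(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 255) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c == ':' || c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Full check on a name taken from the wire: decode, then validate the
 * decoded form. The decoded name is left in 'decoded' for logging. */
int cache_request_ok(const char *wire_name, char *decoded, size_t sz)
{
    if (decode_name(wire_name, decoded, sz) != 0) return 0;
    return cache_name_ok(decoded);
}

int main(void)
{
    /* Constructed requests, the last one in encoded form. */
    const char *names[] = { "avatar.bmp", "..\\Ja\\config.dat",
                            "%2e%2e%5cJa%5cconfig.dat" };
    char decoded[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int ok = cache_request_ok(names[i], decoded, sizeof decoded);
        printf("%-28s -> %s (decoded: %s)\n", names[i],
               ok ? "serve" : "reject", ok ? decoded : decoded);
    }
    return 0;
}
```

Running the check after decoding is what makes the encoded variant fail the same test as the literal one; a filter that only purges characters before decoding can never see the separator it is meant to catch.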

Feature 1.
The server can send specially crafted packet to a client with a dll file
inside it and the client will execute certain function from that library,
without user knowledge.

Feature 2.
When p2p connections are enabled, one side of a connection can ask the
other one to connect to a given IP and port. This can also be exploited
without user knowledge.


[POC]

Although we have working (win2k, winxpsp1, winxpsp2) proof of concept
codes for all of the reported issues, we are not going to publish them
until proper patches are released by the vendor.


[WORKAROUND]

Due to the nature of these bugs there is no workaround for Gadu-Gadu users
at this time. The risk can be minimized by disabling dcc connections,
purging your contact list, not connecting through HTTP proxies and by not
clicking on messages from strangers.


[SUMMARY]

Vendor has been informed about these bugs. Have a nice day.


Copyright 2004 Blazej Miga, Jaroslaw Sajko. All rights reserved.


