The Palace 3.x (Client) Stack Overflow Vulnerability #################################################### Credit: Author : Peter Winter-Smith Software: Packages : The Palace 3.5 (Client) Version : 3.5 and below Vendor : 'Copyright © 1996-2000 Communities.com' Vendor Url : http://www.thepalace.com/ Vulnerability: Bug Type : Stack-based Buffer Overflow Severity : Highly Critical + Remote Code Execution 1. Description of Software "The Palace is the FREE graphical chat. Create and wear your own picture (avatar). Build your very own chat server." - Vendors Website 2. Bug Information (a). Stack-based Buffer Overflow When using the Palace chat software, it is immediately obvious that the most common and efficient method of allowing users to join a specific chat server is to construct a special hyperlink which will automatically load the application and cause it to connect to the specified location. These hyperlinks are constructed as follows: palace://some.machine:9998/ The port may be omitted from the url if the server is running on the default port 9998/tcp. There exists a stack-based buffer overflow condition which can be caused to take effect when a user of the Palace chat software visits a link similar to the following: palace://('a'x118)('BBBB')('XXXX') In the above url, a saved base pointer is overwritten with 42424242h, and a saved return address is overwritten with 58585858h (i). Part of the Vulnerable Code >From a quick look at the Palace chat application, it is evident that the overflow is the result of a dangerous call to 'wsprintfA'. The saved return address which is overwritten is placed on the stack by an instruction found at 004081D7: 004081D7 |. E8 1DA4FFFF CALL Palace32.004025F9 004081DC |. 59 POP ECX ... 004025F9 $ E9 9CC00000 JMP Palace32.0040E69A Within the procedure beginning at 0040E69A, at offset 0040E745 the address of wsprintfA is loaded into the esi register. At 0040E78A a buffer of 84h (132 bytes) is designated to hold the formatted output from calling wsprintfA (the actual formatting string being used is "Connecting to %s:%d"). Then, at 0040E792 the fatal call is made! 0040E745 |. 8B35 ACC04900 MOV ESI,DWORD PTR DS:[<&USER32.wsprintfA>] ... 0040E78A |. 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84] 0040E790 |. 53 PUSH EBX 0040E791 |. 50 PUSH EAX 0040E792 |. FFD6 CALL ESI If an overly long server address was specified in the url (as the '%s' formatting argument), the 132 byte buffer is overflowed and the saved return address from 004081D7 is completely overwritten! When the function returns, at line 0040E7FA, code execution resumes from an arbitrary address which an attacker can supply! 0040E7F7 |> 5F POP EDI 0040E7F8 |. 5E POP ESI 0040E7F9 |. C9 LEAVE 0040E7FA \. C3 RETN 3. Proof of Concept Code The nature of this flaw allows exploitation to take place from simply viewing a specially crafted web-page! Below is such a page that will cause an access violation when attempting to execute code located at 58585858h! Since I am getting a little bored of actually writing exploit code, the exploitation of this flaw is left as an exercise to the reader! ------------------------------[badpage.html]------------------------------ -------------------------------------------------------------------------- Please remove any line-breaks which occur during the re-formatting of the overly long server address string by my email client otherwise the crash will probably not go as planned! 4. Patches - Workarounds None as of 07/02/2004. 5. Credits The discovery, analysis and exploitation of this flaw is a result of research carried out by Peter Winter-Smith. I would ask that you do not regard any of the analysis to be 'set in stone', and that if investigating this flaw you back trace the steps detailed earlier for yourself. Greets and thanks to: David and Mark Litchfield, JJ Gray (Nexus), Todd and all the packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)), pv8man, nick k., Joel J. and Martine. 6. Extras! (a). Quick Question I have a quick question for all those who actually read my advisories: Does the analysis of the vulnerable code within the applications that I find bugs in help anyone at all? I would be interested to know if you consider these a worthwhile addition, or a waste of space! Email me: peter4020@hotmail.com and let me know what you think :-) (b). Fun Challenge If you need something to do during your coffee breaks, try and crack this extremely simple yet interesting encryption routine which I have designed! It's very basic, and does not require any advanced mathematical knowledge to crack. A couple of encrypted strings are below: 'wdle lo emyduksaec eoah vt mrec eo enadrlaey' 'b! mhtnrfglaindinptrwni eterc y'too luokiahtse!' Hints: - Remove the single quotes before starting! - Spacing is important! - 'able was i ere i saw elba' is exactly the same decrypted as it is encrypted! o This document should be mirrored at: http://www.elitehaven.net/thepalace.txt _________________________________________________________________ Sign-up for a FREE BT Broadband connection today! http://www.msn.co.uk/specials/btbroadband