The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
DC++ bzip2 Decompression Routine DoS
------------------------------------------------------------------------
SUMMARY
DC++ <http://dcplusplus.sourceforge.net/> is "an open source client for
the Direct Connect protocol". A vulnerability in the way DC++ decompresses
incoming file lists allows remote attackers to crash the program by
sending it a very small file that inflates to a very large file once DC++
decompresses it.
DETAILS
Vulnerable Systems:
* DC++ version 0.674
Newer versions of DC++ use bzip2 for filelist compression to save
bandwidth. A large, highly redundant file compresses to almost nothing
with bzip2 (for example, a 1 GB file consisting only of zeros compresses
to ~750 bytes). If such a file is put in place of your filelist, then when
someone downloads your filelist their client tries to decompress the evil
filelist and crashes, or hangs and hogs a lot of resources.
Proof of Concept:
1. Download DC++, Process Explorer
<http://www.sysinternals.com/Utilities/ProcessExplorer.html>, and the
evil filelist <http://www.critical.lt/research/dc.zip>.
2. Fire up DC++, connect to some server, and wait for someone to try to
download your filelist or something from you (so that DC++ opens a handle
to your original filelist and doesn't try to overwrite it later).
3. Open Process Explorer, press Find Handle, enter "files.xml.bz2", right
click on the handle that it found, press Close Handle, and replace your
filelist with the evil one. Now when someone downloads your filelist,
their DC++ will crash.
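The defence against this class of bug is to cap decompressed output instead of trusting the size of the compressed input. The Python sketch below is an added example, not DC++ code and not part of the original advisory; the function names, the 1 MiB limit and the constructed sample are assumptions for illustration.

```python
import bz2

class FileListTooLarge(Exception):
    """Decompressed output exceeded the caller's limit."""

def bounded_bunzip2(blob, max_out, chunk=64 * 1024):
    """Decompress a bzip2 stream, refusing to produce more than max_out bytes."""
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    data = blob
    while not dec.eof:
        # Ask for at most one byte beyond the limit, so an oversized stream
        # is detected without ever inflating it fully in memory.
        budget = min(chunk, max_out + 1 - len(out))
        out += dec.decompress(data, max_length=budget)
        data = b""  # unconsumed input stays buffered inside the decompressor
        if len(out) > max_out:
            raise FileListTooLarge(
                f"{len(blob)} compressed bytes inflate past {max_out} bytes")
        if dec.needs_input and not dec.eof:
            raise ValueError("truncated bzip2 stream")
    return bytes(out)

def make_constructed_sample(size):
    """Constructed input: `size` zero bytes, compressed with bzip2."""
    return bz2.compress(bytes(size))

if __name__ == "__main__":
    limit = 1024 * 1024  # assumed cap for a received file list
    sample = make_constructed_sample(8 * limit)
    print("compressed size:", len(sample))
    try:
        bounded_bunzip2(sample, limit)
    except FileListTooLarge as exc:
        print("rejected:", exc)
```

A client applying this check to a received file list stops after `max_out + 1` bytes of output, so the cost of a hostile list is bounded by the limit, not by what the stream claims to contain.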
ADDITIONAL INFORMATION
The information has been provided by mircia <mailto:mircia@critical.lt>.
The original article can be found at:
http://www.critical.lt/?vulnerabilities/22
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.