
Winny Remote Buffer Overflow Vulnerability

2006-04-25 00:00:00
vulners.com


Release Date:
April 21, 2006

Date Reported:
March 22, 2006

Patch Development Time (In Days):

Severity:
High (Remote Code Execution)

Systems Affected:
Winny version 2.0 b7.1 and before

Systems Affected:
Windows NT 4.0
Windows 98 / ME
Windows 2000
Windows XP
Windows 2003

Overview:
eEye Digital Security has discovered a critical vulnerability in Winny, a very popular Japanese P2P application. This vulnerability may allow a remote attacker to overwrite heap memory with user-controlled data and execute arbitrary code in the context of the user who ran Winny.

Technical Details:
This vulnerability exists in the handling of specific commands received on the file transfer port. We chose not to provide detailed information about the location of the vulnerability and how to reproduce it because the author has declined to provide a fix (see "Vulnerability History" below). The vulnerability lies in a strcpy(): certain commands allow a long string argument to be copied into a heap buffer, and the length of this input is never checked. Depending on the input, this strcpy() leads to one of the following exploitable conditions:

(1) 0052290A mov dword ptr [edx],eax ; We can control both of EDX and EAX
(2) 00406011 call dword ptr [ebx+0ch] ; We can control EBX

In both cases, we confirmed the ability to execute our own code. This is a common heap overflow vulnerability and can be exploited easily.
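As an added illustration, not code from the advisory or from Winny, the following C shows the unchecked strcpy() pattern described above next to a hardened handler that bounds the length check before copying; the record layout, ARG_CAP and all function names are constructed assumptions, and the adjacent function pointer is there only to show which kind of neighbouring data an overflow of the buffer would clobber.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record layout for illustration only, not Winny's real one:
 * a fixed-size heap buffer for the command argument followed by a field
 * whose corruption is what makes this bug class exploitable. */
#define ARG_CAP 64

struct cmd_record {
    char arg[ARG_CAP];          /* destination of the copy */
    void (*on_complete)(void);  /* neighbour clobbered by an overflow */
};

static void noop(void) {}

/* The pattern the advisory describes: strcpy() with no length check.
 * Kept for comparison only; nothing in this program calls it. */
void handle_vulnerable(struct cmd_record *rec, const char *arg)
{
    strcpy(rec->arg, arg); /* writes past rec->arg once strlen(arg) >= ARG_CAP */
}

/* Hardened handler: the length check is itself bounded (memchr never reads
 * past ARG_CAP bytes) and oversize input is refused, not silently truncated. */
int handle_safe(struct cmd_record *rec, const char *arg)
{
    const char *nul = memchr(arg, '\0', ARG_CAP);
    if (nul == NULL)
        return -1;                               /* no terminator within capacity */
    memcpy(rec->arg, arg, (size_t)(nul - arg) + 1); /* includes the NUL */
    return 0;
}

/* Runs one constructed input through the hardened handler and returns 1 only
 * if the return code matched expect_rc and on_complete was left intact. */
int check_input(const char *arg, int expect_rc)
{
    struct cmd_record *rec = calloc(1, sizeof *rec);
    if (rec == NULL) return 0;
    rec->on_complete = noop;
    int rc = handle_safe(rec, arg);
    int ok = (rc == expect_rc) && (rec->on_complete == noop) &&
             (rc != 0 || strcmp(rec->arg, arg) == 0);
    free(rec);
    return ok;
}
```

A 63-byte argument (plus terminator) is the longest the hardened handler accepts; anything without a NUL in the first 64 bytes is rejected before any write occurs.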

Vulnerability History:

3/22/2006: IPA notified of this vulnerability. (Information-technology Promotion Agency. http://www.ipa.go.jp/index-e.html)
4/11/2006: IPA responds to our notice. The author of Winny insists that code execution is impossible. We chose to continue working with the IPA and sent additional detailed information about this heap overflow and how heap overflows are exploited.
4/16/2006: The IPA responds to our information. Due to other circumstances, the author cannot fix this vulnerability.
4/21/2006: The IPA publishes this information on their website.
4/21/2006: eEye publishes this advisory.

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink Endpoint Intrusion Prevention - preemptively protects from this vulnerability.

Vendor Status:
JVN#74294680
http://jvn.jp/jp/JVN%2374294680/index.html

Credit:
Discovery: Yuji Ukai
Additional Research: Ryoji Kanai

Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial

Greetings:
K.Takeda, Kameyama Shachu, IPA and JP/CERTCC

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email [email protected] for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.