Baidu Hi IM client software DoS bug, div zero make client crash

Type securityvulns
Reporter Securityvulns
Modified 2008-09-16T00:00:00


Baidu Hi IM client software DoS bug, div zero make client crash

-- CVE ID: Not assigned

-- Affected Vendors: Baidu

-- Affected Products: Baidu Hi IM software

-- Vulnerability Details:

Our automatic bug exploiting tools have found a DoS bug in Baidu Hi IM client which is a popular IM software in China. This bug is due to Baidu Hi client do not strictly check the login response packet's content from server in NetSevice.dll, malicious input can cause client crash by div zero exception .

-- Vendor Response: I contacted with Baidu a month ago, no any response from Baidu.

-- Credit: This vulnerability was discovered by: Gen LI & Jun MA & Ying Zhang

More Detail : (NetService.dll)

.text:1001FDB4 mov eax, [ebp+arg_C] .text:1001FDB7 sar esi, 3 .text:1001FDBA cdq .text:1001FDBB idiv esi ; cause div zero exception, and make client crash

let login response packet is an array : a[]

esi is from : tmp1= a[0x29] + (a[0x2a]<<8) + (a[0x2b]<<0x10) + (a[0x2c]<<0x18) ; when eip=0x100202ca tmp2= a[0x2d] + (a[0x2e]<<8) + (a[0x2f]<<0x10) + (a[0x30]<<0x18) ; when eip=0x100202ca tmp3= a[0x2b]+(a[0x2c]<<8) + (a[0x2d]<<0x10) + (a[0x2e]<<0x18) ; when eip=0x1001ef2f tmp4 = (tmp3<0) ? 0xffffffff:0 ; when eip= 0x1001fdac

tmp5 = tmp4 & 0x7; when eip = 0x1001fdad tmp6 = tmp3+tmp5; when eip = 0x1001fdb0 esi = tmp6>>3; when eip = 0x1001fdb7

if malicious input is proper, client will crash.