lunes, diciembre 29, 2008

PSI remote integer overflow

I once scanned myself from internet, and 8010/tcp port was detected.
my PSI jabber file transfer service was exposed to internet.

Then I fuzz this service and found a nice DoS.

A signed integer check lets crash remote PSI's and I think is not possible to overflow the heap, becouse the destination buffer is reallocated to the same amount of bytes to be copied.

I have reported it to the coders, and then they give me the ok to launch the advisory:

advisory
exploit

Be aware with the services you are exposing to internet, and be aware with your client applications (browser, jabber, msn, email client ..)

code has bugs ;)

3 comentarios:

xorl dijo...

I don't think that this is just a DoS. I believe it is exploitable, if you can control even a small chunk of data passed to memcpy() then it's definitely exploitable.
I haven't checked it in detail but I found it a little bit weird to have this kind of control over a memcpy() and the 'best' attack could result just a DoS.
I might be wrong though.

Jesús dijo...

Hi xorl,

you can cotrol the data to be copied by the memcpy, and also yout can say the amount of bytes to copy.

but, the destination buffer, is resized to the same amount of bytes to be copied.

Then there is not a heap overflow, unless the c++ resize implementation allocate less space that should.

Dreg dijo...

mola tio :-)