Bugtraq mailing list archives

Multiple Vuln. in Hotfoon.com's Hotfoon4.exe dialer


From: S G Masood <sgmasood () yahoo com>
Date: Sun, 10 Nov 2002 09:58:10 -0800 (PST)

Multiple Vuln. in Hotfoon.com's Hotfoon4.exe dialer

Hotfoon.com is a popular provider of PC-to-Phone, PC-to-PC Phone,
Instant Messaging and Chat services. Its services are accessed using
a client program, Hotfoon4.exe (http://www.hotfoon.com/hotfoon4.exe),
which includes the dialer. This is claimed to be the smallest dialer
in the world (76.0 KB), but small size does not ensure performance
or security. There are multiple vulnerabilities in Hotfoon.com's
services. Two of them are:

(1) Plaintext Password in Registry:

The hotfoon4.exe dialer stores the username and password of a user
in plain text in the Registry key "HKEY_CURRENT_USER\hotfoon2".
This is pathetic. If the password had to be stored in the registry,
a substitution cipher could have been used at the very least to give
the semblance of some kind of encryption. Anybody can navigate to
this key using 'REGEDIT' and see the password in plain text.

Once a username and password are compromised, a malicious user can
use them to make phone calls from the legitimate user's paid-for
account.

(2) Remotely exploitable Buffer Overflow in the dial field:

A remotely exploitable buffer overflow condition exists in the
'phone number to be dialed' text field of Hotfoon4.exe. There is no
bounds check on the field. An input of 76 bytes crashes the program
and an input of 80 bytes overwrites the ESI register.

The debugging information from a Dr. Watson log file (Win2k) is
given below. This may be used to write a PoC.

eax=008b0f20 ebx=0012fe28 ecx=00000010 edx=00000000 esi=61616161 edi=0040e900
eip=00402abb esp=0012f628 ebp=0012fe10 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000202

function: <nosymbols>
        00402aa7 8908             mov     [eax],ecx              ds:008b0f20=00830260
        00402aa9 c3               ret
        00402aaa 56               push    esi
        00402aab 8bf1             mov     esi,ecx
        00402aad 6a10             push    0x10
        00402aaf e84f4c0000       call    00407703
        00402ab4 33d2             xor     edx,edx
        00402ab6 59               pop     ecx
        00402ab7 3bc2             cmp     eax,edx
        00402ab9 7410             jz      0040b5cb
FAULT ->00402abb 8b4e04           mov     ecx,[esi+0x4]          ds:624b3737=????????
        00402abe 89500c           mov     [eax+0xc],edx          ds:0174e4f6=????????
        00402ac1 895008           mov     [eax+0x8],edx          ds:0174e4f6=????????
        00402ac4 8910             mov     [eax],edx              ds:008b0f20=00830260
        00402ac6 894804           mov     [eax+0x4],ecx          ds:0174e4f6=????????
        00402ac9 eb02             jmp     00405dcd
        00402acb 33c0             xor     eax,eax
        00402acd 8b4c2408         mov     ecx,[esp+0x8]          ss:00fccbff=????????
        00402ad1 894808           mov     [eax+0x8],ecx          ds:0174e4f6=????????
        00402ad4 8b4e04           mov     ecx,[esi+0x4]          ds:624b3737=????????
        00402ad7 ff06             inc     dword ptr [esi]        ds:61616161=????????
        00402ad9 3bca             cmp     ecx,edx

This overflow is remotely exploitable. This is because
the dialer defines a URL Protocol called "Voice" and
registers itself as the handler. The URL "voice:23456"
will launch hotfoon4.exe and it will try to dial the
number "123456". Since the overflow is in the dial
field, a URL like "Voice:......<exploit string>" will
launch the program and exploit it remotely. 

For example:
(1) Voice:aaaaaa.........76 a's
    This will crash hotfoon4.exe.
(2) Voice:aaaaaa.........80 a's
    This will crash hotfoon4.exe and overwrite the ESI register.
(3) Voice:aaaaaa.....76 a's...<exploit string>
    This will launch Hotfoon4.exe and exploit it.

Once the exploit is ready, a malicious user just needs to send a
specially crafted URL to a user to exploit him (download and run any
program, besides other things). This may be achieved by sending the
user an HTML mail or by making him view a web page.
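The fix on the dialer side is the missing bounds check: a URL protocol handler receives the whole "voice:" argument on its command line and must validate it before it touches a fixed-size dial field. The following is an added illustrative example, not Hotfoon's code; the field size DIAL_MAX, the function names and the constructed sample inputs are assumptions. It strips the scheme, whitelists the characters a phone number can contain, and rejects anything that would not fit, so the overlong inputs described above are refused rather than copied.

```c
/* Added example (not Hotfoon's code): bounded, whitelisting parse of a
 * "voice:" URL argument before it reaches a fixed-size dial field.
 * DIAL_MAX, the function names and the sample inputs are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DIAL_MAX 32   /* assumed capacity of the dial field, including NUL */

/* Returns 1 and writes a NUL-terminated number into out if the URL is
 * acceptable; returns 0 and leaves out empty otherwise. Accepted form:
 * optional "voice:" scheme (case-insensitive), then 1..outlen-1 characters
 * from [0-9*#], with '+' permitted only as the first character. The length
 * check runs before any byte is copied: an overlong number is an error,
 * not something to truncate and dial anyway. */
int parse_voice_url(const char *url, char *out, size_t outlen)
{
    static const char scheme[] = "voice:";
    const size_t scheme_len = sizeof(scheme) - 1;
    size_t i, n;

    if (url == NULL || out == NULL || outlen == 0)
        return 0;
    out[0] = '\0';

    /* Strip the scheme if present; URL schemes compare case-insensitively. */
    if (strlen(url) >= scheme_len) {
        int match = 1;
        for (i = 0; i < scheme_len; i++) {
            if (tolower((unsigned char)url[i]) != scheme[i]) { match = 0; break; }
        }
        if (match)
            url += scheme_len;
    }

    /* Validate length and character set together, without copying. */
    for (n = 0; url[n] != '\0'; n++) {
        unsigned char c = (unsigned char)url[n];
        if (n + 1 >= outlen)                 /* no room for this char plus NUL */
            return 0;
        if (isdigit(c) || c == '*' || c == '#')
            continue;
        if (c == '+' && n == 0)
            continue;
        return 0;                            /* anything else is rejected */
    }
    if (n == 0)
        return 0;                            /* empty number */

    memcpy(out, url, n);
    out[n] = '\0';
    return 1;
}

/* Stand-in for the dialer's fixed-size dial field. */
static char dial_field[DIAL_MAX];

/* What the protocol handler would do with its command-line argument:
 * only a validated number ever lands in the dial field. */
int handle_voice_url(const char *url)
{
    return parse_voice_url(url, dial_field, sizeof dial_field);
}

const char *dial_field_value(void)
{
    return dial_field;
}

/* Constructed input: a run of n copies of character c, handed to the
 * handler. Lets the overlong cases from the advisory be exercised. */
int handle_run_of(char c, size_t n)
{
    char run[256];
    if (n >= sizeof run)
        n = sizeof run - 1;
    memset(run, c, n);
    run[n] = '\0';
    return handle_voice_url(run);
}

int main(void)
{
    printf("voice:23456        -> %d (%s)\n", handle_voice_url("voice:23456"), dial_field_value());
    printf("Voice:+15551230100 -> %d (%s)\n", handle_voice_url("Voice:+15551230100"), dial_field_value());
    printf("76 x 'a'           -> %d\n", handle_run_of('a', 76));
    printf("80 x 'a'           -> %d\n", handle_run_of('a', 80));
    printf("80 x '7'           -> %d\n", handle_run_of('7', 80));
    return 0;
}
```

The whitelist matters as much as the length check: a handler that is reachable from any web page or HTML mail should treat its argument as hostile input, so the parser accepts only what a phone number needs and refuses everything else before the copy, rather than copying first and checking later.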

These two are only some of the many vulnerabilities present in the
service. For example, overflows exist in almost every input field of
the dialer, but I had time to document only the one above. Hotfoon.com
is inherently buggy and highly insecure.


