
gadu-gadu.txt

Posted Sep 13, 2004
Authored by Lord Yup | Site sec-labs.hack.pl

Sec-Labs Advisory - Gadu-Gadu is susceptible to a heap overflow that allows for arbitrary code execution. Tested against version 6.0 build 149.

tags | advisory, overflow, arbitrary, code execution
SHA-256 | c439851c4bd7fe8790976ac8da0cb2ed86c17f1eda67ae166eb128b68e66b817


Sec-Labs Team proudly presents:


Gadu-Gadu (all versions with image-send feature) Heap Overflow
by Lord YuP
12/09/2004


Severity: High / Critical - Remote Code Execution

Version affected: probably all versions with the image-send feature
Tested on ver. 6.0 build 149 (the newest one, released two days
before this advisory)


I. BACKGROUND

Gadu-Gadu is the most popular Polish instant messenger, created by
the sms-express corporation (https://www.gadu-gadu.pl).
It has been shown that Gadu-Gadu is used by a few million
users around the world (mainly in Poland).


II. DESCRIPTION

The vulnerability lies in the image-sending feature.
Look at the following protocol schema:
(https://dev.null.pl/ekg/docs/protocol.html)


1) The ATTACKER (who must be in the target's contact list) sends a
specially crafted GG_SEND_MSG packet; the packet informs the
target that an image is on the way.


2) If everything went OK, the TARGET replies with an included
GG_MSG_IMAGE_REQUEST structure.


3) The ATTACKER sends a specially crafted GG_MSG_IMAGE_REPLY
(the checksum value in this structure must of course be
the same as in the structure from step one).


With this message it is possible to make
Gadu-Gadu overwrite arbitrary heap memory and
cause an access violation exception in RtlAllocateHeap
(a function exported by the NTDLL library).


Here is the debugger output (Windows 2000 SP3):

(62c.4a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=58585858 ebx=00000082 ecx=65656565 edx=010975e8 esi=010975e8 edi=01070000
eip=77fcb3f5 esp=0012e5a4 ebp=0012e73c iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
ntdll!RtlAllocateHeap+0x27d:
77fcb3f5 8901 mov [ecx],eax ds:0023:65656565=????????


Stack unwind for this one:

ChildEBP RetAddr
0012fd88 0044fd31 ntdll!RtlAllocateHeap+0x27d
0012fdc4 0044fd53 gg+0x4fd31
0012fe2c 0045fd0d gg+0x4fd53
00000000 00000000 gg+0x5fd0d

These instructions (from ntdll!RtlAllocateHeap):

77fcb3f5 8901 mov [ecx],eax ds:0023:65656565=????????
77fcb3f7 894804 mov [eax+0x4],ecx

allow an attacker to write an arbitrary dword value to any address (since the
attacker fully controls the EAX and ECX registers). Exploitation of such cases has
been described many times in security-related documents. It has been noticed that,
using different packet variations, it is possible to overwrite different registers.
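As an added illustration (not code from this advisory or from the Gadu-Gadu client), here is how a receiving client can handle the three-step exchange above defensively: every length in a GG_MSG_IMAGE_REPLY is checked against the bytes actually received and against the buffer allocated for the pending request before anything is copied, and replies whose checksum does not match an outstanding GG_MSG_IMAGE_REQUEST are dropped. The field layout, names and constants are assumptions, not the real wire format.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Field layout and names below are an assumption for illustration, not the real GG wire format. */
#define IMG_MAX_SIZE (256u * 1024u) /* sane upper bound for one image */
#define IMG_HDR_LEN  12u            /* size(4) + crc32(4) + chunk_len(4) */

typedef struct {
    uint32_t size;       /* declared total image size */
    uint32_t crc32;      /* checksum; must match the image we asked for */
    uint32_t chunk_len;  /* bytes of image data carried by this packet */
    const uint8_t *data; /* points into the packet, copied only after checks */
} image_reply_t;
typedef struct {
    uint32_t expected_crc; /* checksum from the GG_MSG_IMAGE_REQUEST we sent */
    uint32_t size;         /* fixed by the first accepted chunk */
    uint32_t received;     /* bytes written so far */
    uint8_t *buf;          /* heap buffer, allocated exactly once */
} pending_image_t;
static uint32_t rd32le(const uint8_t *p) { /* little-endian on the wire (assumed) */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the reply header; 0 on success, -1 if malformed. The chunk length is
   checked against the bytes actually present before anyone reads the data. */
int parse_image_reply(const uint8_t *pkt, size_t pkt_len, image_reply_t *out) {
    if (pkt == NULL || out == NULL || pkt_len < IMG_HDR_LEN) return -1;
    out->size = rd32le(pkt);
    out->crc32 = rd32le(pkt + 4);
    out->chunk_len = rd32le(pkt + 8);
    if (out->chunk_len > pkt_len - IMG_HDR_LEN) return -1; /* claims more than it carries */
    out->data = pkt + IMG_HDR_LEN;
    return 0;
}

/* Copy an accepted chunk into the pending image; 0 on success, -1 if rejected.
   No write can land past the end of buf, so adjacent heap blocks stay intact. */
int accept_image_reply(pending_image_t *p, const image_reply_t *r) {
    if (r->crc32 != p->expected_crc) return -1;            /* unsolicited reply */
    if (r->size == 0 || r->size > IMG_MAX_SIZE) return -1; /* absurd declared size */
    if (p->buf == NULL) {                                  /* first chunk: allocate once */
        p->size = r->size;
        p->buf = calloc(1, r->size);
        if (p->buf == NULL) return -1;
    } else if (r->size != p->size) return -1;              /* size changed mid-transfer */
    if (r->chunk_len > p->size - p->received) return -1;   /* would overrun the buffer */
    memcpy(p->buf + p->received, r->data, r->chunk_len);
    p->received += r->chunk_len;
    return 0;
}
```

The two length checks are the ones that matter: a chunk longer than the packet is rejected at parse time, and a chunk that would run past the declared image size is rejected before memcpy, so no sender-supplied value ever decides how far a write goes.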


III. IMPACT

After successful remote exploitation, this vulnerability can allow the
attacker to run arbitrary code in the context of the current user.
Of course, if exploitation is not successful, the target client will crash.


The following sample screenshots were taken (just after a remote attack):
- https://sec-labs.hack.pl/screenshots/gg-s1.jpg
- https://sec-labs.hack.pl/screenshots/gg-s2.jpg


IV. POC CODE

The Sec-Labs team is not going to release POC code for this issue.
We are not supporting kiddies any more.


V. BONUS

Here is a short document which describes how to exploit a similar
vulnerability (a heap overflow condition) in MSRPC:
- Exploiting the MSRPC Heap Overflow by Dave Aitel
(https://www.immunitysec.com/downloads/msrpcheap.pdf)
(https://www.immunitysec.com/downloads/msrpcheap2.pdf)


--
Sec-Labs Team [https://sec-labs.hack.pl]