BugTraq
Multiple Vuln. in Hotfoon.com's Hotfoon4.exe dialer Nov 10 2002 05:58PM
S G Masood (sgmasood yahoo com)
Multiple Vuln. in Hotfoon.com's Hotfoon4.exe dialer

Hotfoon.com is a popular provider of PC to Phone, PC to PC Phone, Instant Messaging and Chat services. Its services are accessed using a client program, Hotfoon4.exe (http://www.hotfoon.com/hotfoon4.exe), which includes the dialer. This is claimed to be the smallest dialer in the world (76.0 KB). But it does not ensure performance or security. There are multiple vulnerabilities in Hotfoon.com's services.
Two of them are:

(1) Plaintext Password in Registry:

The hotfoon4.exe dialer stores the username and password of a user in plain text in the Registry key "HKEY_CURRENT_USER\hotfoon2". This is pathetic. If the password had to be stored in the registry, a substitution cipher could have been used at the very least, to give at least the semblance of some kind of encryption. Anybody can navigate to this key using 'REGEDIT' and see the password in plain text.

Once a username and password are compromised, a malicious user can use them to make phone calls from the legitimate user's paid-for account.

(2) Remotely exploitable Buffer Overflow in the dial
field:

A remotely exploitable buffer overflow condition exists in the 'phone number to be dialed' text field of Hotfoon4.exe. There is no bounds check on the field. An input of 76 bytes crashes the program and an input of 80 bytes overwrites the ESI register.

The debugging information from a DrWatson log file (Win2k) is given below. This may be used to write a PoC.

eax=008b0f20 ebx=0012fe28 ecx=00000010 edx=00000000 esi=61616161 edi=0040e900
eip=00402abb esp=0012f628 ebp=0012fe10 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000202

function: <nosymbols>
        00402aa7 8908             mov     [eax],ecx              ds:008b0f20=00830260
        00402aa9 c3               ret
        00402aaa 56               push    esi
        00402aab 8bf1             mov     esi,ecx
        00402aad 6a10             push    0x10
        00402aaf e84f4c0000       call    00407703
        00402ab4 33d2             xor     edx,edx
        00402ab6 59               pop     ecx
        00402ab7 3bc2             cmp     eax,edx
        00402ab9 7410             jz      0040b5cb
FAULT ->00402abb 8b4e04           mov     ecx,[esi+0x4]          ds:624b3737=????????
        00402abe 89500c           mov     [eax+0xc],edx          ds:0174e4f6=????????
        00402ac1 895008           mov     [eax+0x8],edx          ds:0174e4f6=????????
        00402ac4 8910             mov     [eax],edx              ds:008b0f20=00830260
        00402ac6 894804           mov     [eax+0x4],ecx          ds:0174e4f6=????????
        00402ac9 eb02             jmp     00405dcd
        00402acb 33c0             xor     eax,eax
        00402acd 8b4c2408         mov     ecx,[esp+0x8]          ss:00fccbff=????????
        00402ad1 894808           mov     [eax+0x8],ecx          ds:0174e4f6=????????
        00402ad4 8b4e04           mov     ecx,[esi+0x4]          ds:624b3737=????????
        00402ad7 ff06             inc     dword ptr [esi]        ds:61616161=????????
        00402ad9 3bca             cmp     ecx,edx

This overflow is remotely exploitable because the dialer defines a URL Protocol called "Voice" and registers itself as the handler. The URL "voice:23456" will launch hotfoon4.exe, which will try to dial the number "123456". Since the overflow is in the dial field, a URL like "Voice:......<exploit string>" will launch the program and exploit it remotely.

For example:
(1) Voice:aaaaaa.........76 a's
    This will crash hotfoon4.exe.
(2) Voice:aaaaaa.........80 a's
    This will crash hotfoon4.exe and overwrite the ESI register.
(3) Voice:aaaaaa.....76 a's...<exploit string>
    This will launch Hotfoon4.exe and exploit it.

Once the exploit is ready, a malicious user just needs to send a specially crafted URL to a user to exploit them (download and run any program, among other things). This may be achieved by sending the user an HTML mail or by making them view a web page.
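Because the attack arrives as a "voice:" URL in mail or web content, a mail gateway or proxy can flag such URLs before they reach the dialer. The scanner below is an added example written for this note, not code from the advisory or from Hotfoon.com: it uses the 76-byte crash length reported above, and the set of "dialable" characters it accepts is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Length at which the advisory reports the dial field crashing (76 bytes);
# 80 bytes overwrote ESI. Anything at or past this is treated as hostile.
CRASH_LENGTH = 76

# Assumption (not from the advisory): a legitimate dial string is digits plus
# common dialing punctuation. Anything else is not a phone number.
DIALABLE = re.compile(r"^[0-9+*#().\- ]*$")

# The dialer registers the "voice" URL Protocol; match it case-insensitively
# and capture the argument up to whitespace, quotes or angle brackets.
VOICE_URI = re.compile(r"\bvoice:([^\s\"'<>]*)", re.IGNORECASE)


@dataclass
class Finding:
    uri: str
    length: int
    reason: str


def scan_for_voice_uris(body: str) -> List[Finding]:
    """Return a Finding for every voice: URI in a message body that either
    reaches the reported crash length or is not a plausible phone number."""
    findings = []
    for match in VOICE_URI.finditer(body):
        arg = match.group(1)
        if len(arg) >= CRASH_LENGTH:
            reason = "dial string reaches the reported crash length"
        elif not DIALABLE.match(arg):
            reason = "dial string contains non-dialable characters"
        else:
            continue  # a short numeric dial string is what the handler expects
        findings.append(Finding(match.group(0), len(arg), reason))
    return findings


if __name__ == "__main__":
    # Constructed sample bodies, not taken from the advisory.
    samples = [
        'Call me: <a href="voice:23456">click here</a>',      # benign
        '<a href="Voice:' + "a" * 80 + '">free minutes</a>',  # crash length
        "voice:1234;notanumber",                              # odd characters
    ]
    for body in samples:
        for f in scan_for_voice_uris(body):
            print(f"{f.length:3d} bytes  {f.reason}: {f.uri[:40]}")
```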

These two are only a few of the many vulnerabilities present in the service. For example, overflows exist in almost every input field of the dialer, but I had time to document only the one above. Hotfoon.com is inherently buggy and highly insecure.
