On Monday, January 17, 2005, 9:40:47 PM Rafel Ivgi, The-Insider
<theinsider@012.net.il> wrote:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Kazaa
Vendors: http://www.kazaa.com
Versions: kazaa lite k++(probably all others too...)
Platforms: Windows
Bug: Sig2Dat Protocol Remote Integer Overflow and
Denial Of Service by creating files in arbitrary
locations
Exploitation: Remote With Browser
Date: 17 Jan 2005
Author: Rafel Ivgi, The-Insider
E-Mail: the_insider@mail.com
Website: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
Kazaa is currently the world?s most common P2P file sharing application.
When installing Kazaa a new protocol is installed named ?sig2dat?.
This is incorrect. Kazaa itself does not install a handler for the
'sig2dat' URIs. In fact it doesn't even know about them. The sig2dat
URIs are created and handled by a third party tool [1] which contains
the described flaws and happens to be included in the (unofficial)
Kazaa Lite package.
The official Kazaa from http://www.kazaa.com does not handle sig2dat
URIs and is not vulnerable.
This protocol contain an integer overflow vulnerability which may cause
a crash and may allow remote execution of code. There is another
vulnerability in the ?File:? parameter which allows creating files in
arbitrary locations and committing Denial Of Service.
[1] sig2dat, http://www.geocities.com/vlaibb/tools.html
(The design and code of this thing are horrific and there are no
doubt plenty of other bugs to be found)
--
Markus Kern
