#######################################################################

                             Luigi Auriemma

Application:  Qt
              http://qt.nokia.com
Versions:     <= 4.6.3
Platforms:    Windows, Mac OS X, Linux, mobile devices
Bug:          QSslSocket endless loop
Exploitation: remote, versus server
Date:         29 Jun 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"Qt is a cross-platform application and UI framework.
Using Qt, you can write web-enabled applications once and deploy them
across desktop, mobile and embedded operating systems without rewriting
the source code."


#######################################################################

======
2) Bug
======


The part of the network library which handles the SSL connection can be
tricked into an endless loop that freezes the whole application with
CPU at 100%.

The problem is located in the QSslSocketBackendPrivate::transmit()
function in src_network_ssl_qsslsocket_openssl.cpp that never exits
from the main "while" loop.

Any application that acts as a server and uses SSL through the
QSslSocket class is vulnerable (clients are affected too, but there is
no security impact in that scenario). Some examples are the Mumble
server (Murmur), Multi-Computer Virtual Whiteboard and so on.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/qtsslame.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################