Baidu Hi IM client software DoS bug, div zero make client crash

2008.09.16
Credit: Li Gen
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-189


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

CVE ID: Not assigned
Affected Vendors: Baidu
Affected Products: Baidu Hi IM software

Vulnerability Details:
Our automatic bug exploiting tools have found a DoS bug in the Baidu Hi IM client, a popular IM program in China. The bug exists because the Baidu Hi client does not strictly check the content of the login response packet received from the server in NetService.dll; malicious input can crash the client with a divide-by-zero exception.

Vendor Response:
I contacted Baidu a month ago; there has been no response from Baidu.

Credit:
This vulnerability was discovered by Gen LI, Jun MA and Ying Zhang.

More Detail (NetService.dll):

    .text:1001FDB4 mov  eax, [ebp+arg_C]
    .text:1001FDB7 sar  esi, 3
    .text:1001FDBA cdq
    .text:1001FDBB idiv esi        ; causes a divide-by-zero exception and crashes the client

Let the login response packet be an array a[]. esi is derived as follows:

    tmp1 = a[0x29] + (a[0x2a]<<8) + (a[0x2b]<<0x10) + (a[0x2c]<<0x18)   ; when eip = 0x100202ca
    tmp2 = a[0x2d] + (a[0x2e]<<8) + (a[0x2f]<<0x10) + (a[0x30]<<0x18)   ; when eip = 0x100202ca
    tmp3 = a[0x2b] + (a[0x2c]<<8) + (a[0x2d]<<0x10) + (a[0x2e]<<0x18)   ; when eip = 0x1001ef2f
    tmp4 = (tmp3 < 0) ? 0xffffffff : 0                                  ; when eip = 0x1001fdac
    tmp5 = tmp4 & 0x7                                                   ; when eip = 0x1001fdad
    tmp6 = tmp3 + tmp5                                                  ; when eip = 0x1001fdb0
    esi  = tmp6 >> 3                                                    ; when eip = 0x1001fdb7

If the malicious input is crafted accordingly, esi becomes zero and the client crashes.
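The following C program is an added example and is not code from the advisory or from Baidu's NetService.dll. It reproduces, step by step, the derivation of esi from the packet bytes a[0x2b..0x2e] given above (the sign mask, `& 7`, add and `sar 3` sequence is the standard compiler idiom for a signed division by 8 that rounds toward zero), and then shows the check the client is missing: the packet must be long enough to hold the field and the derived divisor must not be zero before the `idiv` is reached. The packet layout (0x40 bytes of zero filler with only the divisor field populated), the function names and the `arg_C` dividend value are assumptions made for the illustration; the advisory does not say what `arg_C` holds.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Offset of the little-endian 32-bit field the advisory calls tmp3
 * (a[0x2b] .. a[0x2e]); the field is the source of the idiv divisor. */
#define DIVISOR_FIELD_OFFSET 0x2b
#define MIN_PACKET_LEN (DIVISOR_FIELD_OFFSET + 4)

/* tmp3: the signed 32-bit value read at offset 0x2b (eip 0x1001ef2f). */
static int32_t read_tmp3(const uint8_t *a)
{
    uint32_t v = (uint32_t)a[0x2b]
               | ((uint32_t)a[0x2c] << 8)
               | ((uint32_t)a[0x2d] << 16)
               | ((uint32_t)a[0x2e] << 24);
    return (int32_t)v;
}

/* Mirrors the instructions at 0x1001fdac..0x1001fdb7: this is how a
 * compiler emits `tmp3 / 8` for a signed operand (round toward zero). */
int32_t compute_divisor(const uint8_t *a)
{
    int32_t tmp3 = read_tmp3(a);
    int32_t tmp4 = (tmp3 < 0) ? -1 : 0;  /* 0xffffffff when negative, else 0 */
    int32_t tmp5 = tmp4 & 0x7;           /* 7 for negative tmp3, else 0 */
    int32_t tmp6 = tmp3 + tmp5;          /* cannot overflow: tmp5 != 0 only if tmp3 < 0 */
    return tmp6 >> 3;                    /* sar esi, 3 (arithmetic shift) */
}

typedef enum { PKT_OK, PKT_TOO_SHORT, PKT_ZERO_DIVISOR } pkt_status;

/* The validation the advisory says is missing: reject a login response that is
 * too short to contain the field, or whose derived divisor is zero. */
pkt_status validate_login_response(const uint8_t *a, size_t len)
{
    if (len < MIN_PACKET_LEN)
        return PKT_TOO_SHORT;
    if (compute_divisor(a) == 0)
        return PKT_ZERO_DIVISOR;
    return PKT_OK;
}

/* Performs the division only after validation. The extra INT32_MIN / -1 test is
 * a caveat of our own: x86 idiv raises the same #DE exception on that overflow,
 * so a check for zero alone is not sufficient for a signed divisor. */
bool safe_login_divide(int32_t arg_c, const uint8_t *a, size_t len, int32_t *quotient)
{
    if (validate_login_response(a, len) != PKT_OK)
        return false;
    int32_t divisor = compute_divisor(a);
    if (divisor == -1 && arg_c == INT32_MIN)
        return false;
    *quotient = arg_c / divisor;         /* cdq ; idiv esi */
    return true;
}

/* Builds a constructed sample packet (not real Baidu Hi traffic) whose divisor
 * field holds `field`; everything else is zero filler. */
static void build_sample(uint8_t *a, size_t len, int32_t field)
{
    uint32_t v = (uint32_t)field;
    memset(a, 0, len);
    a[0x2b] = (uint8_t)(v & 0xff);
    a[0x2c] = (uint8_t)((v >> 8) & 0xff);
    a[0x2d] = (uint8_t)((v >> 16) & 0xff);
    a[0x2e] = (uint8_t)((v >> 24) & 0xff);
}

/* Divisor the client would derive from a packet whose field holds `field`. */
int32_t divisor_for_field(int32_t field)
{
    uint8_t a[0x40];
    build_sample(a, sizeof a, field);
    return compute_divisor(a);
}

/* Validation verdict for a full-length sample packet with the given field. */
pkt_status check_sample(int32_t field)
{
    uint8_t a[0x40];
    build_sample(a, sizeof a, field);
    return validate_login_response(a, sizeof a);
}

int main(void)
{
    static const int32_t fields[] = { 0, 7, -1, 8, -8, 256, -256 };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        int32_t q;
        uint8_t a[0x40];
        build_sample(a, sizeof a, fields[i]);
        bool ok = safe_login_divide(1000, a, sizeof a, &q);
        printf("field=%6d divisor=%4d %s\n", fields[i], compute_divisor(a),
               ok ? "accepted" : "rejected (would fault at idiv)");
    }
    return 0;
}
```

Running it shows that every field value whose truncating division by 8 yields zero is rejected before the division, while values such as 256 or -256 pass and divide normally; a packet shorter than 0x2f bytes is rejected before the field is even read.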

References:

http://www.securityfocus.com/archive/1/archive/1/496353/100/0/threaded
