Qt 4.6.3 "QSslSocketBackendPrivate::transmit()" Denial of Service

2010-07-07 / 2010-07-08
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

####################################################################### Luigi Auriemma Application: Qt http://qt.nokia.com Versions: <= 4.6.3 Platforms: Windows, Mac OS X, Linux, mobile devices Bug: QSSLsocket endless loop Exploitation: remote, versus server Date: 29 Jun 2010 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's website: "Qt is a cross-platform application and UI framework. Using Qt, you can write web-enabled applications once and deploy them across desktop, mobile and embedded operating systems without rewriting the source code." ####################################################################### ====== 2) Bug ====== The part of the network library which handles the SSL connection can be tricked into an endless loop that freezes the whole application with CPU at 100%. The problem is located in the QSslSocketBackendPrivate::transmit() function in src_network_ssl_qsslsocket_openssl.cpp that never exits from the main "while" loop. Any application that acts as a server (and client, but has no security impact in this scenario) and uses SSL through the QSslSocket class is vulnerable and some examples are the Mumble server (Murmur), Multi-Computer Virtual Whiteboard and so on. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/qtsslame.zip ####################################################################### ====== 4) Fix ====== No fix. #######################################################################

References:

http://www.vupen.com/english/advisories/2010/1657
http://www.securityfocus.com/bid/41250
http://secunia.com/advisories/40389
http://osvdb.org/65860
http://aluigi.org/poc/qtsslame.zip
http://aluigi.altervista.org/adv/qtsslame-adv.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top