#######################################################################
Luigi Auriemma
Application: Qt
http://qt.nokia.com
Versions: <= 4.6.3
Platforms: Windows, Mac OS X, Linux, mobile devices
Bug: QSSLsocket endless loop
Exploitation: remote, versus server
Date: 29 Jun 2010
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's website:
"Qt is a cross-platform application and UI framework.
Using Qt, you can write web-enabled applications once and deploy them
across desktop, mobile and embedded operating systems without rewriting
the source code."
#######################################################################
======
2) Bug
======
The part of the network library which handles the SSL connection can be
tricked into an endless loop that freezes the whole application with
CPU at 100%.
The problem is located in the QSslSocketBackendPrivate::transmit()
function in src_network_ssl_qsslsocket_openssl.cpp that never exits
from the main "while" loop.
Any application that acts as a server (and client, but has no security
impact in this scenario) and uses SSL through the QSslSocket class is
vulnerable and some examples are the Mumble server (Murmur),
Multi-Computer Virtual Whiteboard and so on.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/qtsslame.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################