Product: Gadu-Gadu, most available versions (including the latest one)
Vendor: SMS-EXPRESS.COM (http://www.gadu-gadu.pl)
Impact: Several vulnerabilities within the application allow remote execution of arbitrary code and information stealing
Severity: Critical
Authors: Blazej Miga <bla@xxxxxxxxxxxxx>, Jaroslaw Sajko <sloik@xxxxxxxxxxxxx>
Advisory: http://www.man.poznan.pl/~security/gg-adv.txt

[ISSUE]

Gadu-Gadu is the first Polish instant messenger, used by about 3 million people per month. Several vulnerabilities were discovered, ranging from heap and stack overflows, integer overflows and directory traversal to incorrect filtering of HTML script code. These vulnerabilities can lead to remote execution of arbitrary code, theft of user data (contact list, password, etc.) or an application crash. All of them can be exploited on a default configuration of the Gadu-Gadu application.

[DETAILS]

Bug 1. There is a parsing error in the code portion responsible for analysing 'http:' and 'news:' hrefs embedded in sent messages. It can be exploited to inject an '<a>' tag carrying script code, or a reference to it, into the HTML displayed by the application. The attacker can send the malicious code itself or a reference to a file containing it (see Feature 0 described below). If properly exploited, the code is executed when the window with the message pops up, and it executes in the LOCAL ZONE!

Bug 2. Some strange kind of feature. The Gadu-Gadu client allows users to connect to the server via an HTTP proxy, but because there is no server authentication, any proxy server can send any packet. Combined with Feature 1 (described below), this allows remote code execution by HTTP proxy administrators or by any other man in the middle. All WITHOUT the user's knowledge!

Bug 3. Exploiting the DCC connection feature (Feature 2) and the CTCP packets (a CTCP packet with special values, 1 as type and 4 as subtype), you can get a file from the _cache directory of your friend, without his knowledge!
But, because there is a directory traversal error, you can get any file, e.g. '..\Ja\config.dat', where the password is stored. The user is NOT notified about this by the Gadu-Gadu application.

Bug 4. There is a buffer overflow in the code portion handling the sending of images. This is a stack overflow which can be triggered by a specially crafted filename. Successful exploitation can lead to a stack frame overwrite and arbitrary code execution. This bug works with the newest build of the program.

Bug 4b. In addition there is also a heap overflow. This bug is probably the same as the one found by Lord YuP in September this year, but it still works with the newest program build!

Bug 5. There is some kind of bug while reading the config file. Even if the "image send" option is disabled (as it is by default), you can still send small images, up to 100 bytes. Combined with bug number 4, this allows the attacker to send a malicious packet with arbitrary code to any user who has the attacker's UIN on his contact list (even users who have the "image send" option disabled).

Bug 6. Another vulnerability related to image sending relies on the fact that an image can be divided into packets and sent one by one, but the code responsible for reassembling the file does a strange comparison: if the length of the received data is not equal to the expected length of the file, the receive loop is not terminated. The attacker has full control over the length values, as they are retrieved directly from the received packets. So there is another heap overflow (maybe this is the bug Lord YuP found, who knows), and because the file can be long, there is a lot of space for the shellcode. This bug works with the newest version.

Bug 7. There is also an integer overflow vulnerability which can be triggered in the code portion responsible for receiving files through DCC.
It is caused by the fact that the file length is fetched directly from the sender's packet and compared to some maxlen value with a "JLE" instruction, i.e. a signed comparison, so a huge length whose top bit is set is treated as negative and passes the check. Because this time the file is written block by block, this bug can lead only (to our knowledge) to filling up the disk space with unknown data from memory, or to writing a small unknown part of memory to a file (which can then be fetched with bug number 3). Again, all data about lengths comes from the sender's packets.

Feature 0. When the filename parser meets '.' or '/' within a filename it strips it, but it does not strip the alternative encodings of those characters, which decode to the same '/' and '.'.

Feature 1. The server can send a specially crafted packet to a client with a DLL file inside it, and the client will execute a certain function from that library, without the user's knowledge.

Feature 2. When p2p connections are enabled, one side of a connection can ask the other one to connect to a given IP and port. This can also be exploited without the user's knowledge.

[POC]

Although we have working proof-of-concept code (Win2k, WinXP SP1, WinXP SP2) for all of the reported issues, we are not going to publish it until proper patches are released by the vendor.

[WORKAROUND]

Due to the nature of these bugs there is no workaround for Gadu-Gadu users at this time. The risk can be minimized by disabling DCC connections, purging your contact list, not connecting through HTTP proxies and not clicking on messages from strangers.

[SUMMARY]

The vendor has been informed about these bugs.

Have a nice day.

Copyright 2004 Blazej Miga, Jaroslaw Sajko. All rights reserved.
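Added example (not part of this advisory and not Gadu-Gadu code): a small C receiver showing the checks whose absence Bug 3, Feature 0, Bug 6 and Bug 7 describe. The fragment layout, the 1024-byte buffer, the use of percent-encoding as the "alternative encoding" of '/' and '.', and every function name are assumptions made for illustration; the advisory does not document the real wire format.

```c
/* Added example, not code from the advisory or the Gadu-Gadu client: the
 * checks a DCC receiver needs on sender-controlled fields.  Assumed for
 * illustration: percent-encoding as the "alternative encoding" of '/' and
 * '.', an invented fragment layout, a 1024-byte buffer, hypothetical names. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXLEN 1024u   /* assumed size of the receive buffer */

/* Feature 0: decode before filtering; a filter that strips '/' and '.' but
 * leaves their encoded forms lets "%2E%2E%2F" through intact. */
static int decode_filename(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%' && isxdigit((unsigned char)in[i + 1])
                     && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            i += 2;
        }
        if (o + 1 >= outsz)
            return 0;                  /* name too long */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Bug 3: a name served from _cache must be one plain entry of that directory;
 * any separator ('/' and '\' on Windows), drive colon, "." or ".." is rejected
 * after decoding, so '..\Ja\config.dat' cannot be requested. */
static int cache_path_is_safe(const char *requested)
{
    char name[256];
    if (!decode_filename(requested, name, sizeof name) || name[0] == '\0')
        return 0;
    if (strpbrk(name, "/\\:") != NULL)
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Bug 7: the flawed bound check is a signed compare (JLE), so 0xFFFFFFFF,
 * which is -1 when signed, passes as "small". */
static int signed_bound_check_passes(uint32_t len_from_packet)
{
    return (int32_t)len_from_packet <= (int32_t)MAXLEN;
}

/* One fragment of a transfer; the sender chooses len, as the advisory notes. */
struct fragment { uint32_t len; const uint8_t *data; };

/* Bugs 6 and 7 fixed: unsigned compares, a bound on every fragment, and the
 * loop ends once the declared total is reached rather than running while
 * received != expected.  Returns the byte count or a negative code. */
static int32_t receive_file(uint32_t declared_total,
                            const struct fragment *frags, size_t nfrags,
                            uint8_t *buf, size_t bufsz)
{
    if (declared_total > bufsz)
        return -1;                     /* too big for the buffer */
    size_t got = 0;
    for (size_t i = 0; i < nfrags; i++) {
        if (frags[i].len > declared_total - got)
            return -2;                 /* fragment would overrun buf */
        memcpy(buf + got, frags[i].data, frags[i].len);
        got += frags[i].len;
        if (got == declared_total)
            return (int32_t)got;
    }
    return -3;                         /* sender stopped short */
}

/* Constructed two-fragment transfer over filler bytes, so the receive path
 * can be driven with attacker-chosen lengths and no network. */
static int32_t sample_transfer(uint32_t declared_total, uint32_t len1, uint32_t len2)
{
    static const uint8_t filler[64] = "constructed sample payload bytes";
    if (len1 > sizeof filler || len2 > sizeof filler)
        return -4;                     /* keep the sample itself in bounds */
    struct fragment frags[2] = { { len1, filler }, { len2, filler } };
    uint8_t buf[MAXLEN];
    return receive_file(declared_total, frags, 2, buf, sizeof buf);
}

int main(void)
{
    printf("avatar.gif safe: %d\n", cache_path_is_safe("avatar.gif"));
    printf("..\\Ja\\config.dat safe: %d\n", cache_path_is_safe("..\\Ja\\config.dat"));
    printf("%%2E%%2E%%2FJa safe: %d\n", cache_path_is_safe("%2E%2E%2FJa%2Fconfig.dat"));
    printf("JLE check passes 0xFFFFFFFF: %d\n", signed_bound_check_passes(0xFFFFFFFFu));
    printf("8 bytes as 4+4: %d, as 4+6: %d, declared 0xFFFFFFFF: %d\n",
           sample_transfer(8, 4, 4), sample_transfer(8, 4, 6),
           sample_transfer(0xFFFFFFFFu, 4, 4));
    return 0;
}
```

The order matters twice here: the filename is decoded first and filtered second, otherwise the encoded '..' the advisory's Feature 0 describes survives the filter; and every length is compared as an unsigned value against the remaining room in the buffer before the copy, so neither a declared total with the top bit set (Bug 7) nor a fragment that is not equal to what is expected (Bug 6) reaches memcpy.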