On Monday, January 17, 2005, 9:40:47 PM Rafel Ivgi, The-Insider <theinsider@xxxxxxxxxx> wrote: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Application: Kazaa > Vendors: http://www.kazaa.com > Versions: kazaa lite k++(probably all others too...) > Platforms: Windows > Bug: Sig2Dat Protocol Remote Integer Overflow and > Denial Of Service by creating files in arbitrary > locations > Exploitation: Remote With Browser > Date: 17 Jan 2005 > Author: Rafel Ivgi, The-Insider > E-Mail: the_insider@xxxxxxxx > Website: http://theinsider.deep-ice.com > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > 1) Introduction > 2) Bugs > 3) The Code > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > =============== > 1) Introduction > =============== > Kazaa is currently the world?s most common P2P file sharing application. > When installing Kazaa a new protocol is installed named ?sig2dat?. This is incorrect. Kazaa itself does not install a handler for the 'sig2dat' URIs. In fact it doesn't even know about them. The sig2dat URIs are created and handled by a third party tool [1] which contains the described flaws and happens to be included in the (unofficial) Kazaa Lite package. The official Kazaa from http://www.kazaa.com does not handle sig2dat URIs and is not vulnerable. > This protocol contain an integer overflow vulnerability which may cause > a crash and may allow remote execution of code. There is another > vulnerability in the ?File:? parameter which allows creating files in > arbitrary locations and committing Denial Of Service. [1] sig2dat, http://www.geocities.com/vlaibb/tools.html (The design and code of this thing are horrific and there are no doubt plenty of other bugs to be found) -- Markus Kern
