DC++ bzip2 Decompression Routine DoS
Monday, 05 September 2005
Summary
DC++ is "an open source client for the Direct Connect protocol". A vulnerability in the way DC++ decompresses incoming file lists allows remote attackers to crash the program by sending it a very small file that inflates to a very large one once DC++ decompresses it.
Credit:
The information has been provided by mircia.
The original article can be found at: http://www.critical.lt/?vulnerabilities/22
Details
Vulnerable Systems:
* DC++ version 0.674
Newer versions of DC++ use bzip2 for file list compression to save bandwidth. A large, highly repetitive file compresses to almost nothing (for example, a 1 GB file consisting only of zeros compresses to ~750 bytes). If such a file replaces a user's file list, any client that downloads that file list tries to decompress it and crashes, or hangs and hogs a lot of resources.
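The defensive counterpart to the behaviour described above is to never inflate an untrusted bzip2 stream without a ceiling on the output size. The following is an added example, not code from DC++ or from the advisory's author. It builds a constructed, highly compressible sample in memory (4 MiB of zeros, which bzip2 shrinks to well under 1 KiB) and uses Python's `bz2.BZ2Decompressor` with its `max_length` argument to abort as soon as the inflated size passes a cap, so a tiny stream cannot be turned into an unbounded allocation. The cap values and the `file_list_is_acceptable` policy wrapper are assumptions chosen for the demonstration.

```python
import bz2

# Constructed sample input (not from the advisory): 4 MiB of zero bytes, which
# bzip2 shrinks to well under 1 KiB, standing in for a file list whose
# inflated size dwarfs its transfer size.
INFLATED_SIZE = 4 * 1024 * 1024
COMPRESSED_SAMPLE = bz2.compress(b"\x00" * INFLATED_SIZE)


class DecompressionLimitExceeded(Exception):
    """Raised when inflating the stream would exceed the configured ceiling."""


def decompress_bounded(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a bz2 stream, stopping as soon as the output exceeds max_output.

    BZ2Decompressor.decompress(max_length=...) yields at most `chunk` bytes per
    call and buffers the rest internally, so peak memory stays near
    max_output + chunk regardless of how large the stream really inflates.
    """
    decomp = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data                      # hand the whole input over on the first call
    while not decomp.eof:
        piece = decomp.decompress(pending, max_length=chunk)
        pending = b""                   # later calls drain the internal buffer
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"inflated output passed {max_output} bytes from a "
                f"{len(data)}-byte stream; refusing to continue")
        if not piece and decomp.needs_input:
            # No output, no buffered input, no end-of-stream marker: truncated.
            raise ValueError("truncated bz2 stream")
    return bytes(out)


def file_list_is_acceptable(data: bytes, max_output: int) -> bool:
    """Policy wrapper (assumed name): True only if the stream inflates within the ceiling."""
    try:
        decompress_bounded(data, max_output)
    except (DecompressionLimitExceeded, ValueError, OSError):
        # OSError is what the bz2 module raises for a corrupt stream.
        return False
    return True


if __name__ == "__main__":
    ratio = INFLATED_SIZE / len(COMPRESSED_SAMPLE)
    print(f"{len(COMPRESSED_SAMPLE)} compressed bytes inflate to "
          f"{INFLATED_SIZE} bytes (ratio ~{ratio:.0f}:1)")
    # A 1 MiB ceiling rejects the sample; a 16 MiB ceiling accepts it.
    print("1 MiB ceiling accepts:", file_list_is_acceptable(COMPRESSED_SAMPLE, 1 << 20))
    print("16 MiB ceiling accepts:", file_list_is_acceptable(COMPRESSED_SAMPLE, 16 << 20))
```

The important property is that the decision to reject is made after at most `max_output + chunk` bytes have been produced, not after the whole stream has been inflated; a client that reads the full output into memory first (as the vulnerable behaviour above implies) has already lost by the time it could check the size.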
Proof of Concept:
1. Download DC++, Process Explorer, and evil filelist http://www.critical.lt/research/dc.zip
2. Fire up DC++, connect to some server, and wait for someone to try to download your filelist or something from you (so that DC++ opens a handle to your original filelist and won't try to overwrite it later).
3. Open Process Explorer, press Find Handle, enter "files.xml.bz2", right-click on the handle that it found, press Close Handle, and replace your filelist with the evil one. Now when someone downloads your filelist, their DC++ will crash.