Sec-Labs Team proudly presents:


     Gadu-Gadu (all versions with image-send feature) Heap Overflow
     by Lord YuP
     12/09/2004


     Severity:     High / Critical - Remote Code Execution

     Version affected:  Probably all versions with image-send feature
      Tested on ver. 6.0 build 149 (the newest one
      released two days before)
 
     
   I. BACKGROUND

     Gadu-Gadu is the most popular polish communicator created by
     sms-express corporation (http://www.gadu-gadu.pl).
     It has been proved that Gadu-Gadu is used by few millions
     of users around the World (mainly Poland).


   II. DESCRIPTION

     Vulnerability takes place in image sending feature.
     Look at following protocol schema:
     (http://dev.null.pl/ekg/docs/protocol.html)


      1) ATTACKER (must be in contact list) sends specially 
   crafted GG_SEND_MSG packet, the packet informs  
   target that image is on a way.


      2) If everything went ok TARGET replies with included
   GG_MSG_IMAGE_REQUEST structure.


      3) ATTACKER sends specially crafted GG_MSG_IMAGE_REPLY
         (checksum value in this structure must be of course
   the same as in structure from point one)


     With this message it is possible to make
     Gadu-Gadu overwrite arbitrary heap memory and
     cause access violation exception in RtlAllocateHeap
     (function exported by NTDLL library).

  
     Here comes the debugger output (w2k-sp3):

     (62c.4a0): Access violation - code c0000005 (first chance)
     First chance exceptions are reported before any exception handling.
     This exception may be expected and handled.
     eax=58585858 ebx=00000082 ecx=65656565 edx=010975e8 esi=010975e8 edi=01070000
     eip=77fcb3f5 esp=0012e5a4 ebp=0012e73c iopl=0         nv up ei pl zr na po nc
     cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
     ntdll!RtlAllocateHeap+0x27d:
     77fcb3f5 8901             mov     [ecx],eax         ds:0023:65656565=????????


     Stack unwind for this one:

     ChildEBP RetAddr  
     0012fd88 0044fd31 ntdll!RtlAllocateHeap+0x27d
     0012fdc4 0044fd53 gg+0x4fd31
     0012fe2c 0045fd0d gg+0x4fd53
     00000000 00000000 gg+0x5fd0d

     Those instructions (from ntdll!RtlAllocateHeap):

     77fcb3f5 8901             mov     [ecx],eax         ds:0023:65656565=????????
     77fcb3f7 894804           mov     [eax+0x4],ecx

     allow attacker to write arbitrary dword value to any address (since attacker 
     fully controls EAX and ECX registers). Exploitation of such cases was many times
     described in security related documents. It has been noticed that using
     different packet variations it is possible to overwrite different registers.


   III. IMPACT

     This vulnerability after successful remote exploitation can allow the 
     attacker to run arbitrary code in context of current user.
     Of course if the exploitation was not successful target client will fault.


     Following sample screen has been made (just after remote attack):
     - http://sec-labs.hack.pl/screenshots/gg-s1.jpg
     - http://sec-labs.hack.pl/screenshots/gg-s2.jpg


   IV. POC CODE

     Sec-labs team is not going to release POC code for this issue.
     We are not supporting kiddies any more.


   V. BONUS

     It's just a little document which describes how to exploit similiar
     vulnerability (heap overflow condition) in MSRPC:
     -  Exploiting the MSRPC Heap Overflow by Dave Aitel
      (http://www.immunitysec.com/downloads/msrpcheap.pdf)
      (http://www.immunitysec.com/downloads/msrpcheap2.pdf)


-- 
Sec-Labs Team [http://sec-labs.hack.pl]