Sec-Labs Team proudly presents:

Gadu-Gadu (all versions with image-send feature) Heap Overflow
by Lord YuP
12/09/2004

Severity: High / Critical - Remote Code Execution
Version affected: Probably all versions with image-send feature
Tested on ver. 6.0 build 149 (the newest one, released two days before)

I. BACKGROUND

Gadu-Gadu is the most popular Polish instant messenger, created by sms-express corporation (http://www.gadu-gadu.pl). It has been proved that Gadu-Gadu is used by a few million users around the world (mainly Poland).

II. DESCRIPTION

The vulnerability lies in the image sending feature. Look at the following protocol schema (http://dev.null.pl/ekg/docs/protocol.html):

1) ATTACKER (must be in the contact list) sends a specially crafted GG_SEND_MSG packet; the packet informs the target that an image is on the way.
2) If everything went OK, TARGET replies with an included GG_MSG_IMAGE_REQUEST structure.
3) ATTACKER sends a specially crafted GG_MSG_IMAGE_REPLY (the checksum value in this structure must of course be the same as in the structure from point one).

With this message it is possible to make Gadu-Gadu overwrite arbitrary heap memory and cause an access violation exception in RtlAllocateHeap (a function exported by the NTDLL library).

Here comes the debugger output (w2k-sp3):

(62c.4a0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=58585858 ebx=00000082 ecx=65656565 edx=010975e8 esi=010975e8 edi=01070000
eip=77fcb3f5 esp=0012e5a4 ebp=0012e73c iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!RtlAllocateHeap+0x27d:
77fcb3f5 8901             mov     [ecx],eax         ds:0023:65656565=????????
Stack unwind for this one:

ChildEBP RetAddr
0012fd88 0044fd31 ntdll!RtlAllocateHeap+0x27d
0012fdc4 0044fd53 gg+0x4fd31
0012fe2c 0045fd0d gg+0x4fd53
00000000 00000000 gg+0x5fd0d

Those instructions (from ntdll!RtlAllocateHeap):

77fcb3f5 8901             mov     [ecx],eax         ds:0023:65656565=????????
77fcb3f7 894804           mov     [eax+0x4],ecx

allow the attacker to write an arbitrary dword value to any address (since the attacker fully controls the EAX and ECX registers). Exploitation of such cases has been described many times in security-related documents. It has been noticed that using different packet variations it is possible to overwrite different registers.

III. IMPACT

After successful remote exploitation this vulnerability can allow the attacker to run arbitrary code in the context of the current user. Of course, if the exploitation was not successful, the target client will fault.

The following sample screenshots were made (just after a remote attack):
- http://sec-labs.hack.pl/screenshots/gg-s1.jpg
- http://sec-labs.hack.pl/screenshots/gg-s2.jpg

IV. POC CODE

Sec-Labs team is not going to release POC code for this issue. We are not supporting kiddies any more.

V. BONUS

Just a little document which describes how to exploit a similar vulnerability (heap overflow condition) in MSRPC:
- Exploiting the MSRPC Heap Overflow by Dave Aitel
  (http://www.immunitysec.com/downloads/msrpcheap.pdf)
  (http://www.immunitysec.com/downloads/msrpcheap2.pdf)

--
Sec-Labs Team [http://sec-labs.hack.pl]
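The three-step exchange in section II hands the receiving client a peer-declared image size and checksum in GG_MSG_IMAGE_REPLY. The C parser below is an added example, not the Gadu-Gadu client's code and not from the advisory: it validates a reply against the GG_MSG_IMAGE_REQUEST the client itself sent and derives every length from the bytes actually received rather than from the peer's declared size. The field layout (flag, size, crc32, NUL-terminated filename, image data) is our reading of the ekg protocol description linked above; the 256 KiB cap, the status codes, the sample packet and the helper names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed little-endian wire layout of GG_MSG_IMAGE_REPLY, read from the
 * ekg protocol description the advisory links to:
 *   uint8  flag;       0x05 = first (here: only) fragment
 *   uint32 size;       declared total image size
 *   uint32 crc32;      checksum announced by the sender
 *   char   filename[]; NUL-terminated
 *   uint8  image[];    remainder of the packet
 * Added example, not the Gadu-Gadu client's code. */
#define GG_IMG_REPLY_HDR        9
#define GG_IMG_REPLY_FLAG_FIRST 0x05
#define GG_IMG_MAX_SIZE         (256u * 1024u)  /* constructed policy cap */

enum img_status {
    IMG_OK = 0,
    IMG_TRUNCATED,      /* fewer bytes than the fixed header */
    IMG_BAD_FLAG,       /* not a first fragment (0x06 continuations not handled here) */
    IMG_TOO_BIG,        /* declared size above the policy cap */
    IMG_SIZE_MISMATCH,  /* size differs from the request we sent */
    IMG_CRC_MISMATCH,   /* checksum differs from the request we sent */
    IMG_BAD_NAME,       /* filename not NUL-terminated inside the packet */
    IMG_OVERLONG_DATA   /* more image bytes present than declared */
};

struct img_reply_view {
    uint32_t size, crc32;
    const char *filename;      /* points into the received buffer */
    const uint8_t *image;      /* points into the received buffer */
    size_t image_len;          /* bytes actually present */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* expected_size/expected_crc are what the client itself put into its
 * GG_MSG_IMAGE_REQUEST (step 2). Every offset is bounded by `len`. */
enum img_status parse_image_reply(const uint8_t *buf, size_t len,
                                  uint32_t expected_size, uint32_t expected_crc,
                                  struct img_reply_view *out)
{
    if (len < GG_IMG_REPLY_HDR)            return IMG_TRUNCATED;
    if (buf[0] != GG_IMG_REPLY_FLAG_FIRST) return IMG_BAD_FLAG;
    uint32_t size = rd32le(buf + 1), crc = rd32le(buf + 5);
    if (size > GG_IMG_MAX_SIZE)            return IMG_TOO_BIG;
    if (size != expected_size)             return IMG_SIZE_MISMATCH;
    if (crc != expected_crc)               return IMG_CRC_MISMATCH;

    const uint8_t *name = buf + GG_IMG_REPLY_HDR;
    size_t rem = len - GG_IMG_REPLY_HDR;
    const uint8_t *nul = memchr(name, 0, rem);   /* NUL must lie inside the packet */
    if (nul == NULL)                       return IMG_BAD_NAME;
    size_t image_len = rem - (size_t)(nul - name) - 1;
    if (image_len > size)                  return IMG_OVERLONG_DATA;

    out->size = size;
    out->crc32 = crc;
    out->filename = (const char *)name;
    out->image = nul + 1;
    out->image_len = image_len;
    return IMG_OK;
}

/* Copy the image into a fixed buffer. The copy length is the bytes present,
 * checked against the destination capacity, never the declared size. */
int store_image(const struct img_reply_view *v, uint8_t *dst, size_t dst_cap)
{
    if (v->image_len > dst_cap) return -1;
    memcpy(dst, v->image, v->image_len);
    return (int)v->image_len;
}

/* Constructed test helper: serialise a reply; caller guarantees capacity. */
size_t build_reply(uint8_t *out, uint8_t flag, uint32_t size, uint32_t crc,
                   const char *name, const uint8_t *img, size_t img_len,
                   int terminate_name)
{
    size_t n = 0;
    out[n++] = flag;
    for (int i = 0; i < 4; i++) out[n++] = (uint8_t)(size >> (8 * i));
    for (int i = 0; i < 4; i++) out[n++] = (uint8_t)(crc >> (8 * i));
    size_t nl = strlen(name);
    memcpy(out + n, name, nl); n += nl;
    if (terminate_name) out[n++] = 0;
    memcpy(out + n, img, img_len); n += img_len;
    return n;
}

int main(void)
{
    uint8_t pkt[128];
    const uint8_t data[4] = {0x89, 'P', 'N', 'G'};   /* constructed sample */
    struct img_reply_view v;
    size_t n = build_reply(pkt, GG_IMG_REPLY_FLAG_FIRST, 4, 0xDEADBEEFu, "a.png", data, 4, 1);
    printf("well-formed reply: status %d\n", parse_image_reply(pkt, n, 4, 0xDEADBEEFu, &v));
    n = build_reply(pkt, GG_IMG_REPLY_FLAG_FIRST, 4, 0xDEADBEEFu, "a.png", data, 4, 0);
    printf("unterminated filename: status %d\n", parse_image_reply(pkt, n, 4, 0xDEADBEEFu, &v));
    return 0;
}
```

The point of the design is that the peer's `size` is only ever compared, never used as a copy length or an allocation size on its own: the bytes present, the request the client remembers sending, and a local cap all have to agree before anything is copied.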
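The two stores at RtlAllocateHeap+0x27d quoted above are a doubly linked free-list unlink: with eax holding the entry's Flink and ecx its Blink, `mov [ecx],eax` and `mov [eax+0x4],ecx` rewrite the neighbours' pointers. The toy list below is an added example, not ntdll code and not from the advisory: it reproduces that unlink on a LIST_ENTRY-style structure and places beside it the "safe unlinking" consistency check that later Windows heaps perform, which refuses the operation when the neighbours no longer point back at the entry. The list, the filler node standing in for overflow bytes and the demo functions are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy doubly linked free list shaped like the NT heap's LIST_ENTRY
 * (Flink at offset 0, Blink at offset 4 on x86). Added example, not
 * ntdll code and not code from the advisory. */
struct list_entry { struct list_entry *Flink, *Blink; };

static void list_init(struct list_entry *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(struct list_entry *head, struct list_entry *e)
{
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

int list_length(const struct list_entry *head)
{
    int n = 0;
    for (const struct list_entry *p = head->Flink; p != head; p = p->Flink) n++;
    return n;
}

/* Unchecked unlink. With eax = e->Flink and ecx = e->Blink these stores are
 * the "mov [ecx],eax" / "mov [eax+4],ecx" pair from the advisory's crash:
 * whatever an overflow left in Flink/Blink decides where they land. */
static void unlink_unchecked(struct list_entry *e)
{
    e->Blink->Flink = e->Flink;   /* mov [ecx],eax   */
    e->Flink->Blink = e->Blink;   /* mov [eax+4],ecx */
}

/* Checked unlink ("safe unlinking"): both neighbours must still point back
 * at e; otherwise the links were tampered with and nothing is written.
 * Returns 1 on success, 0 when corruption is detected. */
int unlink_checked(struct list_entry *e)
{
    if (e->Flink->Blink != e || e->Blink->Flink != e)
        return 0;
    unlink_unchecked(e);
    return 1;
}

/* Constructed scenario: three entries, one valid unlink, then one entry's
 * links replaced by a filler node (stand-in for the 'XXXX'/'eeee' bytes in
 * the register dump). Returns 1 when the check rejects the corrupted unlink
 * and the filler node was left untouched. */
int demo_safe_unlink(void)
{
    struct list_entry head, a, b, c, filler;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    list_insert_tail(&head, &c);

    if (!unlink_checked(&b) || list_length(&head) != 2) return 0;

    filler.Flink = filler.Blink = NULL;     /* constructed garbage node */
    c.Flink = c.Blink = &filler;            /* simulate overwritten links */
    if (unlink_checked(&c) != 0) return 0;  /* must be rejected */

    return filler.Flink == NULL && filler.Blink == NULL;  /* no store happened */
}

/* Same corruption without the check: the two stores land in the filler
 * node, which is exactly why the crash above shows writes through
 * attacker-controlled registers. Returns 1 when the filler was written. */
int demo_unchecked_clobbers_filler(void)
{
    struct list_entry head, c, filler;
    list_init(&head);
    list_insert_tail(&head, &c);
    filler.Flink = filler.Blink = NULL;
    c.Flink = c.Blink = &filler;
    unlink_unchecked(&c);
    return filler.Flink == &filler && filler.Blink == &filler;
}

int main(void)
{
    printf("checked unlink rejected corruption: %d\n", demo_safe_unlink());
    printf("unchecked unlink wrote through corrupted links: %d\n", demo_unchecked_clobbers_filler());
    return 0;
}
```

The check costs two loads and two compares per unlink and turns a silent arbitrary write into a detectable failure; it is an allocator-level mitigation, not a fix, because the overflow that corrupted the links still has to be removed at the parser that trusted the peer's length.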