Edonkey and Overnet resources consumption

From: Auriemma Luigi (aluigiat_private)
Date: Fri Mar 21 2003 - 03:53:52 PST


    ######################################################################
    
    Applications: Edonkey2000 (http://www.edonkey2000.com)
                  Overnet     (http://www.overnet.com)
    Versions:     0.45 and previous versions (only the GUI program)
    Platforms:    Windows only
    Bug:          The programs spawn a new dialog for each chat message
                  that arrives, and each dialog takes system
                  resources
    Risk:         Resource consumption through multiple message dialogs
    Author:       Auriemma Luigi
                  e-mail: aluigiat_private
                  web:    http://www.pivx.com/luigi/
    
    
    ######################################################################
    
    
    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    5) Philosophy
    
    
    ######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    Edonkey2000 and Overnet are the same peer-to-peer application and they
    are both shareware.
    These p2p programs use a protocol, created by the same programmers,
    called the Edonkey protocol, and a lot of people use them and their
    clones (like Emule, MlDonkey and others) to share files.
    
    The bug I want to show is just a classical p2p problem that happens
    when an attacker wants to abuse the chat function of this type of
    program to cause resource consumption on the remote machine.
    
     
    
    ######################################################################
    
    ======
    2) Bug
    ======
    
    
    The bug is really simple.
    A lot of p2p programs (probably all) let people chat together and
    not only share their files.
    In Edonkey (and naturally Overnet) every user can send a message to
    another user simply by connecting to him and, after the identification
    data, sending the message data:
    
    u_char      Edonkey header = 0xe3
    u_long      message size
    u_char      type of data   = 0x4e for messages
    u_short     message length
    u_char      *message
    
    Now, when Edonkey receives this message it searches the message
    dialogs currently open to see whether the same user has already sent
    a message before.
    The lookup of the user's window is not made by comparing the nickname:
    the program uses the hash string that each user must send at the
    beginning of each connection to identify himself.
    
    As everyone knows, each message dialog takes some resources of the
    Windows system (memory first, and CPU after a lot of dialogs), so
    spawning a lot of these message dialogs is just like opening a lot of
    Explorer windows, for example.
    
    Well, now the bug is clear. A user that makes a lot of sequential
    connections to the same Edonkey client and sends a different hash
    string with each message will open a lot of message dialogs on the
    remote Edonkey host. And he can continue until no resources remain to
    allocate new message dialogs.
    
    Resource consumption is not a DoS to underrate, because once enough
    message dialogs are open it becomes impossible to open programs or new
    windows, and you can imagine what this means if you run a game or a
    specific application that needs CPU and memory. If you are in front of
    the monitor you can just use the CTRL-ALT-DEL keys to kill the
    Edonkey application, but if you are not using your computer you will
    have a bad surprise 8-)
    
    My Pentium II at 448 MHz with about 500 MB of RAM is unusable after
    about 500 message dialogs (it has so few resources that it is impossible
    to execute any program).
    
    
    
    
    ######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    I have released a simple proof-of-concept for Windows and *nix that
    can send an infinite or a custom number of messages to the victim:
    
    http://www.pivx.com/luigi/poc/eddos.zip
    
    
    
    
    ######################################################################
    
    ======
    4) Fix
    ======
    
    
    Version 0.46 of Edonkey and Overnet solves the problem by limiting the
    number of message dialogs they can spawn.
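    The following is an added example (not code from the advisory, nor from
    Edonkey/Overnet) that parses the chat frame laid out in section 2 and
    applies the kind of cap section 4 describes: dialogs are keyed by the
    sender's hash, as the advisory explains, and a new one is refused once
    the limit is reached. The little-endian byte order, the meaning of the
    size field (bytes following it), the 16-byte hash and the cap of 8 are
    all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Chat frame layout from the advisory. Multi-byte fields are assumed
 * little-endian and the size field is assumed to count the bytes after it. */
#define ED_HEADER    0xe3
#define ED_MSG_TYPE  0x4e
#define HASH_LEN     16   /* assumed length of the per-user hash string */
#define MAX_DIALOGS  8    /* constructed cap; the real 0.46 limit is not stated */

/* Parse one chat frame. On success returns the message length and sets
 * *msg to the message bytes; returns -1 for any malformed or truncated frame. */
int parse_chat_frame(const uint8_t *buf, size_t len, const uint8_t **msg) {
    if (len < 8 || buf[0] != ED_HEADER || buf[5] != ED_MSG_TYPE) return -1;
    uint32_t size = buf[1] | buf[2] << 8 | buf[3] << 16 | (uint32_t)buf[4] << 24;
    uint16_t mlen = buf[6] | buf[7] << 8;
    if (size != 3u + mlen || len < 8u + mlen) return -1;  /* lengths must agree */
    *msg = buf + 8;
    return mlen;
}

/* Dialog table keyed by the sender's hash, mirroring the lookup the advisory
 * describes, plus the cap that the 0.46 fix adds. */
typedef struct { uint8_t hash[MAX_DIALOGS][HASH_LEN]; int count; } dialog_table;

/* Returns the dialog slot for this hash: the existing one if the user already
 * has a window, a new one while under the cap, or -1 when the cap is reached
 * (the message should then be dropped or logged instead of spawning a dialog). */
int dialog_for_hash(dialog_table *t, const uint8_t *hash) {
    for (int i = 0; i < t->count; i++)
        if (memcmp(t->hash[i], hash, HASH_LEN) == 0) return i;
    if (t->count >= MAX_DIALOGS) return -1;
    memcpy(t->hash[t->count], hash, HASH_LEN);
    return t->count++;
}

/* Constructed frame: "hi" from a peer. size = type(1) + len(2) + msg(2) = 5. */
static const uint8_t sample_frame[] = { 0xe3, 5,0,0,0, 0x4e, 2,0, 'h','i' };

/* Feed n connections that each present a fresh hash and count how many
 * dialogs the cap actually lets through (what the fix is meant to bound). */
int count_dialogs_under_cap(int n) {
    dialog_table t = { .count = 0 };
    int opened = 0;
    for (int i = 0; i < n; i++) {
        uint8_t h[HASH_LEN] = {0};
        h[0] = (uint8_t)i; h[1] = (uint8_t)(i >> 8);  /* distinct hash per connection */
        if (dialog_for_hash(&t, h) >= 0) opened++;
    }
    return opened;
}
```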
    
    
    
    ######################################################################
    
    =============
    5) Philosophy
    =============
    
    
    I'm really hopeful about the FULL-DISCLOSURE policy, because with it
    "everyone" can know the real effects of an attack and the real danger of
    a bug, someone can learn a bit of creative programming (I have learned
    a bit of interesting C from the source code of some published
    exploits), and it's useful for all the people who are hopeful about this
    type of disclosure.
    No secrets!
    
    
    ######################################################################
    
    ====================
    About PivX Solutions
    ====================
    
    
    PivX Solutions is a premier network security consultancy offering a
    myriad of network security services to our clients, the most notable
    being our proprietary StrikeFirst Security Assessments
    (http://www.pivx.com/sf.html).
    
    For more information go to http://www.PivX.com
    
    ######################################################################
     
    
    Any type of feedback is really welcome!
    
    Byez
    
    
    
    
    --- 
    PivX Bug Researcher
    http://www.pivx.com/luigi/
    


