Related information

Baidu Hi instant messenger integer overflow

Baidu Hi IM client software DoS bug, div zero make client crash

From:	Li Gen <superligen_(at)_gmail.com>
Date:	14.09.2008
Subject:	Baidu Hi IM software parsing plaintext stack overflow

Baidu Hi IM software parsing plaintext stack overflow

-- CVE ID:
Not assigned

-- Affected Vendors:
Baidu

-- Affected Products:
Baidu Hi IM software

-- Vulnerability Details:

Our automatic bug exploiting tools have found a buffer overflow bug in
Baidu Hi IM software which is a popular IM software in China.
This bug is due to Baidu Hi do not strictly check the deciphered
plaintext format in CSTransfer.dll.
Because of encryption mechanism of Baidu Hi, it is hard to generate
the proper malicious packet, but not say it's impossible. A proper
malicious packet can cause client system full controlled.

-- Vendor Response:
I contacted with Baidu a month ago, no any response from Baidu.

-- Credit:
This vulnerability was discovered by:
 Gen LI & Jun MA & Ying Zhang

More Detail :
(CSTransfer.dll)

                                         esi
     +---------------------+              |
     |                     |             \|/
     | Malicious input     |              _______________________________
     |                     ...........>  |  |  |  |  |  |   |   |       |
     +---------------------+             |R |  |4 |0 |  |\r |\n | ....  |
                                         |__|__|__|__|__|___|___|_______|
                                         /|\
                                          |
                                         ebp
     +---------------------+
     |                     |
     | Correct content     |
______________________________________________________
     |                     ...........> |  |   | |  |   |  |   |  |
|  |  |  |   |   |       |
     +---------------------+            | c| m | | 1| . |0 |   |R |
|4 |0 |  |\r |\n | ....  |
       loc_10007880:
|__|___|_|__|___|__|___|__|__|__|__|__|___|___|_______|
       mov     al, [esi-1]               /|\                   /|\
       dec     esi                        |                     |
       cmp     al, 20h                   ebp                   esi
       jnz     short loc_10007890
                |
 +-------+      |---------------------.
 |       |      |                     |
 |      \|/    \|/                    |
 |     loc_10007888:                  |
 |     mov     al, [esi-1]            |
 |     dec     esi                    |
 |     cmp     al, 20h                |
 |     jz      short loc_10007888     |
 |           |  |                     |
 |-----------+  |    +----------------|
                |    |
               \|/  \|/
       loc_10007890:
       push    20h
       esi edi
       push    ebp                     +---------------------+
        |   |
       inc     esi                     |                     |
       \|/ \|/
       call    ds:strchr               | Malicious input     |
____________ _______________________________
       mov     edi, eax    --------->  |                     ...>|
       |  |  |  |  |  |   |   |       |
                                       +---------------------+
|heap struct |R |  |4 |0 |  |\r |\n | ....  |
          ...........
|____________|__|__|__|__|__|___|___|_______|

       /|\
      loc_100078EA:
        |
      sub     esi, edi               ;esi will be a negative number
       ebp
      cmp     esi, 1Eh
      jg      loc_100079FD

      push    esi             ; size_t   ;esi will be a negative number
      lea     edx, [esp+44h+var_24]
      push    edi             ; char *
      push    edx             ; char *
      call    ds:strncpy                 ; cause buffer overflow