
Thread: aMSN Input Validation Error

  1. #1 (Registered User, Italy)

    aMSN Input Validation Error

    Risk: Low
    Typology: Input Validation Error

    All aMSN versions, on both Windows and Linux platforms.

    Like Microsoft MSN, aMSN has a nice feature for exporting and importing the list of
    contacts you have.

    This list is dumped into an XML file (file extension .ctt), with this structure:

    -----------------------
    <?xml version="1.0"?>
    <messenger>
    <service name=".NET Messenger Service">
    <contactlist>
    <contact>your_contact@xxxx.yy</contact>
    </contactlist>
    </service>
    </messenger>
    -----------------------


    aMSN does not correctly validate the contacts you insert; more precisely, it does not
    parse the format of this file, and when you import a malformed contact list it
    suddenly shuts down.

    Here is an example of a malformed input list:

    -----------------------
    <?xml version="1.0"?>
    <messenger>
    <service name=".NET Messenger Service">
    <contactlist>
    <contact>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@xxxx.yy</contact>
    </contactlist>
    </service>
    </messenger>
    -----------------------


    Or another possibility:

    -----------------------
    <?xml version="1.0"?>
    <messenger>
    <service name=".NET Messenger Service">
    <contactlist>
    <contact><contact><contact><contact>
    <contact></contact></contact><contact>
    </contact></contact></contact></contact>
    </contact>
    </contactlist>
    </service>
    </messenger>
    -----------------------


    This will cause aMSN to freeze.

    If you use the same "trick" with MS Messenger, a MessageBox will advise you of the malformed
    file.

    See you to the next post
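A defensive importer for the .ctt structure shown above, written as an added example (it is not aMSN's code and not part of the original post). It streams the XML with the standard library, enforces a per-entry length limit, rejects nested <contact> elements and excessive nesting depth, checks that each entry has the shape of an address, and reports a reason instead of shutting down or hanging. The three sample files, the limits (129 characters per entry, depth 4, 1 MB per file) and the address pattern are constructed assumptions, not values from aMSN or the .ctt specification.

```python
import re
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed sample: a well-formed .ctt list in the structure described in the post.
GOOD_CTT = b"""<?xml version="1.0"?>
<messenger>
<service name=".NET Messenger Service">
<contactlist>
<contact>your_contact@xxxx.yy</contact>
</contactlist>
</service>
</messenger>"""

# Constructed: an over-long contact entry, same shape as the post's first malformed list.
LONG_CTT = GOOD_CTT.replace(b"your_contact", b"A" * 300)

# Constructed: nested <contact> elements, same shape as the post's second malformed list.
NESTED_CTT = b"""<?xml version="1.0"?>
<messenger>
<service name=".NET Messenger Service">
<contactlist>
<contact><contact><contact><contact>
<contact></contact></contact><contact>
</contact></contact></contact></contact>
</contact>
</contactlist>
</service>
</messenger>"""

MAX_FILE_BYTES = 1000000  # assumption: no genuine contact list is anywhere near 1 MB
MAX_CONTACT_LEN = 129     # assumption: generous upper bound for a single address
MAX_DEPTH = 4             # messenger > service > contactlist > contact
# Loose address shape: local@domain, no whitespace or angle brackets, bounded lengths.
ADDRESS_RE = re.compile(r"^[^\s@<>]{1,64}@[^\s@<>]{1,253}$")


class CttError(ValueError):
    """Raised for any .ctt file the importer refuses; the caller reports it and moves on."""


def load_contacts(data, max_len=MAX_CONTACT_LEN, max_depth=MAX_DEPTH):
    """Parse a .ctt byte string and return its contact addresses, rejecting malformed input."""
    if len(data) > MAX_FILE_BYTES:
        raise CttError("file too large (%d bytes)" % len(data))
    contacts = []
    depth = 0
    in_contact = False
    root_seen = False
    try:
        # Streaming parse: every limit is checked element by element, so a hostile
        # file is refused before the whole tree is ever built in memory.
        for event, elem in ET.iterparse(BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                if not root_seen:
                    root_seen = True
                    if elem.tag != "messenger":
                        raise CttError("unexpected root element <%s>" % elem.tag)
                if elem.tag == "contact":
                    if in_contact:
                        raise CttError("nested <contact> element")
                    in_contact = True
                if depth > max_depth:
                    raise CttError("element nesting too deep at <%s>" % elem.tag)
                continue
            depth -= 1
            if elem.tag == "contact":
                in_contact = False
                text = (elem.text or "").strip()
                if len(text) > max_len:
                    raise CttError("contact entry too long (%d chars)" % len(text))
                if not ADDRESS_RE.match(text):
                    raise CttError("contact entry is not an address: %r" % text[:40])
                contacts.append(text)
            elem.clear()  # drop the element; only the validated strings are kept
    except ET.ParseError as exc:
        raise CttError("not well-formed XML: %s" % exc)
    return contacts


def check_ctt(data):
    """Return (True, contacts) for an acceptable file or (False, reason) otherwise."""
    try:
        return True, load_contacts(data)
    except CttError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name, sample in (("good", GOOD_CTT), ("long", LONG_CTT), ("nested", NESTED_CTT)):
        print(name, check_ctt(sample))
```

Both malformed lists from the post are refused with a specific reason (the first for length, the second for nesting), while the well-formed list yields its single address. The nested check runs before the depth check so that the reported reason names the actual problem; the depth limit is a backstop for other deeply nested elements, and the file-size cap bounds the work done before any element is seen.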

  2. #2 dELTA (Administrator)
    Even if it's not remotely exploitable, it seems like a likely stack buffer overflow vulnerability (thus with possible arbitrary code execution possibilities), so maybe the risk is at least a little more than "low" (and maybe iDefense will (or rather would have) given you a few bucks for it).
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3 (Registered User, Italy)
    Hello,

    Yeah, indeed, in certain cases this bug can be exploitable, just by modelling the code inside the <contact> tags.

    But at first I didn't release this, just because I had advised the aMSN team, but got no reply from these persons, so maybe I'll release a Local for that.

    Thanks for the advice, Delta!

    Have a nice Day,
    Evilcry

    http://evilcry.netsons.org (Repository)
    http://evilcodecave.blogspot.com
    http://evilcodecave.wordpress.com
