Ares Fileshare Buffer Overflow in Search History Lets Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1014576
|
|
SecurityTracker URL: http://securitytracker.com/id?1014576
|
|
CVE Reference: CVE-2005-2425
(Links to External Site)
|
Updated: Jul 6 2008
|
Original Entry Date: Jul 26 2005
|
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
|
Version(s): 1.1
|
Description: Kozan reported a buffer overflow vulnerability in Ares Fileshare. A user may be able to cause arbitrary code to be executed.
A user can create an 'ares.conf' configuration file that contains specially crafted search string history entries. When a target
user loads the file and selects the malicious entry from the Search listbox, arbitrary code may be executed with the privileges
of the target user.
A target user can also enter a specially crafted search string into the Search box to trigger the buffer
overflow.
A string longer than 1065 bytes can cause the buffer overflow.
|
Impact: A remote or local user may be able to cause the target user to execute arbitrary code.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.aresfileshare.com/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Windows (Any)
|
Reported By: kozan@spyinstructors.com
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 25 Jul 2005 12:44:31 -0700 (PDT)
From: kozan@spyinstructors.com
Subject: Ares FileShare 1.1 'Long Searched String' Buffer Overflow
|
Ares FileShare 1.1 'Long Searched String' Buffer Overflow Vulnerability
I. BACKGROUND
Ares Fileshare is one of the most popular P2P application around the world.
With Ares Fileshare you can connect to several established P2P-networks,
which will yield more search results with less effort. One of the beauties
with Ares Fileshare is that you don't have to share files in order to search
and download, in other words -- you'll be started within seconds.
More information can be found at the following link:
II. DESCRIPTION
Remote and/or exploitation of a buffer overflow vulnerability in Ares
FileShare
could allow execution of arbitrary code.
A specially crafted .conf file (ares.conf - configuration file of Ares
FileShare)
containing long searched strings history information or entering a long
string
for Search can cause Ares FileShare to overwrite stack space.
No checks are made on the length of data being copied, When a string data
is longer
than 1065 bytes (1066 or longer), allowing the return address on the stack
to be
overwritten (in UNICODE).
III. ANALYSIS
Successful exploitation allows remote and/or local attackers to execute
arbitrary
code in the context of the target user that opened the malicious
configuration file
or entering specially crafted search data.
After this when user starts Ares FileShare program and selects this malicious
entry from Search Listbox, buffer overflow occurs.
An example malicious ares.conf file is that contains long searc history data:
history = AAAAA.....[ A x 1065 bytes (where the EIP starts in UNICODE)
]AA...\r\n
The data that is written onto the stack is in the form: 0x00410041
41s in hexadecimal = 'A's are controlled by the input. While this
tends to make exploitation more difficult, it does not prevent it, as it
may be possible for an attacker to cause controlled data to be put into
a memory location matching the required format.
IV. DETECTION
Ares FileShare 1.1 is vulnerable. Earlier versions strongly might be
vulnerable to this issue.
V. WORKAROUND
User awareness is the best method of defense against this class of
attack. Users must be wary when opening files from untrusted sources.
When possible, run client software, as regular user accounts with
limited access to system resources. This may limit the immediate
consequences of client-side vulnerabilities.
Discovered by: Kozan
Credits to ATmaCA
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com
|
|
