SecurityTracker.com
Category:   Application (Generic)  >   Zoidcom
Vendors:   zoidcom.com
Zoidcom Buffer Overflow in ZCom_BitStream::Deserialize() Lets Remote Users Crash the Application
SecurityTracker Alert ID:  1013939
SecurityTracker URL:  http://securitytracker.com/id/1013939
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 11 2005
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.0 beta 4 and prior versions
Description:   Luigi Auriemma reported a vulnerability in the Zoidcom UDP networking library. A remote user can cause affected applications to crash.

A remote user can send a specially crafted UDP packet to trigger a buffer overflow in the ZCom_BitStream::Deserialize function and cause the library function to crash. The function trusts the first 4 bytes of a packet as the size of the buffer it allocates for the remaining packet data.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/zoidboom.zip

Impact:   A remote user can cause the target application to crash.
Solution:   The vendor has issued a fixed version (1.0 beta 5), available at:

http://www.zoidcom.com/download.html

Vendor URL:  www.zoidcom.com/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Crash in Zoidcom 1.0 beta 4


#######################################################################

                             Luigi Auriemma

Application:  Zoidcom
              http://www.zoidcom.com
Versions:     <= 1.0 beta 4
Platforms:    Windows and Linux
Bug:          access to unallocated memory
Exploitation: remote, versus server and clients
Date:         10 May 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============




#######################################################################

======
2) Bug
======


The first 4 bytes at the beginning of any UDP packet handled by this
library specify the size of the packet data in bits.
When a packet is received, the library calls the
ZCom_BitStream::Deserialize function, which allocates a target buffer of
the size specified in these 4 bytes and then copies the whole subsequent
part of the packet into it.
If an attacker specifies a large number of bits, the Deserialize()
function will try to read the unallocated memory located after
the packet buffer, or the library will exit immediately if the number of
bits is so large that the target buffer cannot be allocated.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/zoidboom.zip


#######################################################################

======
4) Fix
======


1.0 beta 5


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
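
Added example (not code from the advisory or from Zoidcom): a length-prefixed deserializer that checks the declared bit count against the bytes actually received before it allocates or copies, which is the check the Bug section describes as missing. The function names, the little-endian byte order and the MAX_PAYLOAD_BITS cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 4u                     /* length prefix described in the advisory */
#define MAX_PAYLOAD_BITS (1400u * 8u)  /* assumed policy cap, not a Zoidcom constant */

enum ds_status { DS_OK, DS_SHORT_HEADER, DS_TOO_LARGE, DS_TRUNCATED, DS_NOMEM };

/* Assumption: the bit count is little-endian; the advisory does not say. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copy the payload only after the declared size has been checked against
 * the number of bytes actually received. On DS_OK the caller frees *out. */
enum ds_status deserialize_checked(const uint8_t *pkt, size_t pkt_len,
                                   uint8_t **out, uint32_t *out_bits)
{
    *out = NULL;
    *out_bits = 0;
    if (pkt_len < HDR_LEN)
        return DS_SHORT_HEADER;
    uint32_t bits = read_le32(pkt);
    if (bits > MAX_PAYLOAD_BITS)          /* refuse oversized allocations */
        return DS_TOO_LARGE;
    size_t need = ((size_t)bits + 7u) / 8u;
    if (need > pkt_len - HDR_LEN)         /* header claims more than arrived */
        return DS_TRUNCATED;
    uint8_t *buf = malloc(need ? need : 1);
    if (buf == NULL)
        return DS_NOMEM;
    memcpy(buf, pkt + HDR_LEN, need);
    *out = buf;
    *out_bits = bits;
    return DS_OK;
}

/* Constructed sample datagrams (not captured traffic). */
const uint8_t sample_ok[]    = { 0x10, 0, 0, 0, 0xAA, 0xBB };  /* 16 bits, 2 bytes */
const uint8_t sample_short[] = { 0x00, 0x04, 0, 0, 0xAA };     /* 1024 bits, 1 byte */
const uint8_t sample_huge[]  = { 0xFF, 0xFF, 0xFF, 0xFF, 0xAA };

/* Helper: run the check, release any buffer, and return the status. */
enum ds_status check(const uint8_t *pkt, size_t len)
{
    uint8_t *buf;
    uint32_t bits;
    enum ds_status st = deserialize_checked(pkt, len, &buf, &bits);
    free(buf);
    return st;
}
```

Both failure modes from the Bug section map to a distinct status here: DS_TRUNCATED for a size that exceeds the received data, and DS_TOO_LARGE for a size that would otherwise drive an allocation failure.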
 
 

