Bugtraq mailing list archives

Edonkey and Overnet resources consumption
From: Auriemma Luigi <aluigi () pivx com>
Date: Fri, 21 Mar 2003 11:53:52 +0000


######################################################################

Applications: Edonkey2000 (http://www.edonkey2000.com)
              Overnet     (http://www.overnet.com)
Versions:     0.45 and previous versions (only the GUI program)
Platforms:    Windows only
Bug:          The programs spawn a new dialog for each chat message
              that reaches them, and each dialog consumes system
              resources
Risk:         Resources consumption through multiple message dialogs
Author:       Auriemma Luigi
              e-mail: aluigi () pivx com
              web:    http://www.pivx.com/luigi/


######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy


######################################################################

===============
1) Introduction
===============


Edonkey2000 and Overnet are the same peer-to-peer application, and
both are shareware.
These p2p programs use a protocol created by their own programmers,
called the Edonkey protocol, and a lot of people use them and their
clones (like Emule, MlDonkey and others) to share files.

The bug I want to show is a classic p2p problem: an attacker abuses
the chat function of this type of program to cause resource
consumption on the remote machine.

 

######################################################################

======
2) Bug
======


The bug is really simple.
A lot of p2p programs (probably all) let people chat together and not
only share their files.
In Edonkey (and naturally Overnet) every user can send a message to
another user simply by connecting to him and, after the identification
data, sending the message data:

u_char      Edonkey header = 0xe3
u_long      message size
u_char      type of data   = 0x4e for messages
u_short     message length
u_char      *message

Now, when Edonkey receives this message it searches the currently open
message dialogs to see whether the user has already sent a message
before.
The search for the user's window is not made by comparing the nickname:
the program uses the hash string that each user must send at the
beginning of each connection to identify himself.

As everyone knows, each message dialog takes some resources from the
Windows system (memory first, and CPU after a lot of dialogs), so
spawning a lot of these message dialogs is the same thing as opening
a lot of Explorer windows, just for example.

Well, now the bug is clear. A user who makes a lot of sequential
connections to the same Edonkey client and sends a different hash
string with each message will open a lot of message dialogs on the
remote Edonkey host, and he can continue until no resources are left
to allocate new message dialogs.

Resource consumption is not a DoS to underrate, because after some
number of message dialogs are open it becomes impossible to open
programs or new windows, and you can imagine what this means if you
are running a game or a specific application that needs CPU and
memory. If you are in front of the monitor you can just use the
CTRL-ALT-DEL keys to kill the Edonkey application, but if you are not
using your computer you will have a bad surprise 8-)

My Pentium II at 448 MHz with about 500 MB of RAM is unusable after
about 500 message dialogs (it has so few resources left that it is
impossible to execute any program).




######################################################################

===========
3) The Code
===========


I have released a simple proof-of-concept for Windows and *nix that
can send an unlimited or a custom number of messages to the victim:

http://www.pivx.com/luigi/poc/eddos.zip




######################################################################

======
4) Fix
======


Version 0.46 of Edonkey and Overnet solves the problem by limiting the
number of message dialogs they can spawn.
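To make the mechanism from section 2 and the fix from section 4
concrete, here is an added example written for this page; it is not
the advisory's proof-of-concept and not code from the Edonkey client.
It parses a chat frame with the five fields listed in section 2,
keys open dialogs by the sender's hash exactly as the advisory
describes, and applies a cap on the number of dialogs, the same kind
of limit that version 0.46 introduced. Assumptions that the advisory
does not state: little-endian byte order, that the "message size"
field counts the bytes that follow it, a 16-byte user hash, and the
cap value of 20. The sender hashes fed to the simulation are
constructed.

```python
import hashlib
import struct

# Field layout as given in the advisory. Byte order (little-endian) and
# the meaning of "message size" (bytes following the size field, i.e.
# type byte + length field + text) are assumptions made for this example.
EDONKEY_HEADER = 0xE3
TYPE_MESSAGE = 0x4E


def build_message(text: bytes) -> bytes:
    """Pack one chat frame; used here only to construct sample input."""
    body = struct.pack("<BH", TYPE_MESSAGE, len(text)) + text
    return struct.pack("<BI", EDONKEY_HEADER, len(body)) + body


def parse_message(frame: bytes) -> bytes:
    """Validate a chat frame and return its text; reject malformed frames."""
    if len(frame) < 8:  # 5-byte header + type + 2-byte length, empty text
        raise ValueError("frame too short")
    header, size = struct.unpack_from("<BI", frame, 0)
    if header != EDONKEY_HEADER:
        raise ValueError("bad header byte")
    body = frame[5:5 + size]
    if len(body) != size or size < 3:
        raise ValueError("size field does not match frame")
    msg_type, msg_len = struct.unpack_from("<BH", body, 0)
    if msg_type != TYPE_MESSAGE:
        raise ValueError("not a chat message")
    if size != 3 + msg_len:
        raise ValueError("message length does not match size field")
    return body[3:]


class ChatDialogs:
    """Receiving side: one dialog per sender hash, capped like the 0.46 fix."""

    def __init__(self, max_dialogs: int):
        self.max_dialogs = max_dialogs  # cap value is an assumption
        self.dialogs = {}  # sender hash -> list of message texts
        self.rejected = 0  # messages refused because the cap was reached

    def deliver(self, user_hash: bytes, frame: bytes) -> bool:
        """Route a frame to the sender's dialog; open one only under the cap."""
        text = parse_message(frame)
        window = self.dialogs.get(user_hash)
        if window is not None:  # known hash: reuse the existing dialog
            window.append(text)
            return True
        if len(self.dialogs) >= self.max_dialogs:
            self.rejected += 1
            return False
        self.dialogs[user_hash] = [text]
        return True


def simulate_flood(distinct_senders: int, max_dialogs: int):
    """Deliver one message from each of N distinct constructed hashes.

    Returns (dialogs open, messages rejected) so the effect of the cap is
    visible: without it, every new hash would open another window.
    """
    inbox = ChatDialogs(max_dialogs)
    for i in range(distinct_senders):
        # 16-byte constructed sender hash, one per simulated peer
        user_hash = hashlib.md5(b"constructed-peer-%d" % i).digest()
        inbox.deliver(user_hash, build_message(b"hello"))
    return len(inbox.dialogs), inbox.rejected


if __name__ == "__main__":
    print(simulate_flood(500, 20))
```

With the cap set to 20, the 500-sender flood from the advisory's own
measurement leaves 20 dialogs open and 480 messages refused, while a
second message from an already-known hash still lands in that sender's
existing dialog, so legitimate conversations are not affected.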



######################################################################

=============
5) Philosophy
=============


I'm really hopeful about the FULL-DISCLOSURE policy, because with it
"everyone" can know the real effects of an attack and the real danger
of a bug, someone can learn a bit of creative programming (I have
learned a bit of interesting C from the source code of some published
exploits), and it's useful for all the people who are hopeful about
this type of disclosure.
No secrets!


######################################################################

====================
About PivX Solutions
====================


PivX Solutions is a premier network security consultancy offering a
myriad of network security services to our clients, the most notable
being our proprietary StrikeFirst Security Assessments
(http://www.pivx.com/sf.html).

For more information go to http://www.PivX.com

######################################################################
 

Any type of feedback is really welcome!

Byez




--- 
PivX Bug Researcher
http://www.pivx.com/luigi/


