Our automatic bug exploiting tools have found a buffer overflow bug in Baidu Hi IM software which is a popular IM software in China. This bug is due to Baidu Hi do not strictly check the deciphered plaintext format in CSTransfer.dll. Because of encryption mechanism of Baidu Hi, it is hard to generate the proper malicious packet, but not say it's impossible. A proper malicious packet can cause client system full controlled. -- Vendor Response: I contacted with Baidu a month ago, no any response from Baidu. -- Credit: This vulnerability was discovered by: Gen LI & Jun MA & Ying Zhang More Detail : (CSTransfer.dll) esi +---------------------+ | | | \|/ | Malicious input | ___ | ...........> | | | | | | | | | +---------------------+ |R | |4 |0 | |\r |\n | .... | |__|__|__|__|__|___|___|___| /| | ebp +---------------------+ | | | Correct content | __ | ...........> | | | | | | | | | | | | | | | | +---------------------+ | c| m | | 1| . |0 | |R | |4 |0 | |\r |\n | .... |...
Our automatic bug exploiting tools have found a buffer overflow bug in Baidu Hi IM software which is a popular IM software in China. This bug is due to Baidu Hi do not strictly check the deciphered plaintext format in CSTransfer.dll. Because of encryption mechanism of Baidu Hi, it is hard to generate the proper malicious packet, but not say it's impossible. A proper malicious packet can cause client system full controlled. -- Vendor Response: I contacted with Baidu a month ago, no any response from Baidu. -- Credit: This vulnerability was discovered by: Gen LI & Jun MA & Ying Zhang More Detail : (CSTransfer.dll) esi +---------------------+ | | | \|/ | Malicious input | ___ | ...........> | | | | | | | | | +---------------------+ |R | |4 |0 | |\r |\n | .... | |__|__|__|__|__|___|___|___| /| | ebp +---------------------+ | | | Correct content | __ | ...........> | | | | | | | | | | | | | | | | +---------------------+ | c| m | | 1| . |0 | |R | |4 |0 | |\r |\n | .... | loc_10007880: |__|___|_|__|___|__|___|__|__|__|__|__|___|___|___| mov al, [esi-1] /|\ /| dec esi | | cmp al, 20h ebp esi jnz short loc_10007890 | +-------+ |---------------------. | | | | | \|/ \|/ | | loc_10007888: | | mov al, [esi-1] | | dec esi | | cmp al, 20h | | jz short loc_10007888 | | | | | |-----------+ | +----------------| | | \|/ \|/ loc_10007890: push 20h esi edi push ebp +---------------------+ | | inc esi | | \|/ \|/ call ds:strchr | Malicious input | ___ mov edi, eax ---------> | ...>| | | | | | | | | | +---------------------+ |heap struct |R | |4 |0 | |\r |\n | .... | ........... ||__|__|__|__|__|___|___|___| /| loc_100078EA: | sub esi, edi ;esi will be a negative number ebp cmp esi, 1Eh jg loc_100079FD push esi ; size_t ;esi will be a negative number lea edx, [esp+44h+var_24] push edi ; char * push edx ; char * call ds:strncpy ; cause buffer overflow 百度Hi 2.0 Beta1 暂无 <a href=http://im.baidu.com target=_blank>http://im.baidu.com</a>
