QQ is a very popular IM client in China developed by Tencent. There is a remote denial of service vulnerability in QQ when using the SuperVideo chat. Current study shows that an attacker who successfully exploited the vulnerability could cause the remote client to crash.

An attack packet looks as follows (0x12 bytes long):

    03 0f 43 bf   // xor char
    58 1b ec bf   // id1
    47 72 c1 9b   // id2
    00 00 05 00
    6b 03

Notice that the data that should follow, carrying the RTP header and the encrypted bitmap data, is empty.

The parsing code is as follows (LongConnection.dll, version 5.0.200.160):

    60A9512F push 2Ch              ; size_t
    60A95131 lea eax, [ebp-58h]
    60A95134 push ebx              ; int
    60A95135 push eax              ; void *
    60A95136 mov byte ptr [ebp-4], 1
    60A9513A call memset           ; memset(lpDataHeader, 0x00, 0x2c);
    60A9513F add esp, 0Ch
    60A95142 lea eax, [ebp-58h]    ; lpDataHeader
    60A95145 mov ecx, esi
    60A95147 push dword ptr [ebp+8]
    60A9514A push edi
    60A9514B push eax
    60A9514C call sub_60A95D88     ; parse the packet into lpDataHeader
    60A95151 test eax, eax
    60A95153 jnz short loc_60A95191

    60A95D88 sub_60A95D88 proc near ; CODE XREF: sub_60A94FD3+179p
    60A95D88 mov eax, offset loc_60AF0DE4
    60A95D8D call __EH_prolog
    ...
    60A95F28 xor eax, eax
    60A95F2A cmp [ebp+10h], eax    ; if (counter > 0x12) ?
    60A95F2D jg short loc_60A95F34 ; taken when there is remaining data
    60A95F2F mov [esi+24h], eax    ; set lpRTPBuff = NULL
    60A95F32 jmp short loc_60A95F50
    60A95F34 ; ---------------------------------------------------------------------------
    60A95F34 loc_60A95F34:         ; normal type
    60A95F34 push dword ptr [ebp+10h]
    60A95F37 call ??2@YAPAXI@Z     ; operator new(uint)
    60A95F3C push dword ptr [ebp+10h] ; size_t
    60A95F3F inc edi
    60A95F40 mov [esi+24h], eax
    60A95F43 push edi              ; void *
    60A95F44 push eax              ; void *
    60A95F45 call memcpy
    60A95F4A mov eax, [ebp+10h]
    60A95F4D add esp, 10h
    60A95F50 loc_60A95F50:         ; CODE XREF: sub_60A95D88+1AAj
    60A95F50 push 1
    60A95F52 mov [esi+28h], eax    ; dwRTPBuffLen = eax (0 on the empty-data path)
    60A95F55 pop eax               ; return success
    60A95F56 jmp short loc_60A95ED9
    60A95F56 sub_60A95D88 endp

Function sub_60A95D88 parses the video packet header into the structure lpDataHeader; the relevant fields are:

    [lpDataHeader+24h] = lpRTPBuff
    [lpDataHeader+28h] = dwRTPBuffLen

However, when the total length of the video packet equals 0x12, sub_60A95D88 sets lpRTPBuff = NULL and dwRTPBuffLen = 0 but still returns a success value. Trusting that return value, the main function passes the NULL pointer on to the next protocol layer, so a memory access error occurs.

The code that causes the memory access error is as follows (VqqAllInOne.dll, version 1.5.0.3):

    6273DE29 call sub_6274226A
      |
      |
      |
    62742285 push 3
    62742287 push 0
    62742289 push ebx              ; lpRTPBuff = NULL
    6274228A mov [ebp+var_4], esi
    6274228D call sub_62742B20
      |
      |
      |
    62742B20 mov edx, [esp+arg_4]
    62742B24 mov eax, [esp+arg_8]
    62742B28 lea ecx, [edx+eax]
    62742B2B cmp edx, ecx
    62742B2D jge short locret_62742B5D
    62742B2F mov eax, [esp+arg_0]  ; lpRTPBuff = NULL
    62742B33 push esi
    62742B34 sub ecx, edx
    62742B36 lea eax, [eax+edx*4+2] ; eax = 2
    62742B3A movzx esi, byte ptr [eax] ; memory access error

QQ2006 beta3 and previous versions are affected. Tencent has fixed this vulnerability in QQ 2006 standard, which can be downloaded from: http://im.qq.com/qq/dlqq.shtml
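The flaw above is a parser that reports success while leaving its output pointer NULL, and a caller that trusts the status flag instead of the data. The following C model, added here and not code from the advisory or from Tencent, reproduces that contract with assumed names (video_header_t, parse_video_header, handle_video_packet) and shows the check the consumer needs: validate the returned buffer and its length before indexing into it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the structure filled by sub_60A95D88 (field names assumed). */
typedef struct {
    uint32_t xor_key, id1, id2;   /* first 12 bytes of the packet */
    const uint8_t *rtp_buf;       /* [lpDataHeader+24h] */
    size_t rtp_len;               /* [lpDataHeader+28h] */
} video_header_t;

#define VIDEO_HDR_LEN 0x12        /* size of the sample packet with no RTP data */

/* Mirrors the flawed behaviour: with no trailing data the RTP pointer stays
 * NULL and the length 0, yet the function still reports success (returns 1). */
int parse_video_header(const uint8_t *pkt, size_t len, video_header_t *h)
{
    memset(h, 0, sizeof *h);
    if (len < VIDEO_HDR_LEN) return 0;
    memcpy(&h->xor_key, pkt, 4); memcpy(&h->id1, pkt + 4, 4); memcpy(&h->id2, pkt + 8, 4);
    if (len > VIDEO_HDR_LEN) {    /* cmp [ebp+10h], 0 / jg: remaining data present */
        h->rtp_buf = pkt + VIDEO_HDR_LEN;
        h->rtp_len = len - VIDEO_HDR_LEN;
    }
    return 1;                     /* success even when rtp_buf == NULL */
}

/* Model of sub_62742B20: reads the byte at rtp_buf[idx*4 + 2]. */
static int read_rtp_byte(const uint8_t *rtp, size_t idx) { return rtp[idx * 4 + 2]; }

/* Hardened caller: an empty payload is a malformed packet regardless of the
 * success flag, and the index is bounds-checked against rtp_len before the read. */
int handle_video_packet(const uint8_t *pkt, size_t len)
{
    video_header_t h;
    if (!parse_video_header(pkt, len, &h)) return -1;
    if (h.rtp_buf == NULL || h.rtp_len < 3) return -1;   /* original code reads NULL+2 here */
    return read_rtp_byte(h.rtp_buf, 0);
}

/* Constructed inputs: the 0x12-byte packet from the advisory, and the same
 * header followed by four made-up bytes standing in for RTP data. */
static const uint8_t kTruncated[VIDEO_HDR_LEN] = {
    0x03,0x0f,0x43,0xbf, 0x58,0x1b,0xec,0xbf, 0x47,0x72,0xc1,0x9b, 0x00,0x00,0x05,0x00, 0x6b,0x03 };
static const uint8_t kWithRtp[VIDEO_HDR_LEN + 4] = {
    0x03,0x0f,0x43,0xbf, 0x58,0x1b,0xec,0xbf, 0x47,0x72,0xc1,0x9b, 0x00,0x00,0x05,0x00, 0x6b,0x03,
    0x80,0x60,0x11,0x22 };

int demo_parser_success_with_null(void)
{ video_header_t h; return parse_video_header(kTruncated, sizeof kTruncated, &h) == 1 && h.rtp_buf == NULL; }
int demo_truncated(void) { return handle_video_packet(kTruncated, sizeof kTruncated); }  /* -1 */
int demo_with_rtp(void)  { return handle_video_packet(kWithRtp, sizeof kWithRtp); }      /* 0x11 */
```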