Baidu Hi IM software parsing plaintext stack overflow

Ying Zhang negative number stack overflow buffer overflow esi Baidu Hi malicious Affected Vendors push Vulnerability Details Vendor Response software Affected Products

Baidu Hi IM software parsing plaintext stack overflow

-- CVE ID:
Not assigned

-- Affected Vendors:
Baidu

-- Affected Products:
Baidu Hi IM software

-- Vulnerability Details:

Our automatic bug exploiting tools have found a buffer overflow bug in
Baidu Hi IM software which is a popular IM software in China.
This bug is due to Baidu Hi do not strictly check the deciphered
plaintext format in CSTransfer.dll.
Because of encryption mechanism of Baidu Hi, it is hard to generate
the proper malicious packet, but not say it's impossible. A proper
malicious packet can cause client system full controlled.

-- Vendor Response:
I contacted with Baidu a month ago, no any response from Baidu.

-- Credit:
This vulnerability was discovered by:
  Gen LI & Jun MA & Ying Zhang

More Detail :
(CSTransfer.dll)

                                          esi
      +---------------------+              |
      |                     |             \|/
      | Malicious input     |              _______________________________
      |                     ...........>  |  |  |  |  |  |   |   |       |
      +---------------------+             |R |  |4 |0 |  |\r |\n | ....  |
                                          |__|__|__|__|__|___|___|_______|
                                          /|\
                                           |
                                          ebp
      +---------------------+
      |                     |
      | Correct content     |
______________________________________________________
      |                     ...........> |  |   | |  |   |  |   |  |
|  |  |  |   |   |       |
      +---------------------+            | c| m | | 1| . |0 |   |R |
|4 |0 |  |\r |\n | ....  |
        loc_10007880:
|__|___|_|__|___|__|___|__|__|__|__|__|___|___|_______|
        mov     al, [esi-1]               /|\                   /|\
        dec     esi                        |                     |
        cmp     al, 20h                   ebp                   esi
        jnz     short loc_10007890
                 |
  +-------+      |---------------------.
  |       |      |                     |
  |      \|/    \|/                    |
  |     loc_10007888:                  |
  |     mov     al, [esi-1]            |
  |     dec     esi                    |
  |     cmp     al, 20h                |
  |     jz      short loc_10007888     |
  |           |  |                     |
  |-----------+  |    +----------------|
                 |    |
                \|/  \|/
        loc_10007890:
        push    20h
        esi edi
        push    ebp                     +---------------------+
         |   |
        inc     esi                     |                     |
        \|/ \|/
        call    ds:strchr               | Malicious input     |
____________ _______________________________
        mov     edi, eax    --------->  |                     ...>|
        |  |  |  |  |  |   |   |       |
                                        +---------------------+
|heap struct |R |  |4 |0 |  |\r |\n | ....  |
           ...........
|____________|__|__|__|__|__|___|___|_______|

        /|\
       loc_100078EA:
         |
       sub     esi, edi               ;esi will be a negative number
        ebp
       cmp     esi, 1Eh
       jg      loc_100079FD

       push    esi             ; size_t   ;esi will be a negative number
       lea     edx, [esp+44h+var_24]
       push    edi             ; char *
       push    edx             ; char *
       call    ds:strncpy                 ; cause buffer overflow