aMSN Input Validation Error


evilcry
February 1st, 2008, 03:20
Risk: Low
Typology: Input Validation Error

All aMSN versions, on both Windows and Linux platforms.

Like Microsoft MSN, aMSN has a nice feature for exporting and importing the list of
contacts you have.

This list is dumped into an XML file (file extension .ctt) with this structure:

——————————————————————-
<?xml version="1.0"?>
<messenger>
<service name=".NET Messenger Service">
<contactlist>
<contact> your_contact@xxxx.yy ("your_contact@xxxx.yy")</contact>
</contactlist>
</service>
</messenger>
——————————————————————-


aMSN does not correctly validate the contacts you insert; precisely, it does not parse
the format of this file, and when you import a malformed contact list it suddenly
shuts down.

Here is an example of a malformed input list:

——————————————————————-
<?xml version="1.0"?>
<messenger>
<service name=".NET Messenger Service">
<contactlist>
<contact>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@xxxx.yy ("AAAAAAAAAAAAAAAAAAAAAAA@xxxx.yy")</contact>
</contactlist>
</service>
</messenger>
——————————————————————-


Or another possibility:

——————————————————————-
<?xml version="1.0"?>
<messenger>
<service name=".NET Messenger Service">
<contactlist>
<contact><contact><contact><contact>
<contact></contact></contact><contact>
</contact></contact></contact></contact>
</contact>
</contactlist>
</service>
</messenger>
——————————————————————-


This will cause aMSN to freeze.

If you use the same "trick" with MS Messenger, a MessageBox will advise you of the malformed
file.

See you in the next post.
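A defensive illustration of the missing check, added here and not part of evilcry's post or of the aMSN code: a strict .ctt importer in Python that uses a real XML parser and rejects the two malformed listings above (oversized address, nested <contact> tags) instead of crashing. The length limit, the address pattern and the sample files are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed limit and entry shape ('addr ("addr")', as in the exported .ctt); the post says aMSN enforced none.
MAX_ADDRESS_LEN = 254
ENTRY_RE = re.compile(r'^\s*(\S+)\s+\("([^"]*)"\)\s*$')
ADDRESS_RE = re.compile(r'^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')


class ContactListError(ValueError):
    """A .ctt file failed a structural or content check."""


def parse_ctt(data: str) -> list:
    """Return the addresses in a .ctt contact list, or raise ContactListError."""
    try:
        root = ET.fromstring(data)  # a real XML parser, not ad-hoc string matching
    except ET.ParseError as exc:
        raise ContactListError(f"not well-formed XML: {exc}") from None
    if root.tag != "messenger":
        raise ContactListError(f"unexpected root element <{root.tag}>")
    addresses = []
    for node in root.findall("./service/contactlist/contact"):
        if len(node):  # child elements: the nested <contact> listing from the post
            raise ContactListError("nested element inside <contact>")
        text = node.text or ""
        if len(text) > 2 * MAX_ADDRESS_LEN + 8:  # bound the length before matching
            raise ContactListError("contact entry too long")
        m = ENTRY_RE.match(text)
        if not m or m.group(1) != m.group(2):
            raise ContactListError(f"malformed contact entry: {text[:40]!r}")
        addr = m.group(1)
        if len(addr) > MAX_ADDRESS_LEN or not ADDRESS_RE.match(addr):
            raise ContactListError(f"invalid address: {addr[:40]!r}")
        addresses.append(addr)
    return addresses


def validate(data: str):
    """Return (True, addresses) on success or (False, reason) on rejection."""
    try:
        return True, parse_ctt(data)
    except ContactListError as exc:
        return False, str(exc)


# Constructed sample files modelled on the three listings in the post.
HEADER = '<?xml version="1.0"?><messenger><service name=".NET Messenger Service"><contactlist>'
FOOTER = "</contactlist></service></messenger>"
GOOD_CTT = HEADER + '<contact> your_contact@xxxx.yy ("your_contact@xxxx.yy")</contact>' + FOOTER
LONG_ADDR = "A" * 300 + "@xxxx.yy"
LONG_CTT = HEADER + f'<contact>{LONG_ADDR} ("{LONG_ADDR}")</contact>' + FOOTER
NESTED_CTT = HEADER + "<contact><contact><contact></contact></contact></contact>" + FOOTER
```

Calling validate() on each sample returns a reason string for the two malformed files and the single address for the good one, so a failed import can be reported to the user the way the post says MS Messenger does.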

dELTA
February 3rd, 2008, 13:18
Even if it's not remotely exploitable, it seems like a likely stack buffer overflow vulnerability (thus with possible arbitrary code execution possibilities), so maybe the risk is at least a little more than "low" (and maybe iDefense will (or rather would have) given you a few bucks for it).

evilcry
February 7th, 2008, 03:29
Hello,

Yeah, indeed, in certain cases this bug can be exploitable, just by modelling the code inside <contact> tags.

But at first I didn't release this, just because I had advised the aMSN team, but got no reply from these persons, so maybe I'll release a Local for that.

Thanks for the advice, dELTA!

Have a nice Day,
Evilcry