A vulnerability exists in eMule v0.42d (and probably earlier versions) in the DecodeBase16(...) function. This function takes a hexadecimal string, its length, and a destination buffer (on the stack) as parameters. The function decodes whatever is supplied; neither the string length nor the buffer size is checked, so an over-long string overflows the stack buffer.
The function is called 5 times in the code: 3 times in the web server (which may require authentication) and 2 times in the IRC client (not connected by default).
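To make the defect concrete, here is an added illustration (constructed for this thread, not eMule's own DecodeBase16 source) of a hex decoder with the same shape as the one described above, beside a hardened version that takes the destination capacity and rejects anything that would not fit. The 16-byte destination size and the function names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Map one hex digit to its value, or -1 if it is not a hex digit. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Unchecked variant, mirroring the advisory's description: it decodes
 * len/2 bytes into dest and trusts that the caller's buffer is large
 * enough. With a fixed-size stack buffer at the call site, any string
 * longer than twice that size writes past the end of it. */
size_t decode_base16_unchecked(const char *hex, size_t len, unsigned char *dest)
{
    size_t out = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        int hi = hex_nibble(hex[i]), lo = hex_nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) break;
        dest[out++] = (unsigned char)((hi << 4) | lo);
    }
    return out;
}

/* Hardened variant: the caller passes the destination capacity, and the
 * function refuses odd lengths, non-hex characters and any input whose
 * decoded size exceeds the buffer. Validation happens before any write,
 * so a rejected input leaves dest untouched. Returns the number of
 * bytes written, or -1 on rejection. */
int decode_base16_checked(const char *hex, size_t len,
                          unsigned char *dest, size_t dest_cap)
{
    if (len % 2 != 0 || len / 2 > dest_cap) return -1;
    for (size_t i = 0; i < len; i += 2)
        if (hex_nibble(hex[i]) < 0 || hex_nibble(hex[i + 1]) < 0) return -1;
    for (size_t i = 0; i < len; i += 2)
        dest[i / 2] = (unsigned char)((hex_nibble(hex[i]) << 4) | hex_nibble(hex[i + 1]));
    return (int)(len / 2);
}

/* Wrapper around a 16-byte stack buffer (assumed size for the example):
 * returns the decoded length, or -1 if the input was rejected. */
int decode16_len(const char *hex)
{
    unsigned char hash[16] = {0};
    return decode_base16_checked(hex, strlen(hex), hash, sizeof hash);
}

/* Same wrapper, returning byte `idx` of the decoded result, or -1 if
 * the input was rejected or idx is past the decoded length. */
int decode16_byte(const char *hex, size_t idx)
{
    unsigned char hash[16] = {0};
    int n = decode_base16_checked(hex, strlen(hex), hash, sizeof hash);
    if (n < 0 || idx >= (size_t)n) return -1;
    return hash[idx];
}

int main(void)
{
    const char *ok = "00112233445566778899aabbccddeeff";      /* 32 hex chars: fits */
    const char *too_long = "00112233445566778899aabbccddeeff00"; /* 34 hex chars: rejected */
    printf("fits:     %d bytes\n", decode16_len(ok));
    printf("too long: %d (rejected, nothing written)\n", decode16_len(too_long));
    printf("odd len:  %d (rejected)\n", decode16_len("abc"));
    return 0;
}
```

The point of the hardened form is the order of operations: every check (length parity, character set, capacity) runs before the first byte is written, so the caller's stack buffer can never be partially overrun by a string that is rejected halfway through.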
Bourriquet is an mIRC alias that exploits this overflow in v0.42d via the SENDLINK command; its payload calls MessageBoxA (to display 'Patch your eMule !') and then ExitProcess :
An effort was also made to change the IRC server address and kick out vulnerable clients (nice work
Solution/Workaround
-------------------
The following options are available:
- upgrade to eMule version 0.42e,
- do not use the eMule web server and IRC client,
- uninstall eMule
Credits
-------
The vulnerability was discovered by Kostya Kortchinsky, from CERT RENATER, on March 24th 2004, following a FHP meeting and a remark from nico: "eMule and all these P2P tools are better than VNC to get remote access to a box".
Greetings to the people of the French Honeynet Project, MISC Magazine and #fee1dead@EFnet.
FakoLy
Apr 3 2004, 06:51 PM
Personally I don't use eMule (nor any other P2P clients ^^) but thanks for this nice info. I like nico at the FHP meeting hehe. Regards
Hellraiseruk
Apr 3 2004, 11:12 PM
Sounds interesting.. I know plenty of people that use eMule, so quite a lot will be vulnerable, maybe I can find the code to compile it
setthesun
Apr 4 2004, 05:02 AM
eMule is a huge P2P network and only some of its users upgrade their versions. I still see lots of people using version 0.3.