Tencent QQ SuperVideo Remote Denial of Service Vulnerability


QQ2006 beta3 and previous versions
QQ is a very popular IM client in China developed by Tencent. There is a remote denial of service vulnerability in QQ when using SuperVideo chat. Current analysis shows that an attacker who successfully exploits the vulnerability can crash the remote client.

The attack packet is as follows (0x12 bytes):

03 0f 43
bf //xor char
58 1b ec bf //id1
47 72 c1 9b //id2
00 05
00 6b

Notice that the data which should follow, carrying the RTP header and the encrypted bitmap data, is empty. The parsing code is:

60A9512F push 2Ch ; size_t
60A95131 lea eax, [ebp-58h]
60A95134 push ebx ; int
60A95135 push eax ; void *
60A95136 mov byte ptr [ebp-4], 1
60A9513A call memset ; memset(lpDataHeader,0x00,0x2c);
60A9513F add esp, 0Ch
60A95142 lea eax, [ebp-58h] ; lpDataHeader
60A95145 mov ecx, esi
60A95147 push dword ptr [ebp+8]
60A9514A push edi
60A9514B push eax
60A9514C call sub_60A95D88 ; get the structure into lpDataHeader
60A95151 test eax, eax
60A95153 jnz short loc_60A95191

60A95D88 sub_60A95D88 proc near ; CODE XREF: sub_60A94FD3+179p
60A95D88 mov eax, offset loc_60AF0DE4
60A95D8D call __EH_prolog

60A95F28 xor eax, eax
60A95F2A cmp [ebp+10h], eax ; if (counter >0x12) ?
60A95F2D jg short loc_60A95F34 ; no jmp
60A95F2F mov [esi+24h], eax ; set lpRTPBuff=0
60A95F32 jmp short loc_60A95F50 ; jmp
60A95F34 ; ---------------------------------------------------------------------------
60A95F34 loc_60A95F34: ; normal type
60A95F34 push dword ptr [ebp+10h]
60A95F37 call ??2@YAPAXI@Z ; operator new(uint)
60A95F3C push dword ptr [ebp+10h] ; size_t
60A95F3F inc edi
60A95F40 mov [esi+24h], eax
60A95F43 push edi ; void *
60A95F44 push eax ; void *
60A95F45 call memcpy
60A95F4A mov eax, [ebp+10h]
60A95F4D add esp, 10h
60A95F50 loc_60A95F50: ; CODE XREF: sub_60A95D88+1AAj
60A95F50 push 1
60A95F52 mov [esi+28h], eax ; set dwRTPBuffLen=0
60A95F55 pop eax ; return success
60A95F56 jmp short loc_60A95ED9
60A95F56 sub_60A95D88 endp

Function "sub_60A95D88" parses the video packet header into the structure "lpDataHeader"; the relationship between them is:

[lpDataHeader+24h] = lpRTPBuff
[lpDataHeader+28h] = dwRTPBuffLen

However, when the total length of the video packet equals 0x12, function sub_60A95D88 sets lpRTPBuff=NULL and dwRTPBuffLen=0 but still returns a success value. Trusting that return value, the main function hands the NULL pointer to the next protocol layer, so a memory access error occurs.

The code that causes the memory access error is as follows:

6273DE29 call sub_6274226A
|____62742285 push 3
62742287 push 0
62742289 push ebx ; lpRTPBuff=NULL
6274228A mov [ebp+var_4], esi
6274228D call sub_62742B20
|____62742B20 mov edx, [esp+arg_4]
62742B24 mov eax, [esp+arg_8]
62742B28 lea ecx, [edx+eax]
62742B2B cmp edx, ecx
62742B2D jge short locret_62742B5D
62742B2F mov eax, [esp+arg_0] ; lpRTPBuff=NULL
62742B33 push esi
62742B34 sub ecx, edx
62742B36 lea eax, [eax+edx*4+2] ; eax=2

62742B3A movzx esi, byte ptr [eax] ; memory access error
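As an added illustration (not code from this advisory or from Tencent), the following C model reproduces the decision the advisory attributes to sub_60A95D88 (empty payload stored as NULL/0 yet reported as success) and the byte read in sub_62742B20, next to a hardened parse that rejects an empty RTP payload and a reader that checks the pointer and bounds before touching memory. The fixed-header length is taken from the bytes listed above, the field layout is simplified, and every function and type name here is an assumption of this example; the sample packet is constructed from the listed bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the header bytes listed in the advisory, with no RTP
 * payload behind them. The advisory reports the crashing packet as 0x12 bytes;
 * treating these bytes as the whole fixed header is an assumption here, the
 * point is only that nothing follows them. */
static const uint8_t SAMPLE_HEADER_ONLY[] = {
    0x03, 0x0f, 0x43,
    0xbf,                   /* xor char */
    0x58, 0x1b, 0xec, 0xbf, /* id1 */
    0x47, 0x72, 0xc1, 0x9b, /* id2 */
    0x00, 0x05,
    0x00, 0x6b
};
#define FIXED_HEADER_LEN (sizeof SAMPLE_HEADER_ONLY)

/* Simplified model of lpDataHeader: only the two fields the advisory names. */
typedef struct {
    uint8_t *rtp_buf;   /* [lpDataHeader+24h], lpRTPBuff   */
    size_t   rtp_len;   /* [lpDataHeader+28h], dwRTPBuffLen */
} data_header_t;

/* Models sub_60A95D88 as described: with no bytes left after the fixed header it
 * stores rtp_buf=NULL, rtp_len=0 and still returns 1 (success). */
int parse_video_packet_vulnerable(const uint8_t *pkt, size_t len, data_header_t *hdr)
{
    memset(hdr, 0, sizeof *hdr);                /* memset(lpDataHeader,0,0x2c) */
    if (len < FIXED_HEADER_LEN)
        return 0;
    size_t remaining = len - FIXED_HEADER_LEN;  /* the counter compared with 0 */
    if (remaining > 0) {                        /* loc_60A95F34: normal type */
        hdr->rtp_buf = malloc(remaining);       /* operator new(remaining) */
        if (hdr->rtp_buf == NULL)
            return 0;
        memcpy(hdr->rtp_buf, pkt + FIXED_HEADER_LEN, remaining);
    } else {
        hdr->rtp_buf = NULL;                    /* set lpRTPBuff=0 ...          */
    }
    hdr->rtp_len = remaining;                   /* ... and dwRTPBuffLen=0 ...   */
    return 1;                                   /* ... but still report success */
}

/* Hardened variant: an empty RTP payload is a malformed packet and is rejected,
 * so the caller never forwards a NULL buffer to the next protocol layer. */
int parse_video_packet_hardened(const uint8_t *pkt, size_t len, data_header_t *hdr)
{
    if (!parse_video_packet_vulnerable(pkt, len, hdr))
        return 0;
    return hdr->rtp_buf != NULL && hdr->rtp_len != 0;
}

/* Models the read in sub_62742B20 (byte at rtp_buf[i*4 + 2] for i in
 * [start, start+count)), with the NULL and bounds checks the original lacks. */
int read_rtp_bytes(const data_header_t *hdr, size_t start, size_t count, uint8_t *out)
{
    if (hdr->rtp_buf == NULL)
        return 0;
    for (size_t i = start; i < start + count; i++) {
        size_t off = i * 4 + 2;
        if (off >= hdr->rtp_len)
            return 0;
        out[i - start] = hdr->rtp_buf[off];
    }
    return 1;
}

void free_header(data_header_t *hdr)
{
    free(hdr->rtp_buf);
    hdr->rtp_buf = NULL;
    hdr->rtp_len = 0;
}

/* Header-only packet: returns 1 when the vulnerable parse reports success with a
 * NULL buffer, the hardened parse rejects it, and the checked reader refuses to read. */
int demo_empty_payload(void)
{
    data_header_t h;
    uint8_t out[3];
    int vuln_ok   = parse_video_packet_vulnerable(SAMPLE_HEADER_ONLY, FIXED_HEADER_LEN, &h);
    int null_buf  = (h.rtp_buf == NULL && h.rtp_len == 0);
    int read_ok   = read_rtp_bytes(&h, 0, 3, out);
    int harden_ok = parse_video_packet_hardened(SAMPLE_HEADER_ONLY, FIXED_HEADER_LEN, &h);
    free_header(&h);
    return vuln_ok == 1 && null_buf && read_ok == 0 && harden_ok == 0;
}

/* Same header followed by a constructed 12-byte payload 0x00..0x0b: returns the
 * sum of the three bytes the reader picks (offsets 2, 6, 10), or -1 on failure. */
int demo_with_payload(void)
{
    uint8_t pkt[FIXED_HEADER_LEN + 12], out[3];
    data_header_t h;
    memcpy(pkt, SAMPLE_HEADER_ONLY, FIXED_HEADER_LEN);
    for (size_t i = 0; i < 12; i++)
        pkt[FIXED_HEADER_LEN + i] = (uint8_t)i;
    if (!parse_video_packet_hardened(pkt, sizeof pkt, &h) || h.rtp_len != 12)
        return -1;
    int ok = read_rtp_bytes(&h, 0, 3, out);
    int sum = ok ? out[0] + out[1] + out[2] : -1;
    free_header(&h);
    return sum;
}

int main(void)
{
    printf("empty payload handled safely: %s\n", demo_empty_payload() ? "yes" : "no");
    printf("payload bytes at offsets 2,6,10 sum to: %d\n", demo_with_payload());
    return 0;
}
```

The fix that matters is the one in parse_video_packet_hardened: a length check that yields a NULL buffer must fail the parse rather than succeed with empty fields, because downstream code trusts the return value, not the pointer. The reader's NULL and bounds checks are the defence-in-depth layer for the case where a caller forgets that.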

cocoruder([email protected])
Tencent has fixed this vulnerability in QQ 2006 Standard, which can be downloaded from: