I’ve been away for a while, but I’m back with a new story for you!
This is a short story about running into a vulnerability while analyzing a piece of malware. I hope you enjoy it.
If you have read the black-covered “Secrets of Reverse Engineering” you may remember the Hackarmy botnet client. It’s a really old IRC botnet malware from 2009. I was supposed to analyze it during an assessment I had entered. The questions were relatively trivial, like “What’s the C2 this malware connects to?” and so on. But while I was inspecting its code, something in its IRC command parser caught my attention.
The malware connects to an IRC server that is hardcoded inside it, joins a specific channel, and then waits to receive commands via private messages.
Normally, it expects a specific password value to be sent before it processes anything. This prevents unauthorized execution of commands.
However, this vulnerability sits in the part that parses the IRC “PRIVMSG” command, so crashing this malware doesn’t require knowing the password beforehand. Yay!
Take a look at the following snippet.
When the malware receives data over the network:
- It first compares the first 7 bytes to “PRIVMSG” to see whether it has received an IRC private message.
- If it is indeed a private message, it searches for the string " :" (without quotes) and retrieves the address of the first occurrence.
Now let’s take a look at what a PRIVMSG command looks like.
PRIVMSG Wiz :Hello are you receiving this message ?
So the search operation above yields:
- " :Hello are you receiving this message ?"
Afterwards it calculates address_of_first_occurrence + 2, namely the location where the actual body of the message begins. It then reads the first byte and compares it to the character ‘!’ (some commands this malware receives start with an exclamation mark).
Here the malware assumes that PRIVMSG commands will indeed contain a space followed by a colon. I went on to send one without it to see what would happen. As I suspected, the IRC server relayed the private message nonetheless. And since the malware couldn’t parse it properly, it crashed.
But what happened exactly? By definition, the function strstr() returns NULL if no occurrence is found.
The malware then tried to calculate the beginning of the message body as address_of_first_occurrence + 2, which is actually 0 + 2 since strstr() returned a null pointer. So it tried to read from address 0x2. Since this address is reserved for the kernel, it is inaccessible to a userland application. The operating system noticed the read attempt and crashed the application as a way of telling it to mind its own damn business.
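As an added illustration (this is my own constructed code, not Hackarmy’s and not from the original snippet), here is the parsing pattern described above written out in C next to a hardened version that checks the strstr() result before using it. The function names, the enum values and the sample lines are my assumptions; the hardened parser also treats an empty body after " :" as malformed, which the post does not discuss.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classification results for one received IRC line (constructed names). */
enum msg_kind {
    MSG_NOT_PRIVMSG = 0,  /* line does not start with "PRIVMSG" */
    MSG_MALFORMED   = 1,  /* no " :" separator, or nothing after it */
    MSG_COMMAND     = 2,  /* body starts with '!' */
    MSG_CHAT        = 3   /* any other body */
};

/* Mirrors the faulty arithmetic described in the post: the strstr() result
 * plus 2 with no NULL check. The address is returned as an integer so that
 * it can be inspected without dereferencing it; the original code read from
 * this address, which becomes 0x2 whenever " :" is absent. */
uintptr_t body_address_unsafe(const char *line)
{
    const char *sep = strstr(line, " :");
    return (uintptr_t)sep + 2;   /* sep == NULL  ->  0 + 2 == 0x2 */
}

/* Hardened version: verify the prefix, verify the separator exists, and
 * verify there is at least one byte of body before touching it. */
enum msg_kind classify_privmsg(const char *line)
{
    if (strncmp(line, "PRIVMSG", 7) != 0)
        return MSG_NOT_PRIVMSG;

    const char *sep = strstr(line, " :");
    if (sep == NULL)
        return MSG_MALFORMED;    /* this is the check the bot was missing */

    const char *body = sep + 2;  /* first byte after " :" */
    if (*body == '\0')
        return MSG_MALFORMED;    /* "PRIVMSG Wiz :" carries no body at all */

    return (*body == '!') ? MSG_COMMAND : MSG_CHAT;
}

int main(void)
{
    /* Constructed sample lines, including the one without " :" that crashed the bot. */
    const char *samples[] = {
        "PRIVMSG Wiz :Hello are you receiving this message ?",
        "PRIVMSG Wiz :!ping",
        "PRIVMSG Wiz Hello",
        "PRIVMSG Wiz :",
        "JOIN #chan"
    };
    const char *names[] = { "NOT_PRIVMSG", "MALFORMED", "COMMAND", "CHAT" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-52s -> %s", samples[i], names[classify_privmsg(samples[i])]);
        if (strstr(samples[i], " :") == NULL)
            printf("  (unchecked code would read address 0x%lx)",
                   (unsigned long)body_address_unsafe(samples[i]));
        printf("\n");
    }
    return 0;
}
```

Running this prints each line’s classification; for the line without " :" it also shows the 0x2 address the unchecked arithmetic would have dereferenced, which is exactly the read the operating system refused.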
So this was the vulnerability I found. Needless to say, I passed the assessment.
You may watch the video below if you would like to see a live demonstration!
I hope you enjoyed this thread. See you in the next one!