Qt 4.6.3 - 'QSslSocketBackendPrivate::transmit()' Denial of Service

EDB-ID: 14268
Platform: Multiple
Date: 2010-07-08


Source:
http://aluigi.org/adv/qtsslame-adv.txt

#######################################################################

Luigi Auriemma

Application: Qt
http://qt.nokia.com
Versions: <= 4.6.3
Platforms: Windows, Mac OS X, Linux, mobile devices
Bug: QSslSocket endless loop
Exploitation: remote, versus server
Date: 29 Jun 2010
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"Qt is a cross-platform application and UI framework.
Using Qt, you can write web-enabled applications once and deploy them
across desktop, mobile and embedded operating systems without rewriting
the source code."


#######################################################################

======
2) Bug
======


The part of the network library which handles the SSL connection can be
tricked into an endless loop that freezes the whole application with
CPU at 100%.

The problem is located in the QSslSocketBackendPrivate::transmit()
function in src_network_ssl_qsslsocket_openssl.cpp, which never exits
from its main "while" loop.

Any application that acts as a server and uses SSL through the
QSslSocket class is vulnerable (clients are affected too, but that
scenario has no security impact). Some examples are the Mumble server
(Murmur), Multi-Computer Virtual Whiteboard and so on.


#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/qtsslame.zip
or
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/14268.zip (qtsslame.zip)


#######################################################################

======
4) Fix
======


No fix.


#######################################################################