[NT] Ares FileShare Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Ares FileShare Buffer Overflow
------------------------------------------------------------------------


SUMMARY

 <http://www.aresfileshare.com/> Ares Fileshare is "a P2P application that 
supports connecting to several P2P networks eg, Gnutella and OpenFT".

A buffer overflow vulnerability has been discovered in Ares FileShare 
software. The buffer overflow can be triggered whenever the program 
initiates a search containing an arbitrarily long string.

DETAILS

Vulnerable Systems:
 * Ares FileShare version 1.1

Exploitation of a buffer overflow vulnerability in Ares FileShare could 
allow execution of arbitrary code. A specially crafted .conf file 
(ares.conf - configuration file of Ares FileShare) containing long 
searched strings history information or entering a long string for Search 
can cause Ares FileShare to overwrite stack space. No checks are made on 
the length of data being copied, When a string data is longer than 1065 
bytes (1066 or longer), allowing the return address on the stack to be 
overwritten (in UNICODE).

Successful exploitation allows remote and local attackers to execute 
arbitrary code in the context of the target user that opened the malicious 
configuration file or entering specially crafted search data. After this 
when user starts Ares FileShare program and selects this malicious entry 
from Search Listbox, buffer overflow occurs.

An example malicious ares.conf file is that contains long search history 
data:
history = AAAAA.....[ A x 1065 bytes (where the EIP starts in UNICODE) 
]AA...\r\n

The data that is written onto the stack is in the form: 0x00410041

41s in hexadecimal = 'A's are controlled by the input. While this tends to 
make exploitation more difficult, it does not prevent it, as it may be 
possible for an attacker to cause controlled data to be put into a memory 
location matching the required format.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:kozan@xxxxxxxxxxxxxxxxxx> 
kozan.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@xxxxxxxxxxxxxx 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.