Disclosure date
===============

July 22, 2010

Summary
=======

Program: Cutwail bot
Vector: Network traffic
Type: Buffer overrun
Impact: High (Out-of-bounds write)

Reporters
=========

Pongsin Poosankam
http://www.andrew.cmu.edu/user/ppoosank/

Edward Xuejun Wu
http://edwardxwu.com/

Juan Caballero
http://www.andrew.cmu.edu/user/juanca/

Pongsin Poosankam and Juan Caballero are Ph.D. students working with the BitBlaze group at UC Berkeley. Edward Xuejun Wu is an undergraduate researcher in the BitBlaze group.
http://bitblaze.cs.berkeley.edu/

Program description
===================

The program that contains the vulnerability is a Cutwail bot. Other aliases for this bot are Pushdo, Pushu, and Pandex.

The vulnerability is present in multiple Cutwail binaries. We have verified the vulnerability on the binaries below, but other bot binaries could also be affected.

Binary #1
MD5: 3b9c3d653c3e5cb40c93e9599ee507de
SHA1: 3277a9dd2d1f9a242d431ca76e2a8362221da129
SHA256: 98b368e66ec3e3e583603fbd8ab575c44e9a11f0733062b1ce179fea0f004731

Binary #2
MD5: 1fb0dad6937c9faf8826bc18bd351279
SHA1: a4bb67e919b41782b5049b80dffabf7944c02886
SHA256: 316a317fe1b8ed6575e98468741810b54de8854648b25411424a73280b92ac45

Platforms affected
==================

The bug has been tested using the above binaries on a Windows XP SP3 platform.

Vulnerable function
===================

In process: svchost.exe
Function entry point: sub_0x9501380

Impact
======

High (Out-of-bounds write)

Reproducible
============

The bug is reproducible. We have an input that crashes the process when sent to the bot.

Vulnerability description
=========================

The vulnerability is a buffer overrun that leads to an out-of-bounds write. One of the C&C messages contains an array. Each record in the array carries a length field specifying the length of that record. This record length field is used as the size parameter in a call to ntdll::RtlAllocateHeap. The returned pointer is stored into a global array that can hold only 50 records. If the array in the received message has more than 50 records, the pointer for the 51st record is written outside the bounds of the global array.

Setup
=====

In order to exploit this vulnerability the bot needs to connect to the server that will hand it the input (the bot initiates the connection to target port tcp/80).

More information
================

More information on this malware bug finding project can be found at:
http://bitblaze.cs.berkeley.edu/bugfinding.html

More information about the Cutwail botnet can be found at:
http://blogs.techrepublic.com.com/10things/?p=1373
http://www.secureworks.com/research/threats/botnets2009/
http://www.m86security.com/labs/i/Pushdo,spambot.900~.asp
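The bounds check that the vulnerability description above says is missing, as an added C example that is neither the bot's code nor the reporters' crashing input: a parser for a length-prefixed record array that stores one heap pointer per record in a 50-entry table and rejects a message that would need a 51st slot. The wire layout (records back to back until the message ends, each a 32-bit little-endian length followed by that many bytes) is an assumption, as are the function names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RECORDS 50 /* capacity of the global pointer table described in the advisory */
/* Assumed wire layout (not taken from the advisory): records back to back until the
 * message ends, each a 32-bit little-endian length followed by that many bytes. */
static void *g_records[MAX_RECORDS]; /* fixed-size table indexed by record number */
static size_t g_count;

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

void free_records(void) { for (size_t i = 0; i < g_count; i++) free(g_records[i]); g_count = 0; }

/* Bounds-checked parser: returns the number of records stored, or -1 if the message is
 * malformed or carries more records than the table holds (the advisory's 51st-record case). */
int parse_records(const uint8_t *msg, size_t len)
{
    size_t off = 0, n = 0;
    free_records();
    while (off < len) {
        if (n == MAX_RECORDS) goto fail;          /* the check the bot lacks */
        if (len - off < 4) goto fail;             /* truncated length field */
        uint32_t rlen = rd32(msg + off); off += 4;
        if (rlen > len - off) goto fail;          /* length exceeds bytes present */
        void *rec = malloc(rlen ? rlen : 1);      /* stand-in for RtlAllocateHeap */
        if (!rec) goto fail;
        memcpy(rec, msg + off, rlen); off += rlen;
        g_records[n++] = rec;
        g_count = n;                              /* keep the table consistent for cleanup */
    }
    return (int)n;
fail:
    free_records();
    return -1;
}

/* Builds a constructed message of n one-byte records and parses it (test helper). */
int parse_constructed(size_t n)
{
    uint8_t buf[256 * 5];
    if (n > 256) return -1;
    for (size_t i = 0; i < n; i++) {
        memset(buf + i * 5, 0, 5);
        buf[i * 5] = 1; buf[i * 5 + 4] = (uint8_t)i; /* length 1 (LE), then one payload byte */
    }
    return parse_records(buf, n * 5);
}
```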