Disclosure date
===============

February 27, 2010

Summary
=======

Program: Gheg bot
Vector: Network traffic
Type: Null pointer dereference
Impact: Moderate (Program crashes)

Reporters
=========

Juan Caballero
http://www.andrew.cmu.edu/user/juanca/

Pongsin Poosankam
http://www.andrew.cmu.edu/user/ppoosank/

Both reporters are Ph.D. students working with the BitBlaze group at UC Berkeley.
http://bitblaze.cs.berkeley.edu/

Program description
===================

The program that contains the vulnerability is a Gheg bot. Other aliases for this bot are Tofsee and Mondera.

The vulnerability is present in multiple Gheg binaries. We have verified the vulnerability on the binaries below, but other bot binaries could also be affected.

Binary #1
MD5:    f222e77510be80f98ea1430dc13768c2
SHA1:   a3fbe903c16197f1b55a14699ab91850082a6aec
SHA256: 09d3fcc60db6979b9e336952d4fed50aaf24c7eac74aa27b512cd6dbe82e921b

Binary #2
MD5:    287b835b707383a2b31e078781d0b5b8
SHA1:   bfafbbc9c0d8c3df16c5190572fdcedba7246e05
SHA256: 31af3af0dc67cd288202bc8697704cebe1e72ac7d401b5b51408c4002738b6e3

Binary #3
MD5:    edde44883bd0027d68373f3973bf401e
SHA1:   2b2b2d87142d0ded574b5b6dcc05486698f50792
SHA256: 2df061b36846fe4f6ac097b02e85b5e89889ed2a749a1e8fd6507911fcc53613

Binary #4
MD5:    83977366056d0bb74b8d47487c20b0b6
SHA1:   d5e317cdb61c54e8bd5192c4896805032a4aad37
SHA256: 917de26157612df38b44240b151eb22f0900de2c949758aad8434822d8dfdc23

Binary #5
MD5:    cdbd86068c9ddc1fa2556dfd37246604
SHA1:   d2e681a48b20fcc8aca876d86857d2df77e8ce45
SHA256: 7527f9dbad0a661c671b61a01c2d527a6838854c4ff061b3fe305642e90bf1c0

Platforms affected
==================

The bug has been tested using the above binaries on a Windows XP SP3 platform.

Vulnerable function
===================

In process: aog.exe (or whatever name the binary takes)
Function entry point: sub_0x407236

Impact
======

Moderate (program crashes)

Reproducible
============

The bug is reproducible. We have an input that will crash the process when sent to the bot.
Vulnerability description
=========================

The vulnerability is a null pointer dereference. One of the messages in the program's command-and-control (C&C) protocol contains an array size field. The value of that field is multiplied by a constant (0x1e8) and the result is used as the size parameter in a call to ntdll::RtlAllocateHeap. The program does not check the return value of the allocation and later writes into the allocated buffer. When the array size field is large enough, the call to ntdll::RtlAllocateHeap fails and returns a null pointer; the program does not check for this and dereferences the null pointer when it writes to the buffer.

Setup
=====

In order to exploit this vulnerability the bot needs to connect to the server that will hand it the input (the bot initiates the connection to target port tcp/443).

More information
================

More information on this malware bug finding project can be found at:
http://bitblaze.cs.berkeley.edu/bugfinding.html

More information about the Gheg botnet can be found at:
http://blogs.techrepublic.com.com/10things/?p=1373
http://www.secureworks.com/research/threats/botnets2009/
http://www.m86security.com/trace/i/Gheg,spambot.897~.asp
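The allocation pattern described under Vulnerability description, shown in hardened form as an added example in C (not code from the bot or from the reporters): the count is bounded before it is multiplied and the allocation result is checked before any write. The message layout (32-bit little-endian count followed by records), the record structure, and the use of malloc in place of ntdll::RtlAllocateHeap are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define ELEM_SIZE 0x1e8u  /* per-element multiplier named in the advisory */

/* Hypothetical record layout; the real structure is not on the page. */
typedef struct { uint8_t bytes[ELEM_SIZE]; } elem_t;

/* Parse a constructed message: 32-bit little-endian record count, then
 * count * ELEM_SIZE bytes of records.  Returns 0 and a heap copy of the
 * records in *out on success, -1 (with *out == NULL) on any failure. */
int parse_array_message(const uint8_t *msg, size_t len, elem_t **out, size_t *count)
{
    *out = NULL; *count = 0;
    if (len < 4) return -1;
    uint32_t n = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
                 ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    /* Bound the count before multiplying: no size_t overflow, and no
     * allocation larger than the bytes the message actually carries. */
    if (n > SIZE_MAX / ELEM_SIZE) return -1;
    size_t bytes = (size_t)n * ELEM_SIZE;
    if (bytes > len - 4) return -1;
    elem_t *buf = malloc(bytes ? bytes : 1);  /* stands in for RtlAllocateHeap */
    if (buf == NULL) return -1;               /* the check the bot omits */
    memcpy(buf, msg + 4, bytes);
    *out = buf; *count = n;
    return 0;
}

/* Constructed sample: well-formed message carrying two records. */
static int demo_well_formed(void)
{
    uint8_t msg[4 + 2 * ELEM_SIZE];
    memset(msg, 0xAB, sizeof msg);
    msg[0] = 2; msg[1] = msg[2] = msg[3] = 0;
    elem_t *arr; size_t n;
    int rc = parse_array_message(msg, sizeof msg, &arr, &n);
    int ok = rc == 0 && n == 2 && arr && arr[1].bytes[ELEM_SIZE - 1] == 0xAB;
    free(arr);
    return ok;
}

/* Constructed sample: count field 0xFFFFFFFF with only four body bytes. */
static int demo_oversized_count(void)
{
    uint8_t msg[8] = { 0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0 };
    elem_t *arr = (elem_t *)1; size_t n = 99;
    return parse_array_message(msg, sizeof msg, &arr, &n) == -1 && arr == NULL && n == 0;
}
```

The oversized count is rejected before the allocator is asked for anything, so the failure path never reaches a write through an unchecked pointer.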