####################################################################### Luigi Auriemma Application: Qt http://qt.nokia.com Versions: <= 4.6.3 Platforms: Windows, Mac OS X, Linux, mobile devices Bug: QSSLsocket endless loop Exploitation: remote, versus server Date: 29 Jun 2010 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's website: "Qt is a cross-platform application and UI framework. Using Qt, you can write web-enabled applications once and deploy them across desktop, mobile and embedded operating systems without rewriting the source code." ####################################################################### ====== 2) Bug ====== The part of the network library which handles the SSL connection can be tricked into an endless loop that freezes the whole application with CPU at 100%. The problem is located in the QSslSocketBackendPrivate::transmit() function in src_network_ssl_qsslsocket_openssl.cpp that never exits from the main "while" loop. Any application that acts as a server (and client, but has no security impact in this scenario) and uses SSL through the QSslSocket class is vulnerable and some examples are the Mumble server (Murmur), Multi-Computer Virtual Whiteboard and so on. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/qtsslame.zip ####################################################################### ====== 4) Fix ====== No fix. #######################################################################