#######################################################################

Luigi Auriemma

Application: Qt
http://qt.nokia.com
Versions: <= 4.6.3
Platforms: Windows, Mac OS X, Linux, mobile devices
Bug: QSSLsocket endless loop
Exploitation: remote, versus server
Date: 29 Jun 2010
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"Qt is a cross-platform application and UI framework.
Using Qt, you can write web-enabled applications once and deploy them
across desktop, mobile and embedded operating systems without rewriting
the source code."

#######################################################################

======
2) Bug
======

The part of the network library which handles the SSL connection can be
tricked into an endless loop that freezes the whole application with
CPU at 100%.

The problem is located in the QSslSocketBackendPrivate::transmit()
function in src_network_ssl_qsslsocket_openssl.cpp that never exits
from the main "while" loop.

Any application that acts as a server (and client, but has no security
impact in this scenario) and uses SSL through the QSslSocket class is
vulnerable and some examples are the Mumble server (Murmur),
Multi-Computer Virtual Whiteboard and so on.

#######################################################################

===========
3) The Code
===========

http://www.exploit-db.com/sploits/qtsslame.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################