SecurityTracker.com
Category:   Application (Instant Messaging/IRC/Chat)  >   jadc2s
Vendors:   jabberd project
jadc2s XML Parsing Bug Lets Remote Users Crash the Service
SecurityTracker Alert ID:  1011384
SecurityTracker URL:  http://securitytracker.com/id/1011384
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 22 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.9.0 and prior versions
Description:   A vulnerability was reported in jadc2s in the parsing of XML messages. A remote user can cause the target application to crash. jabberd 1.4 is also affected.

Matthias Wimmer noted that Jose Antonio Calvo reported that a remote user can send the following byte sequence to the target system to cause the jadc2s daemon to crash:

0xEF, 0xBB, 0xBF

A demonstration exploit is provided:

echo -e '\xef\xbb\xbf'|netcat ip port

The string can be sent to sockets being used by the daemon for both client and server connections.

jabberd2 version 2.0s3 is reportedly not affected.
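
For monitoring sockets of daemons that have not yet been patched, the check below flags connections whose first three bytes are the sequence quoted above (0xEF, 0xBB, 0xBF, which is the UTF-8 byte order mark), including when those bytes arrive split across several reads. It is an added example, not code from this advisory or from the jabberd project; the class and function names, the constructed sample events, and the choice to match only at the start of a stream (as in the demonstration command) are assumptions.

```python
# Added example (not from the advisory): stateful stream-start check.
TRIGGER = bytes([0xEF, 0xBB, 0xBF])  # byte sequence quoted in the advisory


class StreamPrefixMonitor:
    """Tracks the first bytes of each connection, tolerating fragmentation."""

    def __init__(self):
        self._prefix = {}   # conn_id -> bytes seen so far (shorter than TRIGGER)
        self._decided = {}  # conn_id -> final verdict (True or False)

    def feed(self, conn_id, chunk):
        """Return True if the stream began with TRIGGER, False if it did not,
        or None while too few bytes have arrived to decide."""
        if conn_id in self._decided:
            return self._decided[conn_id]
        seen = (self._prefix.get(conn_id, b"") + chunk)[:len(TRIGGER)]
        if not TRIGGER.startswith(seen):
            verdict = False            # diverged from the sequence
        elif len(seen) == len(TRIGGER):
            verdict = True             # full sequence seen at stream start
        else:
            self._prefix[conn_id] = seen
            return None                # still a partial match, keep waiting
        self._prefix.pop(conn_id, None)
        self._decided[conn_id] = verdict
        return verdict


def flagged_connections(events):
    """Return connection ids, in order of detection, that opened with TRIGGER."""
    monitor, flagged = StreamPrefixMonitor(), []
    for conn_id, chunk in events:
        if monitor.feed(conn_id, chunk) and conn_id not in flagged:
            flagged.append(conn_id)
    return flagged


# Constructed sample: (connection id, bytes received), interleaved as on a live listener.
SAMPLE_EVENTS = [
    ("c1", b"<?xml version='1.0'?><stream:stream to='example.org'>"),
    ("c2", b"\xef"),                         # sequence split across reads
    ("c3", b"\xef\xbb\xbf\n"),               # sequence in a single read
    ("c2", b"\xbb\xbf\n"),
    ("c4", b"\xef\xbb<"),                    # near miss, not flagged
    ("c1", b"<message>\xef\xbb\xbf</message>"),  # mid-stream, not flagged
]

if __name__ == "__main__":
    print(flagged_connections(SAMPLE_EVENTS))
```
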

Impact:   A remote user can cause the target daemon to crash.
Solution:   A fix is available via CVS. CVS snapshots that are newer than 2004-05-22 (jabberd14) or 2004-09-07 (jadc2s) are not affected.

A patch for jabberd 1.4.3 is available at:

http://devel.amessage.info/jabberd14/

A patch for jadc2s will be available shortly at:

http://devel.amessage.info/jadc2s/

Vendor URL:  jabberd.jabberstudio.org/1.4/doc/jadc2s
Cause:   Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Possible DoS attack against jabberd 1.4.3 and jadc2s 0.9.0


jabberd up to and including version 1.4.3 and jadc2s up to and including
version 0.9.0 are vulnerable against a DoS attack reported by Jose
Antonio Calvo yesterday on the jabberd mailing list.
(http://jabberstudio.org/pipermail/jabberd/2004-September/002004.html)

An attacker can crash a running jabberd14 server, if it has access to
one of the following types of network sockets:
- Socket accepting client connections
- Socket accepting connections from other servers
- Socket connecting to another Jabber server
- Socket accepting connections from server components
- Socket connecting to server components
(All connections on which XML is parsed by jabberd14.)

An attacker can crash a running jadc2s component, if it has access to one
of the following types of network sockets:
- Socket accepting client connections
- Socket connecting to the main Jabber server
(All connections on which XML is parsed by jadc2s.)

The attack can be tested by sending the byte sequence 0xEF, 0xBB, 0xBF
to any of the above sockets.

The bug has been fixed in the CVS versions of both projects already some
time ago as the affected code already had been removed from both
projects. Therefore you are not affected if you are running CVS
snapshots that are newer than 2004-05-22 (jabberd14) or 2004-09-07
(jadc2s).

A patch for jabberd 1.4.3 is available at the URI
http://devel.amessage.info/jabberd14/, a patch for jadc2s has not yet
been published but will be available on
http://devel.amessage.info/jadc2s/ shortly.

Related software:
- jabberd2 version 2.0s3 is not affected by this bug.
- Other projects that incorporate jabberd14 code might be affected by
  this bug as well. This might include the Jabber module of CenterICQ
  (only vulnerable by a Jabber server CenterICQ connects to), but I have
  not tested this yet.


Copyright 2019, SecurityGlobal.net LLC