SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Instant Messaging/IRC/Chat)  >   MSN Messenger Vendors:   Microsoft
MSN Messenger Protocol '.pif' Group Conversation Bug Lets Remote Users Deny Service
SecurityTracker Alert ID:  1014444
SecurityTracker URL:  http://securitytracker.com/id/1014444
CVE Reference:   CVE-2005-2225   (Links to External Site)
Updated:  Jun 15 2008
Original Entry Date:  Jul 11 2005
Impact:   Denial of service via network
Exploit Included:  Yes  

Description:   Diabolic Crab reported a vulnerability in the MSN Messenger protocol. A remote authenticated user can kick users out of a group conversation.

A remote authenticated user in a group conversation can send a plain text message containing the text ".pif" to kick all of the users in the conversation out of the conversation.

Additional information is available at:

http://www.messenger-blog.com/?p=146

Impact:   A remote authenticated user can kick users out of a group conversation.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Msn Messenger Protocol has a vulnerability that allows kicking of all users in a group conversation.

X-SecurityTracker-Received: Mon, 11 Jul 2005 03:38:44 -0400

 http://www.digitalparadox.org/viewadvisories.ah?view=45

Msn Messenger Protocol has a vulnerability that allows kicking of all users in a group conversation.
Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.dbtech.org

Severity: High
Title: Msn Messenger Protocol has a vulnerability that allows kicking of all users in a group conversation.
Date: 10/07/2005

Details:

While in a group conversation, sending a plain text message containing ".pif" causes not just you, but all the users in
the conversation to be kicked. It also makes it impossible to figure out which one of the users has caused the "booting"
to take place.

You can read a article about this at, http://www.messenger-blog.com/

Also, a special thank you to TB regarding this issue, as he has taken on the job of further investigating it.

UPDATE: It also seems to work on gaim, and therefore is probably a msn server, or protocol issue.

Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com,
please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or
http://digitalparadox.org/. Lookout for my soon to come out book on Secure coding with php.
 

Sincerely,
Diabolic Crab
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC