lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 11 Nov 2005 11:35:26 -0800
From: Cory Altheide <cory@...gle.com>
To: bugtraq@...urityfocus.com
Subject: Re: New Bug KESM in GoogleTalk


> From: natalylopez380@...mail.com
> To: bugtraq@...urityfocus.com
> Subject: New Bug KESM in GoogleTalk
>
> Hi!! My name is Nataly Lopez, I'm a 17 years old girl living in
> Venezuela; I have always loved computer security because that's also
> my father's work.
> Well, the reason for me to post this is for telling you about a bug in
> Google Talk I discovered with my friend chris77 (#velug @
> irc.freenode.net) this afternoon.
> Google Talk's excellent features allow the user to know when contacts
> send mails without configuring any passports, etc., well, you know
> that. What's really funny is: one can generate remote errors in the
> users' systems connected to Google Talk, and thus creating a kind of
> DoS. So Google Talk stops working if it has email notification
> enabled: it suffices to type this command in a Linux shell (nail must
> be installed of course):
>
> echo kill | nail -s Kill -r "" victim@...il.com
>
> This instruction is quite simple, and will send an email to the user
> being connected to Google Talk from a certain "unknown sender", and as
> you can see, GoogleTalk Windows client cannot notify <> is sending an
> email. Therefore, an error windows appears on screen:
>
> [ Google Talk encountered an internal error, and must now close. Ok to
> report this error to Google? ]
> [Yes] [No]
>
> We called this bug KESM, which stands for "Killer Empty Sender
> Message" :) and one can easily implement it into a loop, keeping the
> victim busy clicking on the YES button and resetting his connection to
> Google Talk.
>
> That's all for now folks :-)

Google has investigated this report and verified the validity of this
bug.  It is fixed in the current version of Google Talk (1.0.0.76),
which is available at http://www.google.com/talk/.  Existing users are
being updated automatically.

We take the security of our services and users very seriously, and
work to rapidly resolve any reported vulnerabilities.  In the interest
of minimizing the impact that security vulnerabilities have on our end
users, we highly encourage anyone who discovers a vulnerability in a
Google product or service to follow responsible disclosure policies by
contacting us first at security@...gle.com.

--
-- Cory Altheide
-- Incident Response Lead
-- Google Security Team
-- security@...gle.com


Powered by blists - more mailing lists