Date: Sat, 2 Sep 2006 21:06:11 -0400 (EDT)
From: "ScatterChat Advisories" <sc_advisories@...ktivismo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: ScatterChat Advisory 2006-02: Win32 Tor Client
 Routing and Denial of Service Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ScatterChat Advisory 2006-02:  Win32 Tor Client Routing and Denial of
Service Vulnerabilities
Technical Report
September 2nd, 2006

CVE ID: CVE-2006-4508
OSVDB:  28276, 28277



SUMMARY

ScatterChat (http://www.scatterchat.com/) is an instant messaging project
that aims to provide encryption and anonymity support with Tor to
non-technical users such as human rights activists and political
dissidents.

Vulnerabilities were found in the external Tor program that is packaged
with the Windows installer.  These vulnerabilities allow a Tor entry node
to route traffic through the client, or to cause a denial of service by
crashing the Tor process with malformed input.

The impact of these vulnerabilities is low.



DETAILS

The official Tor advisory can be found at:
http://archives.seul.org/or/announce/Aug-2006/msg00001.html



IMPACT

The end-user impact of this issue is low.

Should a malicious or compromised Tor entry node successfully exploit
these issues, the local user's Tor process would crash, and/or the user's
machine would route traffic to other Tor nodes.

Routing unwanted traffic would cause bandwidth resources to be consumed
as long as ScatterChat is running.



SOLUTION

All Windows users who employ ScatterChat's anonymity feature are
strongly encouraged to upgrade to ScatterChat v1.0.2:

http://www.scatterchat.com/download/v1.0.2/scatterchat-1.0.2.exe
http://www.scatterchat.com/download/v1.0.2/scatterchat-1.0.2.exe.sig



CONTACT

J. Salvatore Testa II
jtesta--at--hacktivismo--dot--com

http://www.scatterchat.com/jtesta_2006.asc
3428 E58E 715E C37D 2AA7 C55E 97D1 DE8C 4B26 2B62


- - ----
A less technical summary of this advisory can be found at:
http://www.scatterchat.com/advisories/2006-02_non_tech.html


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE+iHXl9HejEsmK2IRAinIAKC9dHPNc+XJzcX4EeNXI2xilDxOFACfW9LG
qtJQVqTJoHgbb/vXCv0+sQo=
=mw1y
-----END PGP SIGNATURE-----

