[19387] in bugtraq
Re: Advisory: Licq DoS +exploit
daemon@ATHENA.MIT.EDU (Graham Roff)
Tue Feb 27 15:06:52 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.33.0102261703110.9481-100000@tuna.localdomain>
Date: Mon, 26 Feb 2001 17:06:12 -0500
Reply-To: Graham Roff <graham@LICQ.ORG>
From: Graham Roff <graham@LICQ.ORG>
X-To: "Stanley G. Bubrouski" <stan@CCS.NEU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.21.0102201604400.20187-200000@denali.ccs.neu.edu>
> sent to a port it is listening on. Further testing showed that sending a
> certain amount of data to the port the Remote Management Service (RMS)
> plugin listens on it too would cause Licq to crash or lock up. The
> amount of data needed to be sent to crash Licq may vary from system to
> system. On the Red Hat linux 7.0 system I used 16707 or more bytes sent
> to the port Licq was listening on was enough to crash it. Sending around
> 12000 or more characters to the RMS plugin port was enough to crash Licq
The actual problem is due to line parsing code which uses a fixed length
(dynamically allocated) buffer of 1024 bytes. Any string of characters
longer than 1024 without a newline will crash the server. This has been
fixed in the latest CVS tree which will be released along with Licq 1.0.3
very soon.
_____________________________________________________________________
Graham Roff groff@engmail.uwaterloo.ca
University of Waterloo ICQ #2127503
Computer Engineering Canada
Nolites tes bastardes carborundorum
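
The root cause described in the reply above (a 1024-byte line buffer filled until a newline arrives) can be closed with a bounded accumulator that discards an overlong line and resynchronises at the next newline. This is an added example, not code from the post or from Licq: `line_buf`, `line_buf_feed`, `count_line` and `demo` are hypothetical names, the buffer is a fixed array rather than the dynamically allocated one the post mentions, and the sample input is constructed.

```c
#include <stddef.h>
#define LINE_BUF_SIZE 1024   /* buffer size named in the post */

/* Hypothetical per-connection state; these are not Licq's structures. */
struct line_buf { char data[LINE_BUF_SIZE]; size_t len; int overflow; };
struct stats    { size_t accepted; size_t last_len; };
typedef void (*line_cb)(const char *line, size_t len, void *ctx);

/* Consume one chunk from the socket; returns the number of lines discarded. */
size_t line_buf_feed(struct line_buf *lb, const char *in, size_t n,
                     line_cb on_line, void *ctx)
{
    size_t dropped = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\n') {
            if (!lb->overflow) {               /* complete line that fit */
                lb->data[lb->len] = '\0';
                on_line(lb->data, lb->len, ctx);
            }
            dropped += (size_t)lb->overflow;   /* overlong line ends here */
            lb->len = 0;
            lb->overflow = 0;
        } else if (!lb->overflow) {
            if (lb->len < LINE_BUF_SIZE - 1)   /* keep room for the NUL */
                lb->data[lb->len++] = in[i];
            else
                lb->overflow = 1;  /* an unchecked copy writes past the end here */
        }
    }
    return dropped;
}

static void count_line(const char *line, size_t len, void *ctx)
{
    struct stats *s = ctx;
    (void)line;
    s->accepted++;
    s->last_len = len;
}
/* Constructed input: n_fill bytes without a newline, then a "hello" line. */
size_t demo(size_t n_fill, struct stats *s)
{
    struct line_buf lb = {0};
    size_t dropped = 0;
    s->accepted = s->last_len = 0;
    for (size_t i = 0; i < n_fill; i++)        /* worst case: 1-byte reads */
        dropped += line_buf_feed(&lb, "A", 1, count_line, s);
    return dropped + line_buf_feed(&lb, "\nhello\n", 7, count_line, s);
}
```

A server that prefers to close the connection on an overlong line, instead of resynchronising, can do so as soon as the function returns a nonzero count.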