GCALDaemon is "an OS-independent Java program that offers two-way synchronization between Google Calendar and various iCalendar compatible calendar applications. GCALDaemon is primarily designed as a calendar synchronizer but it can also be used as a Gmail notifier, Address Book importer, Gmail terminal and RSS feed converter".
Sunbird/Kontact/Firefox/ThunderBird/Mozilla Calendar all share calendars over HTTP, by uploading their file via an HTTP PUT and getting/refreshing their calendar with an HTTP GET. The GCALDaemon's built-in HTTP server keeps this HTTP messages in sync with a specified Google Calendar. An input validation flaw permits to craft an HTTP request with an abnormal content-length value; this malformed request could trigger a denial of service that arises from a Java out of memory fatal error.
Credit:
The information has been provided by Luca Carettoni.
Vulnerable Systems:
* GALDaemon version 1.0-beta13
Using a crafted HTTP request, an attacker could trigger a denial of service that arises from a java.lang.OutOfMemoryError when the Java heap space is overfilled. In the file "org/gcaldaemon/core/http/HTTPListener.java", the GCALDaemon's built-in HTTP server parses the HTTP request and the HTTP header parameters without validation checkpoints. In the line of code "490:org/gcaldaemon/core/http/HTTPListener.java" the "Content-Length" header parameter is used to create a new byte array; when the size of this structure is big enough, it could trigger a Java fatal error that blocks the HTTP daemon:
Exception in thread "HTTP listener" java.lang.OutOfMemoryError: Java heap space
at org.gcaldaemon.core.http.HTTPListener.readRequest(HTTPListener.java:490)
at org.gcaldaemon.core.http.HTTPListener.run(HTTPListener.java:167)
Exploit:
The provided proof-of-concept can trigger the issue.
