Full Disclosure mailing list archives
ScatterChat Advisory 2006-02: Win32 Tor Client Routing and Denial of Service Vulnerabilities
From: "ScatterChat Advisories" <sc_advisories () hacktivismo com>
Date: Sat, 2 Sep 2006 21:06:11 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ScatterChat Advisory 2006-02: Win32 Tor Client Routing and Denial of Service Vulnerabilities

Technical Report
September 2nd, 2006

CVE ID: CVE-2006-4508
OSVDB: 28276, 28277


SUMMARY

ScatterChat (http://www.scatterchat.com/) is an instant messaging project that aims to provide encryption and anonymity support with Tor to non-technical users such as human rights activists and political dissidents. Vulnerabilities were found in the external Tor program that is packaged with the Windows installer. This vulnerability allows a Tor entry node to route traffic through the client, or to cause a denial of service by crashing the Tor process with malformed input.

The impact of this vulnerability is low.


DETAILS

The official Tor advisory can be found at:

http://archives.seul.org/or/announce/Aug-2006/msg00001.html


IMPACT

The end-user impact of this issue is low. Should a malicious or compromised Tor entry node successfully exploit these issues, the local user's Tor process would crash, and/or the user's machine would route traffic to other Tor nodes. Routing unwanted traffic would cause bandwidth resources to be consumed as long as ScatterChat is running.


SOLUTION

All Windows users who employ ScatterChat's anonymity feature are strongly encouraged to upgrade to ScatterChat v1.0.2:

http://www.scatterchat.com/download/v1.0.2/scatterchat-1.0.2.exe
http://www.scatterchat.com/download/v1.0.2/scatterchat-1.0.2.exe.sig


CONTACT

J. Salvatore Testa II
jtesta--at--hacktivismo--dot--com
http://www.scatterchat.com/jtesta_2006.asc
3428 E58E 715E C37D 2AA7 C55E 97D1 DE8C 4B26 2B62

- - ----

A less technical summary of this advisory can be found at:

http://www.scatterchat.com/advisories/2006-02_non_tech.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE+iHXl9HejEsmK2IRAinIAKC9dHPNc+XJzcX4EeNXI2xilDxOFACfW9LG
qtJQVqTJoHgbb/vXCv0+sQo=
=mw1y
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
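
A check a reader could run on the two files listed under SOLUTION, as an added example that is not part of the original advisory or of ScatterChat's tooling: it accepts the installer only if gpg reports a valid signature from the fingerprint printed under CONTACT. That the installer is signed with that key, and that the key is already imported into the local keyring, are assumptions; the function names and the sample status line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ScatterChat's own tooling.
# Fingerprint as printed in the advisory's CONTACT section. Assumption: the
# installer's detached signature was made with this key.
EXPECTED_FPR="3428 E58E 715E C37D 2AA7 C55E 97D1 DE8C 4B26 2B62"

# Constructed sample of a `gpg --status-fd` line (date and timestamp fields are
# made up), used only to exercise the parser offline.
SAMPLE_STATUS="[GNUPG:] VALIDSIG 3428E58E715EC37D2AA7C55E97D1DE8C4B262B62 2006-09-02 1157245200 0 3 0 17 2 00 3428E58E715EC37D2AA7C55E97D1DE8C4B262B62"

# Reads gpg status lines on stdin. Succeeds only if a VALIDSIG line names the
# wanted fingerprint as the signing key (field 3) or the primary key (last field).
status_has_signer() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# verify_installer FILE SIG: a bad signature, a missing public key, or a good
# signature from any other key all fail, because none yields a matching VALIDSIG.
verify_installer() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_has_signer "$EXPECTED_FPR"
}

# Run as: sh verify.sh scatterchat-1.0.2.exe scatterchat-1.0.2.exe.sig
if [ "$#" -eq 2 ]; then
    if verify_installer "$1" "$2"; then
        echo "OK: valid signature from the expected key"
    else
        echo "FAIL: signature not verified against the expected key" >&2
        exit 1
    fi
fi
```

Matching on the full fingerprint in the machine-readable status output avoids trusting gpg's human-readable "Good signature" line, which is also printed for any other key present in the keyring.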