Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Goatse Security EMERGENCY RELEASE - RAMPANT VULNERABILITY SPREADING LIKE WILDFIRE

From: Laurelai Storm <laurelai () oneechan org>
Date: Tue, 21 Jun 2011 21:31:34 -0500
this vulnerability is very old

On Tue, Jun 21, 2011 at 4:12 PM, DiKKy Heartiez
<dikkyheartiez () hotmail com>wrote:


 We've just stumbled upon a few dangerous exploits which can be used in
conjunction to wreak havoc in online chatrooms, which could potentially be
very dangerous.


Home routers running VXWorks, such as the Netgear 614, 624, and Linksys
WRT54G v5 routers, allow remote attackers to cause a denial of service by
sending a malformed DCC SEND string to an IRC channel, which causes an IRC
connection reset, possibly related to the masquerading code for NAT
environments, and as demonstrated via (1) a DCC SEND with a single long
argument, or (2) a DCC SEND with IP, port, and filesize arguments with a 0
value.


Using such a string as


\001DCC SEND "hello.jpg" 0 0 0


would exploit this flaw.


This exploit is exacerbated by a buffer overflow vulnerability in mIRC
version 6.12 whereby using filename longer than fourteen characters will
cause the client to crash.  By combining these two flaws, we get


\001DCC SEND "loljewsdidwtc.jpg" 0 0 0


which will cause a Denial of Service condition in a minimum of four
products.


This would be bad enough, however users of Norton's Personal Firewall
product are faced with even more risk.  Symantec generally makes the BEST
security products on the market and we are very surprised that this slipped
through.  Norton's Personal Firewall will drop a connection if it detects
the string "startkeylogger" or "stopkeylogger" in incoming data.  This is to
prevent the spread of the new Spybot worm but also has unintended
consequences.  By using the string


\001DCC SEND "startkeylogger" 0 0 0


a Denial of Service condition is created on multiple hardware routers and
multiple software products.  Such exploits have been seen running rampant in
channels such as #lulzsec, #anonops, #ix, #nanog, #2600, and #phonelosers.
 Please be wary of any chats from unknown parties, and keep your software up
to date.  We will update you more as this situation unfolds.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: