LAN Messenger v1.2.28 - Persistent Software Vulnerability

2012-05-16T00:00:00
ID 1337DAY-ID-18281
Type zdt
Reporter Benjamin K.M.
Modified 2012-05-16T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            Title:
======
LAN Messenger v1.2.28 - Persistent Software Vulnerability

Common Vulnerability Scoring System:
====================================
7.5


Introduction:
=============
LAN Messenger is a free and open source cross-platform instant messaging application for communication over a 
local network. It does not require a server. A number of useful features including event notifications, file transfer 
and message logging are provided.

(Copy of the Website: http://lanmsngr.sourceforge.net )

Details:
========
A persistent software vulnerability is detected in in LAN Messenger v1.2.28. The bug is located in the profile display 
& nickname validation of the software. The vulnerability allows an attacker (remote) to implement own malicious script codes as 
profile. The code is getting executed when the attacker writes the victim a message. The vulnerable nickname input is getting 
executed as output of the messagebox when processing to write a message. Successful exploitation can lead in persistent hijacking, 
external malicious redirects, persistent script code execution to compromise the connected network client system.

Vulnerable Module(s):
				[+] Username as seen by Contacts - Messagebox Display & Input

Risk:
=====
The security risk of the persistent remote web vulnerability is estimated as high.



#  0day.today [2018-04-08]  #