[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Goatse Security EMERGENCY RELEASE - RAMPANT VULNERABILITY SPREADING LIKE WILDFIRE

No shit.

========================================================
Leon Kaiser      - Head of GNAA Public Relations -
        literalka@xxxxxxx || literalka@xxxxxxxxx
       http://gnaa.eu || http://security.goatse.fr
      7BEECD8D FCBED526 F7960173 459111CE F01F9923
"The mask of anonymity is not intensely constructive."
       -- Andrew "weev" Auernheimer
========================================================
On Tue, 2011-06-21 at 21:31 -0500, Laurelai Storm wrote:

> this vulnerability is very old
> 
> 
> On Tue, Jun 21, 2011 at 4:12 PM, DiKKy Heartiez
> <dikkyheartiez@xxxxxxxxxxx> wrote:
> 
>         We've just stumbled upon a few dangerous exploits which can be
>         used in conjunction to wreak havoc in online chatrooms, which
>         could potentially be very dangerous.
>         
>         
>         Home routers running VXWorks, such as the Netgear 614, 624,
>         and Linksys WRT54G v5 routers, allow remote attackers to cause
>         a denial of service by sending a malformed DCC SEND string to
>         an IRC channel, which causes an IRC connection reset, possibly
>         related to the masquerading code for NAT environments, and as
>         demonstrated via (1) a DCC SEND with a single long argument,
>         or (2) a DCC SEND with IP, port, and filesize arguments with a
>         0 value.
>         
>         
>         Using such a string as 
>         
>         
>         \001DCC SEND "hello.jpg" 0 0 0
>         
>         
>         would exploit this flaw.
>         
>         
>         This exploit is exacerbated by a buffer overflow vulnerability
>         in mIRC version 6.12 whereby using filename longer than
>         fourteen characters will cause the client to crash.  By
>         combining these two flaws, we get
>         
>         
>         \001DCC SEND "loljewsdidwtc.jpg" 0 0 0
>         
>         
>         which will cause a Denial of Service condition in a minimum of
>         four products.
>         
>         
>         This would be bad enough, however users of Norton's Personal
>         Firewall product are faced with even more risk.  Symantec
>         generally makes the BEST security products on the market and
>         we are very surprised that this slipped through.  Norton's
>         Personal Firewall will drop a connection if it detects the
>         string "startkeylogger" or "stopkeylogger" in incoming data.
>          This is to prevent the spread of the new Spybot worm but also
>         has unintended consequences.  By using the string
>         
>         
>         \001DCC SEND "startkeylogger" 0 0 0
>         
>         
>         a Denial of Service condition is created on multiple hardware
>         routers and multiple software products.  Such exploits have
>         been seen running rampant in channels such as #lulzsec,
>         #anonops, #ix, #nanog, #2600, and #phonelosers.  Please be
>         wary of any chats from unknown parties, and keep your software
>         up to date.  We will update you more as this situation
>         unfolds.
>         
>         
>         
>         
>         _______________________________________________
>         Full-Disclosure - We believe in it.
>         Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>         Hosted and sponsored by Secunia - http://secunia.com/
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/