SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Instant Messaging/IRC/Chat)  >   MSN Messenger Vendors:   Microsoft
MSN Messenger Protocol '.pif' Group Conversation Bug Lets Remote Users Deny Service
SecurityTracker Alert ID:  1014444
SecurityTracker URL:  http://securitytracker.com/id/1014444
CVE Reference:   CVE-2005-2225   (Links to External Site)
Updated:  Jun 15 2008
Original Entry Date:  Jul 11 2005
Impact:   Denial of service via network
Exploit Included:  Yes  

Description:   Diabolic Crab reported a vulnerability in the MSN Messenger protocol. A remote authenticated user can kick users out of a group conversation.

A remote authenticated user in a group conversation can send a plain text message containing the text ".pif" to kick all of the users in the conversation out of the conversation.

Additional information is available at:

http://www.messenger-blog.com/?p=146
Impact:   A remote authenticated user can kick users out of a group conversation.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Mon, 11 Jul 2005 00:54:33 +0530
Subject:  Msn Messenger Protocol has a vulnerability that allows kicking of all users in a group conversation.

X-SecurityTracker-Received: Mon, 11 Jul 2005 03:38:44 -0400

 http://www.digitalparadox.org/viewadvisories.ah?view=45

Msn Messenger Protocol has a vulnerability that allows kicking of all users in a group conversation.
Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.dbtech.org

Severity: High
Title: Msn Messenger Protocol has a vulnerability that allows kicking of all users in a group conversation.
Date: 10/07/2005

Details:

While in a group conversation, sending a plain text message containing ".pif" causes not just you, but all the users in
the conversation to be kicked. It also makes it impossible to figure out which one of the users has caused the "booting"
to take place.

You can read a article about this at, http://www.messenger-blog.com/

Also, a special thank you to TB regarding this issue, as he has taken on the job of further investigating it.

UPDATE: It also seems to work on gaim, and therefore is probably a msn server, or protocol issue.

Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com,
please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or
http://digitalparadox.org/. Lookout for my soon to come out book on Secure coding with php.
 

Sincerely,
Diabolic Crab


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC