Gadu-Gadu, another two bugs
From: Jaroslaw Sajko <sloik () man poznan pl>
Date: Fri, 17 Dec 2004 11:23:38 +0100 (CET)
Product: Gadu-Gadu, build 155 and older
Vendor: SMS-EXPRESS.COM (http://www.gadu-gadu.pl)
Impact: Script execution in local zone,
Authors: Blazej Miga <bla () man poznan pl>,
Jaroslaw Sajko <sloik () man poznan pl>
Gadu-Gadu is the first Polish instant messenger, used by ca. 3 million
people per month.
In addition to the last vulnerabilities there are two other
vulnerabilities in the build which was released after our last
Parsing error. We can send a malicious string which has a URL inside.
The code executes when the window with the message pops up, and it executes
in the LOCAL ZONE! This also works with older versions.
Send such a string to any recipient:
Because the default configuration in this build allows sending images,
we can send an image. There is a new feature, a loop checking the filename
for disallowed characters, but under some circumstances that loop is an
infinite loop. So, if an image name does not start with '..', '/', '\'
or '&#', the Gadu-Gadu application falls into an infinite loop, consumes
resources, and will no longer receive or send any message. So we have a
simple DoS (livelock).
Send any image (the filename must be a 'normal' filename) to your friend.
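The following is an added illustration of the bug class described above, not Gadu-Gadu's code: a filename-screening loop whose only exit path is "found a forbidden prefix", so a normal name spins forever, beside a version that always terminates. The forbidden prefixes ('..', '/', '\', '&#') are the ones the advisory lists; the function names, the step budget used to make the hang observable in a test, and the 64-byte length limit are assumptions made for the example.

```c
/*
 * Constructed example (not the vendor's code). Shows why a validation loop
 * must make progress on every iteration, and how to write one that does.
 */
#include <stdio.h>
#include <string.h>

/* Prefixes the advisory says the checker rejects. */
static const char *const FORBIDDEN_PREFIXES[] = { "..", "/", "\\", "&#" };
#define N_FORBIDDEN (sizeof FORBIDDEN_PREFIXES / sizeof FORBIDDEN_PREFIXES[0])

static int has_forbidden_prefix(const char *s)
{
    for (size_t i = 0; i < N_FORBIDDEN; i++) {
        size_t n = strlen(FORBIDDEN_PREFIXES[i]);
        if (strncmp(s, FORBIDDEN_PREFIXES[i], n) == 0)
            return 1;
    }
    return 0;
}

/*
 * Hypothetical reconstruction of the bug class: the loop re-examines the
 * same position until a forbidden prefix gives it a reason to leave.
 * max_steps is a budget added only so the hang can be shown in a test.
 * Returns 1 = rejected, 0 = accepted, -1 = budget exhausted (would spin).
 */
int check_filename_livelock(const char *name, unsigned max_steps)
{
    const char *p = name;
    for (unsigned step = 0; step < max_steps; step++) {
        if (has_forbidden_prefix(p))
            return 1;           /* the only exit inside the loop */
        /* Missing: advance p, or break to accept. A normal name spins here. */
    }
    return -1;                  /* never reached without the budget */
}

/*
 * Terminating version: the loop is bounded by the string length, every
 * iteration advances, and the decision is made in one pass.
 * Returns 1 = rejected, 0 = accepted.
 */
int check_filename_fixed(const char *name, size_t max_len)
{
    /* Bounded length check: reject empty names and names over max_len. */
    size_t len = 0;
    while (len <= max_len && name[len] != '\0')
        len++;
    if (len == 0 || len > max_len)
        return 1;

    if (has_forbidden_prefix(name))
        return 1;

    /* Separators, entity escapes and '..' anywhere in the name are rejected too. */
    for (size_t i = 0; i < len; i++) {
        if (name[i] == '/' || name[i] == '\\')
            return 1;
        if (name[i] == '&' && name[i + 1] == '#')
            return 1;
        if (name[i] == '.' && name[i + 1] == '.')
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *samples[] = { "photo.jpg", "../photo.jpg", "dir\\photo.jpg", "&#46;.jpg" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s livelock=%2d  fixed=%d\n", samples[i],
               check_filename_livelock(samples[i], 1000),
               check_filename_fixed(samples[i], 64));
    return 0;
}
```

The budgeted variant doubles as a regression test: any input on which the checker returns -1 is an input on which the real loop would never return, which is the livelock the advisory describes.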
Please upgrade to the newest build (build 156).
Full-Disclosure - We believe in it.