Jabberd2 C2S module buffer overflow

jabberd2-c2s-bo (18238): The risk level is classified as High Risk.

Description:

Jabberd2 is vulnerable to a buffer overflow in the C2S module. By sending a long username to Jabberd2, a remote attacker could overflow a buffer and execute arbitrary code or cause the server to crash.


Consequences:

Gain Access

Remedy:

Apply the patch for this vulnerability, as listed in the Full Disclosure Mailing List posting dated Tue Nov 23 2004 - 21:24:17 CST. See References.

References:

  • Full-Disclosure Mailing List, Tue Nov 23 2004 - 21:24:17 CST: Jabberd2.x remote Buffer Overflows.
  • Jabberd 2 Web site: jabberd project.
  • BID-11231: Jabber Studio JabberD Remote Denial Of Service Vulnerability
  • BID-11741: Jabber Server Multiple Remote Buffer Overflow Vulnerabilities
  • CVE-2004-0953: Buffer overflow in the C2S module in the open source Jabber 2.x server (Jabberd) allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long username.
  • CVE-2004-1378: The expat XML parser code, as used in the open source Jabber (jabberd) 1.4.3 and earlier, jadc2s 0.9.0 and earlier, and possibly other packages, allows remote attackers to cause a denial of service (application crash) via a malformed packet to a socket that accepts XML connections.
  • GLSA-200409-31: jabberd 1.x: Denial of Service vulnerability
  • OSVDB ID: 10257: Multiple Jabber Client Malformed Byte Sequence DoS
  • SA12636: jabberd / jadc2s XML Parsing Denial of Service Vulnerability
  • SECTRACK ID: 1011383: jabberd XML Parsing Bug Lets Remote Users Crash the Service
  • SECTRACK ID: 1011384: jadc2s XML Parsing Bug Lets Remote Users Crash the Service

Platforms Affected:

  • Gentoo Linux
  • jabberd project Jabberd 2.x

Reported:

Nov 23, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
