Debian Bug report logs - #557754
amsn: CVE-2006-0138 denial-of-services

Package: amsn; Maintainer for amsn is Vivia Nikolaidou <n.vivia@gmail.com>; Source for amsn is src:amsn.

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Tue, 24 Nov 2009 05:36:01 UTC

Severity: important

Tags: security

Found in version amsn/0.98.1-1

Fixed in version amsn/0.98.9-1

Forwarded to https://sourceforge.net/tracker/?func=detail&aid=2921641&group_id=54091&atid=472655



Report forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammarelkhatib@gmail.com>:
Bug#557754; Package amsn. (Tue, 24 Nov 2009 05:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Muammar El Khatib <muammarelkhatib@gmail.com>. (Tue, 24 Nov 2009 05:36:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: amsn: CVE-2006-0138 denial-of-services
Date: Tue, 24 Nov 2009 00:33:59 -0500
Package: amsn
Version: 0.98.1-1
Severity: important
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) ids were
published quite a while ago for amsn.  Please check whether these
issues still exist.  If so, you may want to issue proposed-updates for
the stable releases.

CVE-2006-0138[0]:
| aMSN (aka Alvaro's Messenger) allows remote attackers to cause a
| denial of service (client hang and termination of client's
| instant-messaging session) by repeatedly sending crafted data to the
| default file-transfer port (TCP 6891).

CVE-2007-2195[1]:
| aMSN (aka Alvaro's Messenger) 0.96 and earlier allows remote attackers
| to cause a denial of service (application crash) by sending invalid
| data to TCP port 31337.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0138
    http://security-tracker.debian.org/tracker/CVE-2006-0138
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2195
    http://security-tracker.debian.org/tracker/CVE-2007-2195




Severity set to 'grave' from 'important' Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Sat, 26 Dec 2009 16:18:02 GMT) Full text and rfc822 format available.

Set Bug forwarded-to-address to 'https://sourceforge.net/tracker/?func=detail'. Request was from muammar@proyectociencia.org (Muammar El Khatib) to control@bugs.debian.org. (Sun, 27 Dec 2009 19:00:03 GMT) Full text and rfc822 format available.

Changed Bug forwarded-to-address to 'https://sourceforge.net/tracker/?func=detail&aid=2921641&group_id=54091&atid=472655' from 'https://sourceforge.net/tracker/?func=detail' Request was from muammar@proyectociencia.org (Muammar El Khatib) to control@bugs.debian.org. (Sun, 27 Dec 2009 19:06:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#557754; Package amsn. (Tue, 05 Jan 2010 13:36:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Muammar El Khatib <muammarelkhatib@gmail.com>:
Extra info received and forwarded to list. (Tue, 05 Jan 2010 13:36:10 GMT) Full text and rfc822 format available.

Message #16 received at 557754@bugs.debian.org (full text, mbox):

From: Muammar El Khatib <muammarelkhatib@gmail.com>
To: 557754@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services
Date: Tue, 5 Jan 2010 09:04:30 -0430
Hi Michael,

On Tue, Nov 24, 2009 at 1:03 AM, Michael Gilbert
<michael.s.gilbert@gmail.com> wrote:
> Package: amsn
> Version: 0.98.1-1
> Severity: important
> Tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) ids were
> published quite a while ago for amsn.  Please check whether these
> issues still exist.  If so, you may want to issue proposed-updates for
> the stable releases.
>
> CVE-2006-0138[0]:
> | aMSN (aka Alvaro's Messenger) allows remote attackers to cause a
> | denial of service (client hang and termination of client's
> | instant-messaging session) by repeatedly sending crafted data to the
> | default file-transfer port (TCP 6891).
>

I have confirmed this one. And a screenshot can be found attached to this mail.

> CVE-2007-2195[1]:
> | aMSN (aka Alvaro's Messenger) 0.96 and earlier allows remote attackers
> | to cause a denial of service (application crash) by sending invalid
> | data to TCP port 31337.
>

This second one seems to not be valid. When I execute the exploit,
which was written in Python, I get this:
muammar@obey:~/src/main/programs/amsn/amsn-0.98.1$ python 23583.py

Traceback (most recent call last):
  File "23583.py", line 8, in <module>
    s.connect((HOST, PORT))
  File "<string>", line 1, in connect
socket.error: (111, 'Connection refused')

It seems that aMSN is not opening that port at any time. I probed with
other ports which were open but nothing happened. Anyways, I am trying
to see if this can be reproduced. At least I can say for sure that the
first one still exists.

> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0138
>    http://security-tracker.debian.org/tracker/CVE-2006-0138
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2195
>    http://security-tracker.debian.org/tracker/CVE-2007-2195

I have forwarded this bug upstream. Thanks for reporting.

Regards
-- 
Muammar El Khatib.
Linux user: 403107.
GPG Key = 127029F1
http://muammar.me | http://proyectociencia.org
  ,''`.
 : :' :
 `. `'
   `-
[cve-2006-0138.png (image/png, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammarelkhatib@gmail.com>:
Bug#557754; Package amsn. (Sun, 24 Jan 2010 08:27:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kees Cook <kees@debian.org>:
Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammarelkhatib@gmail.com>. (Sun, 24 Jan 2010 08:27:02 GMT) Full text and rfc822 format available.

Message #21 received at 557754@bugs.debian.org (full text, mbox):

From: Kees Cook <kees@debian.org>
To: 557754@bugs.debian.org
Subject: updates
Date: Sun, 24 Jan 2010 00:22:19 -0800
severity 557754 important
thanks

Both of these issues are denials of service, so I'm reducing severity
to "important".  Additionally, upstream seems to indicate in their bug
report that CVE-2007-2195 does not exist any more.

-- 
Kees Cook                                            @debian.org




Severity set to 'important' from 'grave' Request was from Kees Cook <kees@debian.org> to control@bugs.debian.org. (Sun, 24 Jan 2010 08:27:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammar@debian.org>:
Bug#557754; Package amsn. (Tue, 13 Dec 2011 17:06:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammar@debian.org>. (Tue, 13 Dec 2011 17:06:07 GMT) Full text and rfc822 format available.

Message #28 received at 557754@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Muammar El Khatib <muammarelkhatib@gmail.com>
Cc: 557754@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services
Date: Tue, 13 Dec 2011 18:01:58 +0100
On Tue, Jan 05, 2010 at 09:04:30AM -0430, Muammar El Khatib wrote:
> Hi Michael,
> 
> On Tue, Nov 24, 2009 at 1:03 AM, Michael Gilbert
> <michael.s.gilbert@gmail.com> wrote:
> > Package: amsn
> > Version: 0.98.1-1
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following CVE (Common Vulnerabilities & Exposures) ids were
> > published quite a while ago for amsn.  Please check whether these
> > issues still exist.  If so, you may want to issue proposed-updates for
> > the stable releases.
> >
> > CVE-2006-0138[0]:
> > | aMSN (aka Alvaro's Messenger) allows remote attackers to cause a
> > | denial of service (client hang and termination of client's
> > | instant-messaging session) by repeatedly sending crafted data to the
> > | default file-transfer port (TCP 6891).
> >
> 
> I have confirmed this one. And a screenshot can be found attached to this mail.

What's the status?

Has this been fixed in the last approx. two years?

Cheers,
        Moritz
       




Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammar@debian.org>:
Bug#557754; Package amsn. (Tue, 13 Dec 2011 17:15:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Muammar El Khatib <muammarelkhatib@gmail.com>:
Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammar@debian.org>. (Tue, 13 Dec 2011 17:15:06 GMT) Full text and rfc822 format available.

Message #33 received at 557754@bugs.debian.org (full text, mbox):

From: Muammar El Khatib <muammarelkhatib@gmail.com>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 557754@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services
Date: Tue, 13 Dec 2011 18:11:23 +0100
On Tue, Dec 13, 2011 at 18:01, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> On Tue, Jan 05, 2010 at 09:04:30AM -0430, Muammar El Khatib wrote:
>> Hi Michael,
>>
>> On Tue, Nov 24, 2009 at 1:03 AM, Michael Gilbert
>> <michael.s.gilbert@gmail.com> wrote:
>> > Package: amsn
>> > Version: 0.98.1-1
>> > Severity: important
>> > Tags: security
>> >
>> > Hi,
>> >
>> > The following CVE (Common Vulnerabilities & Exposures) ids were
>> > published quite a while ago for amsn.  Please check whether these
>> > issues still exist.  If so, you may want to issue proposed-updates for
>> > the stable releases.
>> >
>> > CVE-2006-0138[0]:
>> > | aMSN (aka Alvaro's Messenger) allows remote attackers to cause a
>> > | denial of service (client hang and termination of client's
>> > | instant-messaging session) by repeatedly sending crafted data to the
>> > | default file-transfer port (TCP 6891).
>> >
>>
>> I have confirmed this one. And a screenshot can be found attached to this mail.
>
> What's the status?
>

Upstream seems to not care about it.

> Has this been fixed in the last approx. two years?
>

No, it has not... I am not sure I'd be able to fix this by myself, btw.


-- 
Muammar El Khatib.
Linux user: 403107.
GPG Key = 127029F1
http://muammar.me | http://proyectociencia.org
  ,''`.
 : :' :
 `. `'
   `-




Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammar@debian.org>:
Bug#557754; Package amsn. (Tue, 13 Dec 2011 17:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammar@debian.org>. (Tue, 13 Dec 2011 17:27:03 GMT) Full text and rfc822 format available.

Message #38 received at 557754@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Muammar El Khatib <muammarelkhatib@gmail.com>, 557754@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services
Date: Tue, 13 Dec 2011 18:21:39 +0100
Hi,
* Muammar El Khatib <muammarelkhatib@gmail.com> [2011-12-13 18:16]:
> On Tue, Dec 13, 2011 at 18:01, Moritz Muehlenhoff <jmm@inutil.org> wrote:
[...] 
> >> I have confirmed this one. And a screenshot can be found attached to this mail.
> >
> > What's the status?
> >
> 
> Upstream seems to not care about it.
> 
> > Has this been fixed in the last approx. two years?
> >
> 
> No, it has not... I am not sure I'd be able to fix this by myself, btw.

Given the number of instant messaging clients in the archive, what about 
removing amsn? I doubt it would stand a serious audit anyway and given that it 
is written in tcl, I also doubt it can be properly maintained by anyone who is 
not the upstream.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammar@debian.org>:
Bug#557754; Package amsn. (Tue, 13 Dec 2011 17:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Muammar El Khatib <muammarelkhatib@gmail.com>:
Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammar@debian.org>. (Tue, 13 Dec 2011 17:33:03 GMT) Full text and rfc822 format available.

Message #43 received at 557754@bugs.debian.org (full text, mbox):

From: Muammar El Khatib <muammarelkhatib@gmail.com>
To: Nico Golde <nion@debian.org>
Cc: 557754@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services
Date: Tue, 13 Dec 2011 18:29:11 +0100
On Tue, Dec 13, 2011 at 18:21, Nico Golde <nion@debian.org> wrote:
> Hi,
> * Muammar El Khatib <muammarelkhatib@gmail.com> [2011-12-13 18:16]:
>> On Tue, Dec 13, 2011 at 18:01, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> [...]
>> >> I have confirmed this one. And a screenshot can be found attached to this mail.
>> >
>> > What's the status?
>> >
>>
>> Upstream seems to not care about it.
>>
>> > Has this been fixed in the last approx. two years?
>> >
>>
>> No, it has not... I am not sure I'd be able to fix this by myself, btw.
>
> Given the number of instant messaging clients in the archive, what about
> removing amsn? I doubt it would stand a serious audit anyway and given that it
> is written in tcl, I also doubt it can be properly maintained by anyone who is
> not the upstream.

That's right. There are many IM clients out there. I don't have a strong
opinion on removing aMSN. What I don't know is if it will not
like/will affect to the users of it (given the statistics in popcon).

On the other hand, I have read on the webpage of aMSN that they plan
to release (some day) a version based on Python. I have already tested
such a version, and it is not in that good shape still.

Finally, I am inclined to accept whichever is better for Debian,
whether that is removing aMSN or not.

Regards,

-- 
Muammar El Khatib.
Linux user: 403107.
GPG Key = 127029F1
http://muammar.me | http://proyectociencia.org
  ,''`.
 : :' :
 `. `'
   `-




Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammar@debian.org>:
Bug#557754; Package amsn. (Thu, 15 Dec 2011 23:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammar@debian.org>. (Thu, 15 Dec 2011 23:21:03 GMT) Full text and rfc822 format available.

Message #48 received at 557754@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 557754@bugs.debian.org
Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services
Date: Thu, 15 Dec 2011 18:19:27 -0500
> That's right. There are many IM clients out there. I don't have a strong
> opinion on removing aMSN. What I don't know is if it will not
> like/will affect to the users of it (given the statistics in popcon).
>
> On the other hand, I have read on the webpage of aMSN that they plan
> to release (some day) a version based on Python. I have already tested
> such a version, and it is not in that good shape still.
>
> Finally, I am inclined to accept whichever is better for Debian,
> whether that is removing aMSN or not.

Please submit a bug against pseudo package ftp.debian.org requesting
removal of your package.

Thanks,
Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammarelkhatib@gmail.com>:
Bug#557754; Package amsn. (Tue, 05 Jun 2012 15:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Armin K." <krejzi@email.com>:
Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammarelkhatib@gmail.com>. (Tue, 05 Jun 2012 15:42:03 GMT) Full text and rfc822 format available.

Message #53 received at 557754@bugs.debian.org (full text, mbox):

From: "Armin K." <krejzi@email.com>
To: 557754@bugs.debian.org
Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services
Date: Tue, 05 Jun 2012 17:32:56 +0200
On my system the CVE-2006-0138 is not present. I've tried using default 
STARTING file transfer port (6891) and it said that connection was 
refused. Then I found out that my amsn is listening on another port. I 
tried that port too, data were sent, but amsn didn't crash nor disconnect.

tcp        0      0 0.0.0.0:61152           0.0.0.0:*               LISTEN      10969/wish

I used this script when I tested this issue 
http://www.securiteam.com/exploits/5JP090KHFQ.html

Also, my aMSN is 0.98.9 05/23/2012 so I guess it was fixed within 0.98.4 
- 0.98.9 ... Can aMSN be put back into book? It is as far the best MSN 
only client available for Linux. (Emesene 1.63 was good too, but it does 
not work anymore for me)
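
Added example, not part of the original message and not aMSN or Debian code: the message above shows that the file-transfer listener need not sit on the default port 6891, so an exposure check has to enumerate every listening socket owned by the process rather than probe one port. The sketch below parses `netstat -tlnp`-style text; the sample input is constructed (only the `wish` line on port 61152 comes from the report), and matching on the program name `wish` is an assumption taken from that line.

```python
# Ports named in the two CVE descriptions quoted in this bug log.
CVE_PORTS = {6891: "CVE-2006-0138", 31337: "CVE-2007-2195"}
WILDCARDS = {"0.0.0.0", "::", "*"}

# Constructed sample of `netstat -tlnp` output. Only the wish line on
# port 61152 is taken from the report; every other line is made up.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 0.0.0.0:61152           0.0.0.0:*               LISTEN      10969/wish
tcp        0      0 0.0.0.0:6891            0.0.0.0:*               LISTEN      10969/wish
tcp6       0      0 :::22                   :::*                    LISTEN      -
"""


def parse_listeners(text):
    """Return one dict per TCP socket in LISTEN state."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # banner, column header, or non-TCP line
        if fields[5] != "LISTEN":
            continue
        # rpartition keeps IPv6 addresses such as ":::22" intact.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # The owner column is "-" when netstat runs without privileges.
        owner = fields[6] if len(fields) > 6 else "-"
        pid, _, program = owner.partition("/")
        sockets.append({
            "addr": addr.strip("[]"),
            "port": int(port),
            "pid": int(pid) if pid.isdigit() else None,
            "program": program or None,
        })
    return sockets


def audit(text, program="wish"):
    """List listeners owned by `program`, sorted by port.

    `exposed` is True when the socket is bound to a wildcard address,
    `cve` names the CVE whose description mentions that port, if any.
    """
    findings = []
    for sock in parse_listeners(text):
        # Prefix match: netstat may show e.g. "wish8.5" or truncate names.
        if not (sock["program"] or "").startswith(program):
            continue
        findings.append({
            "port": sock["port"],
            "pid": sock["pid"],
            "exposed": sock["addr"] in WILDCARDS,
            "cve": CVE_PORTS.get(sock["port"]),
        })
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A listener with `cve` set to `None` but `exposed` set to `True` is still worth reviewing, since the report shows the service moving off the default port.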




Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammarelkhatib@gmail.com>:
Bug#557754; Package amsn. (Tue, 10 Jul 2012 14:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammarelkhatib@gmail.com>. (Tue, 10 Jul 2012 14:36:04 GMT) Full text and rfc822 format available.

Message #58 received at 557754@bugs.debian.org (full text, mbox):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
To: "557754@bugs.debian.org" <557754@bugs.debian.org>
Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services
Date: Tue, 10 Jul 2012 15:33:44 +0100 (BST)

Hi everybody, please look at [1]: the new amsn 0.98.9 fixes those vulnerabilities, so can you please consider adding amsn back?


thanks
[1] http://sourceforge.net/mailarchive/forum.php?thread_name=CAO3MEfCKyEDFo%2BFuwkFepb2akUgMKVdvmNU9UsF%2B6kUdV0zxnw%40mail.gmail.com&forum_name=amsn-devel

Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammarelkhatib@gmail.com>:
Bug#557754; Package amsn. (Tue, 10 Jul 2012 15:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammarelkhatib@gmail.com>. (Tue, 10 Jul 2012 15:36:04 GMT) Full text and rfc822 format available.

Message #63 received at 557754@bugs.debian.org (full text, mbox):

From: Steven Chamberlain <steven@pyro.eu.org>
To: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>, 557754@bugs.debian.org
Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services
Date: Tue, 10 Jul 2012 16:32:54 +0100
Hi,

Someone already tried, but there were packaging issues which means it
wasn't accepted yet.  In fact (quoting from the reviewer's reasons for
rejection) :

> This package is
> not suitable for inclusion in the archive, not until it has been
> pretty much redone from scratch.
> 
> Especially so, because this is a reintroduction attempt of something
> that has been removed on request of QA.

Even if all this can be done, it would be too late to be included in the
Wheezy release unfortunately.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org




Marked as fixed in versions amsn/0.98.9-1. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Wed, 07 Nov 2012 22:00:07 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 03:19:33 2014; Machine Name: beach.debian.org
