New Bug KESM in GoogleTalk
Hi!! My name is Nataly Lopez, I'm a 17 years old girl living in Venezuela; I
have always loved computer security because that's also my father's work.
Well, the reason for me to post this is for telling you about a bug in Google
Talk I discovered with my friend chris77 (#velug @ irc.freenode.net) this
afternoon.
Google Talk's excellent features allow the user to know when contacts send
mails without configuring any passports, etc., well, you know that. What's
really funny is: one can generate remote errors in the users' systems connected
to Google Talk, and thus creating a kind of DoS. So Google Talk stops working
if it has email notification enabled: it suffices to type this command in a
Linux shell (nail must be installed of course):
echo kill | nail -s Kill -r "" victim@xxxxxxxxx
This instruction is quite simple, and will send an email to the user being
connected to Google Talk from a certain "unknown sender", and as you can see,
GoogleTalk Windows client cannot notify <> is sending an email. Therefore, an
error windows appears on screen:
[ Google Talk encountered an internal error, and must now close. Ok to report
this error to Google? ]
[Yes] [No]
We called this bug KESM, which stands for "Killer Empty Sender Message" :) and
one can easily implement it into a loop, keeping the victim busy clicking on
the YES button and resetting his connection to Google Talk.
That's all for now folks :-)