exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Dec 31, 2004
Authored by Maciej Soltysiak | Site soltysiak.com

It is possible to remotely conduct a denial of service attack on a Gadu-Gadu client by sending special crafted messages several times. All versions up to 6.1 build 156 are affected.

tags | advisory, denial of service
SHA-256 | 319325bba63d3c3846e86ffd415a85985e53bf73e9be51eb8dbf0c244dca4f6a


Change Mirror Download
Product:        Gadu-Gadu,
all available versions including the latest (6.1 build156)
Vendor: SMS-EXPRESS.COM (http://www.gadu-gadu.pl)
Impact: Remote Denial of Service
Severity: Important
Author: Maciej Soltysiak <maciej@soltysiak.com>
Advisory: http://www.soltysiak.com/gg-dos.txt


It is possible to remotely conduct a DoS attack on a Gadu-Gadu client by
sending special crafted messages several times. The application hangs in
most cases and all is left is to kill the process.
This is propably due to the way the program displays the images.


By sending simple messages to the client that contain a huge amount of well
known strings that are converted to images (ie. "!!" converted to an
animating exclamation mark or "<glaszcze>" converted to an animated
emoticon) one is able to cause Gadu-Gadu to hang and the user to kill the

As long as the attacker's uin is not on the victim's blocked list the
attacker is free to expoit the vulnerability. This means that creating
new users just to wreck havoc among Gadu-Gadu users would be very


The C proof of concept code is available at http://www.soltysiak.com/ggkill.c


There is little that users can do about this remote DoS. It is not required
for the attacker to be in the victim's contact list, no other options limit
the functionality that causes this DoS (like dcc, image size, proxys)

Until the vendor releases a fixed version I recommend the users enable the
option that lets us not to show messages from users outside our contact
list. This option is called "Nie pokazuj wiadomosci od nieznajomych" and
is available in a couple of latest versions of Gadu-Gadu 6

This way if we do not know the attacker, we are safe, the messages will
be blocked.


Vendor has been informed about these bugs.
Have a nice day.

Copyright 2004, Maciej Soltysiak. All rights reserved.

Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    9 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By