Product:  Gadu-Gadu, all available versions including the latest (6.1 build156)
Vendor:   SMS-EXPRESS.COM (http://www.gadu-gadu.pl)
Impact:   Remote Denial of Service
Severity: Important
Author:   Maciej Soltysiak
Advisory: http://www.soltysiak.com/gg-dos.txt

[ISSUE]

It is possible to remotely conduct a DoS attack on a Gadu-Gadu client by sending specially crafted messages several times. The application hangs in most cases and all that is left is to kill the process. This is probably due to the way the program displays the images.

[DETAILS]

By sending simple messages to the client that contain a huge number of well-known strings that are converted to images (i.e. "!!" converted to an animated exclamation mark or "" converted to an animated emoticon) one is able to cause Gadu-Gadu to hang, forcing the user to kill the program.

As long as the attacker's UIN is not on the victim's blocked list, the attacker is free to exploit the vulnerability. This means that creating new users just to wreak havoc among Gadu-Gadu users would be very effective.

[POC]

The C proof of concept code is available at http://www.soltysiak.com/ggkill.c

[ADVISORY]

There is little that users can do about this remote DoS. The attacker does not need to be in the victim's contact list, and no other options (such as DCC, image size, or proxies) limit the functionality that causes this DoS.

Until the vendor releases a fixed version, I recommend that users enable the option that hides messages from users outside the contact list. This option is called "Nie pokazuj wiadomosci od nieznajomych" and is available in the last couple of versions of Gadu-Gadu 6. This way, if we do not know the attacker, we are safe: the messages will be blocked.

[SUMMARY]

Vendor has been informed about these bugs.

Have a nice day.

Copyright 2004, Maciej Soltysiak. All rights reserved.
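
A client-side cap on image expansions of the kind that would blunt the flood described in [DETAILS], shown as an added example that is not part of the original advisory and is not Gadu-Gadu code. The trigger list, the cap value and the function names are assumptions; only "!!" comes from the advisory.

```c
#include <stddef.h>
#include <string.h>

/* Constructed trigger list: "!!" is the string named in the advisory;
 * ":)" is a placeholder standing in for any other emoticon shortcut. */
static const char *const TRIGGERS[] = { "!!", ":)" };
#define NUM_TRIGGERS (sizeof TRIGGERS / sizeof TRIGGERS[0])

/* Assumed policy value, not taken from the product. */
#define MAX_IMAGES_PER_MESSAGE 20

/* Count non-overlapping trigger matches, scanning left to right.
 * Returns as soon as the count exceeds `limit`, so an oversized
 * message is never scanned (or rendered) in full. */
size_t count_image_triggers(const char *msg, size_t len, size_t limit)
{
    size_t count = 0, i = 0;

    while (i < len) {
        size_t matched = 0;
        for (size_t t = 0; t < NUM_TRIGGERS; t++) {
            size_t tl = strlen(TRIGGERS[t]);
            if (tl <= len - i && memcmp(msg + i, TRIGGERS[t], tl) == 0) {
                matched = tl;
                break;
            }
        }
        if (matched) {
            if (++count > limit)
                return count;          /* over the cap: stop early */
            i += matched;
        } else {
            i++;
        }
    }
    return count;
}

/* 1: message may be rendered with images.
 * 0: too many expansions, display it as plain text instead. */
int render_with_images(const char *msg, size_t len)
{
    return count_image_triggers(msg, len, MAX_IMAGES_PER_MESSAGE)
           <= MAX_IMAGES_PER_MESSAGE;
}
```

The check runs on the raw message before any text-to-image conversion, so a message over the cap costs one bounded scan and is shown as text rather than dropped.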