Security Basics mailing list archives

Re: Yahoo Messenger Stale Sessions


From: "Tat Wee Kan" <kan () hardware-one com>
Date: Tue, 12 Nov 2002 06:36:36 +0800

----- Original Message -----
From: <Leonard.Ong () nokia com>
To: <security-basics () securityfocus com>; <incidents () securityfocus com>;
<bugtraq () securityfocus com>
Sent: Monday, November 11, 2002 11:04 AM
Subject: Yahoo Messenger Stale Sessions


During my observation in daily use of Yahoo Messenger, my computer has
"stale/zombie" sessions.  For example, if I have received/messaged a friend,
Yahoo will normally make a direct connection from my PC to my friend.  From
the netstat result, you can see a high port on my computer is having an
Established session with my peer's :5101 port.

The issue is, after a contact has gone offline (dial-up), the state
established in the netstat will remain until the next day.  I would see this
as a vulnerability, since an arbitrary user can assume the IP address that was
used (dial-up->dynamic IP assignment), and use this established session to
assume it.

Any idea?

Hmm, I'm not an expert in this, but I do realize if the 4-way handshake for
terminating a connection is not done properly, e.g. the user switched off
his dial-up modem abruptly, it would cause the "stale/zombie" sessions
described above. The dial-up machine will not have the opportunity to
send the FIN to your machine.

You probably need to know the sequence number, source port, destination port
as well as source IP and destination IP (which you should know).
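The two halves of this thread, the half-open sessions the original poster sees in netstat and the missing FIN that Tat Wee Kan points to, translate into two defender-side checks: list the ESTABLISHED sessions to a peer's 5101 port so they can be compared against who is actually online, and turn on TCP keepalive so the local stack probes a silent peer and tears the session down itself instead of waiting for a FIN that never comes. The following is an added example, not code from either poster; the netstat text is a constructed sample in the Windows `netstat -an` layout using documentation IP ranges, and the keepalive timer names are the Linux socket options (set only where the platform exposes them).

```python
import re
import socket
from dataclasses import dataclass
from typing import List

# Constructed sample of `netstat -an` output (Windows layout); not captured from
# the original poster's machine. 192.0.2.x, 198.51.100.x and 203.0.113.x are
# documentation address ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:1047        198.51.100.7:5101      ESTABLISHED
  TCP    192.0.2.10:1052        198.51.100.23:5050     ESTABLISHED
  TCP    192.0.2.10:1061        203.0.113.9:5101       ESTABLISHED
  TCP    192.0.2.10:5101        0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1070        203.0.113.40:80        TIME_WAIT
"""

YAHOO_DIRECT_PORT = 5101  # the peer-to-peer port named in the thread

LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)"
)


@dataclass(frozen=True)
class TcpSession:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def parse_netstat(text: str) -> List[TcpSession]:
    """Parse the TCP rows of netstat -an style output; header and non-TCP rows are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions.append(TcpSession(m["lip"], int(m["lport"]),
                                       m["rip"], int(m["rport"]), m["state"]))
    return sessions


def suspicious_direct_sessions(sessions: List[TcpSession],
                               peer_port: int = YAHOO_DIRECT_PORT) -> List[TcpSession]:
    """ESTABLISHED sessions from a local high port to a peer's messenger port: the
    pattern the original poster describes. netstat cannot show how long a session has
    been idle, so the result is the set to compare against the contacts actually online."""
    return [s for s in sessions
            if s.state == "ESTABLISHED"
            and s.remote_port == peer_port
            and s.local_port >= 1024]


def enable_keepalive(sock: socket.socket, idle: int = 60,
                     interval: int = 10, count: int = 3) -> bool:
    """Make the TCP stack probe an idle peer, so a host that vanished without sending a
    FIN is detected and the socket closed instead of staying ESTABLISHED indefinitely.
    The per-socket timers (TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT) are Linux names; on
    platforms without them only the system-wide default applies. Returns True when
    SO_KEEPALIVE is on."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


def keepalive_demo() -> bool:
    """Open an unconnected TCP socket, enable keepalive on it and report the result."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return enable_keepalive(sock)
    finally:
        sock.close()


if __name__ == "__main__":
    for s in suspicious_direct_sessions(parse_netstat(SAMPLE_NETSTAT)):
        print(f"ESTABLISHED {s.local_ip}:{s.local_port} -> {s.remote_ip}:{s.remote_port}")
    print("keepalive enabled:", keepalive_demo())
```

Keepalive only helps on sockets the application itself opens, so for a closed-source client like the one in the thread the equivalent control is the operating system's global keepalive setting, and the netstat comparison remains the way to notice sessions that should have gone away.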
