CVE-2002-0741
Description
psyBNC 2.3 allows remote attackers to cause a denial of service (CPU consumption and resource exhaustion) by sending a PASS command with a long password argument and quickly killing the connection, which is not properly terminated by psyBNC.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"psyBNC does not properly terminate connections after a denial of service attack, leading to resource exhaustion."
Attack vector
An unauthenticated remote attacker can send a PASS command with a very long password argument to the psyBNC server and then immediately kill the connection. The server fails to terminate that connection properly, which leads to CPU consumption and resource exhaustion [ref_id=1]. The vulnerability affects psyBNC versions 2.3, 2.2.1, and 2.1.1 [ref_id=1].
Affected code
The vulnerability is related to the handling of the PASS command and subsequent connection termination. The reference write-up indicates that psyBNC versions up to and including 2.3 are affected [ref_id=1]. Specifically, the issue arises when the server fails to properly terminate a connection after receiving a long password argument and the client quickly disconnects.
What the fix does
The advisory does not provide information about a patch or specific remediation steps. However, it implies that the issue stems from improper connection termination after the attack. The vendor or security community would need to implement logic to ensure connections are fully closed and resources are released even when the client disconnects abruptly after sending a malformed or oversized command.
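The logic described above, as an added example (not psyBNC's code and not a fix from the advisory): a per-connection read routine that caps line length and releases the descriptor on EOF, error, or an oversized line. The names `struct conn`, `conn_release`, `conn_service` and the `MAX_LINE` value are assumptions made for illustration.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_LINE 512   /* assumed cap; IRC messages are at most 512 bytes with CR-LF */

struct conn {          /* hypothetical per-client state */
    int    fd;         /* -1 once the connection has been released */
    size_t used;       /* bytes of an unfinished line held in buf */
    char   buf[MAX_LINE];
};

/* Close the socket and reset state so the slot is never polled again. */
static void conn_release(struct conn *c)
{
    if (c->fd >= 0)
        close(c->fd);
    c->fd = -1;
    c->used = 0;
}

/* Call when c->fd is readable. Returns the number of complete lines consumed,
 * or -1 if the connection was released (EOF, hard error, or oversized line). */
int conn_service(struct conn *c)
{
    ssize_t n = read(c->fd, c->buf + c->used, sizeof c->buf - c->used);
    if (n == 0) { conn_release(c); return -1; }      /* peer closed: free it now */
    if (n < 0) {
        if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR)
            return 0;                                 /* transient: retry later */
        conn_release(c);                              /* e.g. ECONNRESET */
        return -1;
    }
    c->used += (size_t)n;

    int lines = 0;
    char *nl;
    while ((nl = memchr(c->buf, '\n', c->used)) != NULL) {
        size_t len = (size_t)(nl - c->buf) + 1;
        /* a real server would dispatch the command in buf[0..len) here */
        memmove(c->buf, c->buf + len, c->used - len);
        c->used -= len;
        lines++;
    }
    if (c->used == sizeof c->buf) {   /* buffer full with no newline: too long */
        conn_release(c);
        return -1;
    }
    return lines;
}
```

The event loop must stop polling any `struct conn` whose `fd` is -1; a closed descriptor left in the poll set is one way a server ends up spinning on a dead connection.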
Preconditions
- network: The attacker must have network access to the psyBNC server.
- input: The attacker must be able to send a PASS command with a long password argument.
Reproduction
The provided exploit code demonstrates how to trigger the vulnerability by sending a large password and then closing the connection. The code includes options to specify the target, port, password size, and number of times to send the DoS payload [ref_id=1].
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.iss.net/security_center/static/8912.php (nvd; Patch, Vendor Advisory)
- www.securityfocus.com/bid/4570 (nvd; Exploit, Patch, Vendor Advisory)
- archives.neohapsis.com/archives/bugtraq/2002-04/0322.html (nvd)
- online.securityfocus.com/archive/1/269131 (nvd)