exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

webchat.txt

webchat.txt
Posted Aug 5, 2004
Authored by Donato Ferrante | Site autistici.org

Free Web Chat suffers from both denial of service and resource allocation bugs.

tags | advisory, web, denial of service
SHA-256 | b362a9f9b51a02212145eb681c34e6703a1ce8028a93fa4e37eeca36ea288982

webchat.txt

Change Mirror Download

Donato Ferrante


Application: Free Web Chat
http://sourceforge.net/projects/freewebchat/

Version: Initial Release

Bugs: Multiple Vulnerabilities

Date: 04-Aug-2004

Author: Donato Ferrante
e-mail: fdonato@autistici.org
web: www.autistici.org/fdonato



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bugs
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"Free Web Chat is a chat applet designed to be used in a browser.
It consists of a server and a client applet. You can have multiple
rooms and unlimited user. You can also private message individuals.
Right now the administration aspect is farily minimal, but soon you
will have a robust administration gui to go along with the server
as well as the ability to connect as an administrator remotely."



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
2. The bugs:
-------------

The chat server has two bugs:


[1] Denial Of Service

The chat server has an unchecked variable (in UserManager.java) that
allow users to deny the chat service, in fact we are in presence of
a NullPointerException not managed.


The NullPointerException is located in the following method of
UserManager.java:

public void addUser( Socket sock )
{
User usr = new User(sock, this);
String usrName = usr.getName();
if (usrName != "" ) /* if used to check initialization */
/* it's an error */
{
/* wrong method call! */
/* no checks for usrName != null */
if (userHash.containsKey( usrName) )
{
usr.rejectUsername();
return;
}

usr.sendRoomList(rmManager.getRoomList());

(...)
}


as illustrated above the variable usrName is not checked so it may be
also null. Addictionally the method doesn't catch the exception that
may be thrown: NullPointerException.



[2] Resources Consumption

The chat server is unable to properly manage multiple connections
from the same user. In fact it will consume a lot of CPU resources.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerabilities:


[1]

http://www.autistici.org/fdonato/poc/FreeWebChat[ir]DoS-poc.zip


[2]

http://www.autistici.org/fdonato/poc/FreeWebChat[ir]RC-poc.zip



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

No fix.
The vendor has not answered to my signalations.


If you want you can fix the bug [1] by using my following patch.
To fix the bug [1] replace the method: addUser( Socket sock )
in UserManager.java, with the following patched method:

public void addUser( Socket sock )
{
User usr = new User(sock, this);
String usrName = usr.getName();
if (usrName != "" )
{

/* start fix */
/* manage NullPointerException */
try{

if (userHash.containsKey( usrName) )
{
usr.rejectUsername();
return;
}

}catch(NullPointerException npe){
usr.rejectUsername();
return;
}
/* end fix */

usr.sendRoomList(rmManager.getRoomList());
userHash.put( usr.getName(), usr );
rmManager.getDefaultRoom().addUser( usr );


//start the reciever thread
Thread t = new Thread(usr);
t.start();
}

}





xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close