-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iDEFENSE Security Advisory 12.16.02b: http://www.idefense.com/advisory/12.16.02b.txt Melange Chat System Remote Buffer Overflow December 16, 2002 I. BACKGROUND Christian Walter's Melange Chat System is a chat client/server that provides an easy way to set up your own, power full chat. More information is available at http://melange.terminal.at . II. DESCRIPTION Remote exploitation of a buffer overflow in Melange allows an attacker to crash the application and, in some cases, execute arbitrary code. The vulnerable area of code is found within interpret.c, chat_InterpretData(), line 55: sprintf(msgText,"<%d-%d, %s>: %s",mClient[sender].channel,sender,mClient[sender].name,data); The overflow occurs in the msgText buffer. This provides an attacker with control over the frame pointer and the last byte of the instruction pointer. If the instruction pointer can be modified to a "move %ebp, %esp" or a jump to such a move and place the address of arbitrary instructions in to %ebp, access to the system under the privileges of the user running the chat server is possible. The following transcript demonstrates successful exploitation against Melange compiled with GCC 2.95.3 against GLIBC v1.2.9: $ ./chester -t 2 -h -p 6666 [i] Building string . 0x8077d9c as ebptag . 0xbfffdb97 as poptag . 0x78 as iptag . 0 as allign [i] Creating Connection. [0] Sending Normal Nick Change [1] Sending Pop Write [2] Sending Long Nick Change [3] Sending Crash String [i] Trying to trigger shell... Linux vmlinux 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown uid=501(farmer) gid=501(farmer) groups=501(farmer) III. ANALYSIS Remote exploitation of the vulnerability allows an attacker to crash the server. Exploitation can also provide a remote attacker with local access to the target system. This can then be employed to launch privilege escalation attacks. IV. DETECTION Melange Chat System 1.10, when compiled with GCC 2.95.3 against GLIBC v1.2.9, is vulnerable. Use the following steps to determine susceptibility: $ nc localhost 6666 +++Online >> Melange Chat Server (Version 1.10), Apr-25-1999 Welcome ! (Type /HELP for a list of commands) /nick AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> Your new name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (Line 0). AAAAAAAAAAAAA..['A' repeated total of 480 times]..AAA [0, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]: AAAAAAAAAAAAA..['A' repeated total of 480 times]..AAA>> The administrator shut down the server ! +++Quit If the server shuts down as shown above, then it is vulnerable. V. VENDOR RESPONSE Walter pointed to a message on the main web site that states, "Due to lack of time development on the melange chat system and support had to be abandon. You may go on now, but keep in mind that there was no update for a long time. THERE ARE KNOWN BUGS AND SECURITY CONCERNS, SO USING MELANGE IS ON YOUR OWN RISK!" VI. CVE INFORMATION The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1351 to this issue. VII. DISCLOSURE TIMELINE 10/24/2002 Issue disclosed to iDEFENSE 11/22/2002 Author notified (chris@terminal.at) 11/25/2002 iDEFENSE clients notified 12/01/2002 Second contact attempt with author 12/09/2002 Third contact attempt with author 12/16/2002 Public Disclosure -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPf8s7/rkky7kqW5PEQJE7wCgmb0bnNQCrJ5kwOSuNhmhv+WM6/IAnjkE 92L50F6bhouLsip+5zZItXmN =Ud+L -----END PGP SIGNATURE-----