                           Donato Ferrante


Application:  Free Web Chat
              http://sourceforge.net/projects/freewebchat/

Version:      Initial Release

Bugs:         Multiple Vulnerabilities

Date:         04-Aug-2004

Author:       Donato Ferrante
              e-mail: fdonato@autistici.org
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bugs
3. The code
4. The fix

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"Free Web Chat is a chat applet designed to be used in a browser.
It consists of a server and a client applet. You can have multiple
rooms and unlimited users. You can also private message individuals.
Right now the administration aspect is fairly minimal, but soon you
will have a robust administration gui to go along with the server as
well as the ability to connect as an administrator remotely."

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
2. The bugs:
-------------

The chat server has two bugs:

[1] Denial Of Service

The chat server has an unchecked variable (in UserManager.java) that
allows users to deny the chat service: the result is an unhandled
NullPointerException.

The NullPointerException is located in the following method of
UserManager.java:

    public void addUser( Socket sock )
    {
        User usr = new User(sock, this);
        String usrName = usr.getName();

        if (usrName != "" )    /* if used to check initialization */
                               /* it's an error                   */
        {
                               /* wrong method call!              */
                               /* no checks for usrName != null   */
            if (userHash.containsKey( usrName) )
            {
                usr.rejectUsername();
                return;
            }
            usr.sendRoomList(rmManager.getRoomList());

            (...)
    }

As illustrated above, the variable usrName is not checked, so it may
also be null. Additionally, the method doesn't catch the exception
that may be thrown: NullPointerException.

[2] Resources Consumption

The chat server is unable to properly manage multiple connections
from the same user. In fact it will consume a lot of CPU resources.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerabilities:

[1] http://www.autistici.org/fdonato/poc/FreeWebChat[ir]DoS-poc.zip
[2] http://www.autistici.org/fdonato/poc/FreeWebChat[ir]RC-poc.zip

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

No fix.
The vendor has not answered my reports.

If you want, you can fix bug [1] by using my following patch.

To fix bug [1], replace the method addUser( Socket sock ) in
UserManager.java with the following patched method:

    public void addUser( Socket sock )
    {
        User usr = new User(sock, this);
        String usrName = usr.getName();

        if (usrName != "" )
        {
            /* start fix */
            /* manage NullPointerException */
            try{
                if (userHash.containsKey( usrName) )
                {
                    usr.rejectUsername();
                    return;
                }
            }catch(NullPointerException npe){
                usr.rejectUsername();
                return;
            }
            /* end fix */

            usr.sendRoomList(rmManager.getRoomList());
            userHash.put( usr.getName(), usr );
            rmManager.getDefaultRoom().addUser( usr );

            //start the receiver thread
            Thread t = new Thread(usr);
            t.start();
        }
    }

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
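
An alternative hardening of the addUser check for bug [1], shown as an
added example that is not part of the original advisory or of Free Web
Chat: it validates the name explicitly instead of catching the
NullPointerException. UserRegistry, Result, originalCheck and
isValidName are hypothetical names, and userHash is assumed to be a
java.util.Hashtable.

```java
import java.util.Hashtable;
import java.util.Map;

// Stand-alone sketch; UserRegistry and Result are hypothetical names,
// not Free Web Chat classes.
public class UserRegistry {
    enum Result { ACCEPTED, REJECTED }

    // Assumption: userHash is a java.util.Hashtable, whose containsKey(null)
    // throws NullPointerException (a HashMap would accept a null key).
    private final Map<String, Object> userHash = new Hashtable<>();

    // The advisory's original test: a reference comparison, so null and
    // empty strings created at run time both pass it.
    static boolean originalCheck(String usrName) {
        return usrName != "";
    }

    // Explicit validation: reject null, empty and whitespace-only names.
    static boolean isValidName(String usrName) {
        return usrName != null && !usrName.trim().isEmpty();
    }

    // Validate before touching the table, then register atomically so two
    // connections racing for one name cannot both be accepted.
    Result addUser(String usrName, Object usr) {
        if (!isValidName(usrName)) {
            return Result.REJECTED;
        }
        return userHash.putIfAbsent(usrName, usr) == null
                ? Result.ACCEPTED : Result.REJECTED;
    }

    public static void main(String[] args) {
        UserRegistry registry = new UserRegistry();
        // Constructed sample names, as a client might (fail to) supply them.
        String[] names = { null, "", new String(""), "   ", "alice", "alice" };
        for (String name : names) {
            System.out.printf("name=%-8s originalCheck=%-5b addUser=%s%n",
                    name == null ? "null" : "\"" + name + "\"",
                    originalCheck(name),
                    registry.addUser(name, new Object()));
        }
    }
}
```

In the server itself, the REJECTED path corresponds to calling
usr.rejectUsername() and returning, as the patched method above does.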