============================================= INTERNET SECURITY AUDITORS ALERT 2006-001 - Original release date: January 09, 2006 - Last revised: January 13, 2006 - Discovered by: Jesus Olmos Gonzalez - Severity: 4/5 ============================================= I. VULNERABILITY ------------------------- Arbitrary remote file creation in 123flashchat server. II. BACKGROUND ------------------------- 123 Flash Chat is a full featured java chat server and flash chat client, the product homepage is www.123flashchat.com and it is possible to test it at: http://host10.123flaschat.com/123flaschat.swf http://www.123flashchat.com/123flashchat.swf III. DESCRIPTION ------------------------- The chat server has a user-register functionality, that can be enabled by the following sentence: On in /server/etc/groups/default.xml By default it is enabled and anybody can create a chat account. The register form ask the following questions: username, password, repeat-password and email. When a user creates an account, a file is created at members directory: /123flashchat/server/data/default/members/isec-user The user file has the following structure: ^@^B^@^^@^V^@^E or ^@^B^@^^@^V^@^@ allow field size null parse example username 32 no (allow transversal ../) ../room_1.txt password 32 no allow all 123 repeat-pass 32 no allow all 123 email 128 yes /^.+@.+\..+$/aa a@b.c Username field allow anybody to create a file in our system, with same priviledges as the server and almost arbitrary content. This is dangerous becouse, a user can get others account, erase logs, modify the server's /etc/passwd or modify other config files. IV. PROOF OF CONCEPT ------------------------- In the exploitation, there are two factors, WHERE and WHAT. The username vector is WHERE, and WHAT can be: 1) password 2) email address if we need more bytes Possible attacs: ../../../../logs/access.log erase logs. ../../../../logs/error.log erase logs. ../default/logs/access.log erase logs. ../members/parker change parker's password, if now we login with parker user, he will be disconected. ../../../../../../../etc/passwd if server run as root. ../../../../etc/ssh/sshd.conf if server run as root. ../../../../../var/log/messages if server run as root. ../../../../var/www/htdocs/x.php try to build a shell. ../../../etc/groups/default.xml create an admin account by or other config settings. ../../../fcserver.sh try to replace the script. etc. It is possible to replace the existent files, to make a DoS, to erase logs, to create/change system accounts, to get other chat user/admin accounts or to make other effects in server's system. *Possible* remote execution if some config file is modified. Is it possible to hijack and modify the raw command, to inyect line feed (0x0a) or other characters to construct arbitrary content of the created/overwrited file. Example: (0x0a) /etc/passwd will be: \0\2\0\3../../../../../../../etc/passwd\0\3 root::0:0:root:/bin/bash \0\0 If the server is Windows, is it possible to get execution. V. BUSINESS IMPACT ------------------------- The chat service can be crashed or compromissed remotelly. VI. SYSTEMS AFFECTED ------------------------- This vulnerability affects the 123flaschat server up to 5.1 (released on Dec 22, 2005) tested at: 123flaschat server 5.1 123flaschat server 5.0 VII. SOLUTION ------------------------- The vendor released the 5.1_2 version. http://www.123flashchat.com/flash-chat-server-v512.html VIII. REFERENCES ------------------------- - IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos=at=isecauditors=dot=com). X. REVISION HISTORY ------------------------- January 09, 2006: Initial release. January 13, 2006: Vendor response actualization. XI. DISCLOSURE TIMELINE ------------------------- January 04, 2006 The vulnerability discovered by Internet Security Auditors (http://www.isecauditors.com) January 09, 2006 Initial vendor notification sent. January 10, 2006 Quick response, Version 5.1_2 was released. XII. LEGAL NOTICES ------------------------- -