Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


Date: Wed, 9 Sep 1998 16:19:28 -0700  
From: Jon Beaton <jon@OCOL.COM>  
Subject: bug in iChat 3.0 (maybe others)  
The iChat (http://www.ichat.com/) ROOMS server runs as 'nobody', and on  
port 4080 as default. From what I've noticed, it just uses http, and has  
a bug which lets following /../../../ be run on the URL using any web  
browser. For example, something like:  
will display the passwd file. With this you can view any file on the  
system that 'nobody' has access to. I was only able to test this on  
version 3.0 of the software, and running on Solaris. I contacted the  
company about this, all they said was that if you're using 3.0, you  
should upgrade to 3.03 as soon as possible. I don't even know if this  
particular bug is fixed in that version. If you can try this on other  
versions and OSes, I'd like to hear about the results.  
Jon Beaton  
jbx @ Undernet  
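The traversal described in the post above, shown as an added example that is not part of the thread: a naive URL-to-file mapping beside a contained one, plus a log-side check that flags `..` segments even when percent-encoded. The document root and request paths are assumed for illustration.

```python
"""Added example (not from the original thread): path traversal via '../'
in an HTTP request path, as a vulnerable mapping beside a hardened one.
DOC_ROOT and all request paths below are constructed for illustration."""
import os
from urllib.parse import unquote

DOC_ROOT = "/opt/ichat/htdocs"  # hypothetical document root of the server


def naive_map(url_path: str) -> str:
    """Vulnerable: concatenates the decoded request path onto the root.
    '..' segments pass straight through, so the result can leave DOC_ROOT."""
    return DOC_ROOT + unquote(url_path)


def safe_map(url_path: str):
    """Hardened: decode, join, normalize, then require the result to stay
    inside DOC_ROOT. Returns the filesystem path, or None when the request
    escapes the root (a server should answer that with 403 or 404)."""
    decoded = unquote(url_path)
    # os.path.normpath collapses '.' and '..' lexically without touching the
    # filesystem, so it is safe to run on untrusted input.
    candidate = os.path.normpath(os.path.join(DOC_ROOT, decoded.lstrip("/")))
    # Containment check at a path-component boundary, not a string prefix:
    # '/opt/ichat/htdocs-old/x' must not pass for root '/opt/ichat/htdocs'.
    if os.path.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        return None
    return candidate


def is_traversal_attempt(url_path: str) -> bool:
    """Detection helper for access logs: True when the decoded path holds a
    '..' segment, including single- or double-percent-encoded forms."""
    decoded = url_path
    for _ in range(3):  # undo up to three layers of percent-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return any(seg == ".." for seg in decoded.split("/"))
```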
Date: Thu, 10 Sep 1998 09:56:43 +0200  
From: Renzo Toma <renzo@VERONICA.NL>  
Subject: Re: bug in iChat 3.0 (maybe others)  
The host:4080/../../../etc/passwd bug has been fixed in 3.03 (checked for  
the Solaris 2.5 version).  
Date: Thu, 10 Sep 1998 09:51:42 -0400  
From: Steve Kann <stevek@STEVEK.COM>  
Subject: Re: bug in iChat 3.0 (maybe others)  
They (ichat) know about this problem, and have fixed it in versions  
greater than 3.00. It's a pretty stupid problem to have in the first  
place, though.  
What really irked me about this when I found out about it was this:  
1) I found out about it as it was being exploited by an I-chat technical  
support representative, who was using it to read certain configuration  
files on my machine. He wasn't necessarily being malicious, but he  
_was_ accessing files on my machine, using a security flaw in their  
software, without my consent. Not exactly an experience that gives one  
a "warm/fuzzy feeling".  
2) They released a version 3.00 for linux, but did not release a fixed  
version for linux. So, users running it on linux were forced to either  
stop using it altogether, or live with the problem. The third  
possibility, running it in a protected chrooted environment, is what I  
chose for the period of time that I needed to continue running the  
software. I figured that if they had this kind of bug, who knows how  
many exploitable buffer overflows there are.  
Steve Kann - Horizon Live Distance Learning - 841 Broadway, Suite 502  
Personal: stevek@SteveK.COM  Business: stevek@HorizonLive.com  (212) 533-1775  
I do not want your product or service, and I do not want your money.  
Therefore, do not send me any information about it.