ID PACKETSTORM:67109 Type packetstorm Reporter Michael Gray Modified 2008-06-09T00:00:00
Description
`Name: Michael Gray
Website: www.ownerarium.net
Contact: moose@ownerarium.net
Discovered Exploit: 06-05-2008
Vulnerable Software Title: GSC
Vulnerable Version: <= 2067
Severity: CRITICAL
Website: http://www.getgsc.com
Reported to vendor: Yes
Actively exploited: Yes
Exploit Discovery
------------------
I was analyzing packets for an application of my own to figure out an
issue with my own protocol when I noticed I was receiving packets that
looked similar to that of IRC, so I decided to take a break from my own
project and figure out what application it was. I noticed it was the
voice communication and chat program called GSC. Since I was bored I
figured I would poke around at some of these packets.
First I logged on to my own channel as an administrator and kicked a
friend of mine from the chat channel while recording packets. After
capturing that packet I sent him an application to send raw packets over
a specific socket and told him to send that to the server while he did
not have administrator rights. Immediately after sending the packet he
was disconnected from the channel because he was kicked. We discovered
that the administration system's authentication is done completely
client side and the server only sends a message to the client saying if
the client has administrator rights to the channel, but the server
doesn't check these rights if any administrator command is received.
The Exploit
------------
1.) Log on to GSC with a valid user account
2.) Join your own channel
3.) Record packets that are sent/received to/from GSC
4.) Kick a kind friend from your channel
5.) Stop capturing packets
6.) Modify this packet to reflect who you want to kick
The packet for kicking a user looks something like this:
NOTICE <user> :KICK <channel id> :<kick message>
The user is the name of the user
The channel ID is the same number used in a gsc://join:1 link
The kick message is a string <= 15 characters
Software Implementation
------------------------
Write a program that simply requests you to type in a user, a channel
ID, and a kick message. Format the text to reflect the above example for
the way the kick command is and encode it using UTF-8. Append the packet
with 0x0A to show where the end of the command is. Hook your application
to GSC and determine the socket ID of it's current connection and
forward your packet through it's socket to the server.
Additional Information
-----------------------
The above information may be adapted to fit any administrator command
including those used to completely kick and ban users from GSC as a
whole, rather than just in a single channel. As is currently happening,
users will use social engineering to get users to give out account
information and personal information by impersonating a GSC staff member
and claiming they will shut down the channel unless this information is
released.
A C# implementation of the way packets are constructed and how to
properly format them can be found here: http://pastebin.se/194837 or can
be received by requesting it via email from moose@ownerarium.net
`
{"sourceHref": "https://packetstormsecurity.com/files/download/67109/gsc-kick.txt", "sourceData": "`Name: Michael Gray \nWebsite: www.ownerarium.net \nContact: moose@ownerarium.net \nDiscovered Exploit: 06-05-2008 \n \nVulnerable Software Title: GSC \nVulnerable Version: <= 2067 \nSeverity: CRITICAL \nWebsite: http://www.getgsc.com \nReported to vendor: Yes \nActively exploited: Yes \n \nExploit Discovery \n------------------ \n \nI was analyzing packets for an application of my own to figure out an \nissue with my own protocol when I noticed I was receiving packets that \nlooked similar to that of IRC, so I decided to take a break from my own \nproject and figure out what application it was. I noticed it was the \nvoice communication and chat program called GSC. Since I was bored I \nfigured I would poke around at some of these packets. \n \nFirst I logged on to my own channel as an administrator and kicked a \nfriend of mine from the chat channel while recording packets. After \ncapturing that packet I sent him an application to send raw packets over \na specific socket and told him to send that to the server while he did \nnot have administrator rights. Immediately after sending the packet he \nwas disconnected from the channel because he was kicked. We discovered \nthat the administration system's authentication is done completely \nclient side and the server only sends a message to the client saying if \nthe client has administrator rights to the channel, but the server \ndoesn't check these rights if any administrator command is received. \n \nThe Exploit \n------------ \n \n1.) Log on to GSC with a valid user account \n2.) Join your own channel \n3.) Record packets that are sent/received to/from GSC \n4.) Kick a kind friend from your channel \n5.) Stop capturing packets \n6.) Modify this packet to reflect who you want to kick \n \nThe packet for kicking a user looks something like this: \n \nNOTICE <user> :KICK <channel id> :<kick message> \n \nThe user is the name of the user \nThe channel ID is the same number used in a gsc://join:1 link \nThe kick message is a string <= 15 characters \n \nSoftware Implementation \n------------------------ \n \nWrite a program that simply requests you to type in a user, a channel \nID, and a kick message. Format the text to reflect the above example for \nthe way the kick command is and encode it using UTF-8. Append the packet \nwith 0x0A to show where the end of the command is. Hook your application \nto GSC and determine the socket ID of it's current connection and \nforward your packet through it's socket to the server. \n \nAdditional Information \n----------------------- \n \nThe above information may be adapted to fit any administrator command \nincluding those used to completely kick and ban users from GSC as a \nwhole, rather than just in a single channel. As is currently happening, \nusers will use social engineering to get users to give out account \ninformation and personal information by impersonating a GSC staff member \nand claiming they will shut down the channel unless this information is \nreleased. \n \nA C# implementation of the way packets are constructed and how to \nproperly format them can be found here: http://pastebin.se/194837 or can \nbe received by requesting it via email from moose@ownerarium.net \n \n`\n", "edition": 1, "references": [], "modified": "2008-06-09T00:00:00", "hash": "548f4ebebed99cfd217f917532239df051561735de9cf92ca8f26e75328cb662", "cvelist": [], "history": [], "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/67109/gsc-kick.txt.html", "description": "", "id": "PACKETSTORM:67109", "reporter": "Michael Gray", "lastseen": "2016-11-03T10:15:55", "published": "2008-06-09T00:00:00", "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2016-11-03T10:15:55"}, "vulnersScore": 5.0}, "objectVersion": "1.2", "type": "packetstorm", "cvss": {"vector": "NONE", "score": 0.0}, "title": "gsc-kick.txt", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "eb3d50dfe9f6414acdadced0b81e3d74", "key": "href"}, {"hash": "9cff6a9ba25b9dbc0405946db1b22c53", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cff6a9ba25b9dbc0405946db1b22c53", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "2ab357622aad41a386156d0d19cc01cd", "key": "reporter"}, {"hash": "07ea350b79587067ce9bd9976a0f8ab1", "key": "sourceData"}, {"hash": "0c6f38b99d2d86f23472ee9bd633a561", "key": "sourceHref"}, {"hash": "028658f79f3190c07d7f5a8e7decf725", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}]}
