Multiple Vulnerabilities in Free Web Chat

                       Donato Ferrante

Application: Free Web Chat
http://sourceforge.net/projects/freewebchat/

Version: Initial Release

Bugs: Multiple Vulnerabilities

Date: 04-Aug-2004

Author: Donato Ferrante
e-mail: [email protected]
web: www.autistici.org/fdonato

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bugs
3. The code
4. The fix

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

---

1. Description:

---

Vendor's Description:

"Free Web Chat is a chat applet designed to be used in a browser.
It consists of a server and a client applet. You can have multiple
rooms and unlimited user. You can also private message individuals.
Right now the administration aspect is farily minimal, but soon you
will have a robust administration gui to go along with the server
as well as the ability to connect as an administrator remotely."

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

---

2. The bugs:

---

The chat server has two bugs:

[1] Denial Of Service

The chat server has an unchecked variable (in UserManager.java) that
allow users to deny the chat service, in fact we are in presence of
a NullPointerException not managed.

The NullPointerException is located in the following method of
UserManager.java:

  public void addUser( Socket sock )
  {
        User usr = new User(sock, this);
        String usrName = usr.getName();
        if (usrName != "" ) /* if used to check initialization */
                            /* it's an error */
        {
              /* wrong method call! */
              /* no checks for usrName != null */
              if (userHash.containsKey( usrName) )
              {
                    usr.rejectUsername();
                    return;
              }

              usr.sendRoomList(rmManager.getRoomList());
              
        (...)
 }

as illustrated above the variable usrName is not checked so it may be
also null. Addictionally the method doesn't catch the exception that
may be thrown: NullPointerException.

[2] Resources Consumption

The chat server is unable to properly manage multiple connections
from the same user. In fact it will consume a lot of CPU resources.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

---

3. The code:

---

To test the vulnerabilities:

[1]

http://www.autistici.org/fdonato/poc/FreeWebChat[ir]DoS-poc.zip

[2]

http://www.autistici.org/fdonato/poc/FreeWebChat[ir]RC-poc.zip

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

---

4. The fix:

---

No fix.
The vendor has not answered to my signalations.

If you want you can fix the bug [1] by using my following patch.
To fix the bug [1] replace the method: addUser( Socket sock )
in UserManager.java, with the following patched method:

  public void addUser( Socket sock )
  {
        User usr = new User(sock, this);
        String usrName = usr.getName();
        if (usrName != "" )
        {
                    
              /* start fix */
              /* manage NullPointerException */
              try{
                            
                    if (userHash.containsKey( usrName) )
                    {
                          usr.rejectUsername();
                          return;
                    }

              }catch(NullPointerException npe){
                    usr.rejectUsername();
                    return;
              } 
             /* end fix */

              usr.sendRoomList(rmManager.getRoomList());
              userHash.put( usr.getName(), usr );
              rmManager.getDefaultRoom().addUser( usr );


              //start the reciever thread
              Thread t = new Thread(usr); 
              t.start();
       }
    
  }

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx