Update: Realchat user impersonation - BSA 200506110001
Bedatec Security Advisory 200506110001
--------------------------------------
Update release 2005-09-04 - PoC code released
Added workaround for /me bug
Updated sections marked with "##"
Discovered : 2005-06-06
Vendor notified : 2005-06-11
Release date : 2005-06-23
PoC release : around 2005-07-23
Author : Andreas Beck <becka-sav@xxxxxxxxxx>
Application : Realchat
Severity : Insecure logon handling allows to impersonate any user
Insecure logon handling allows efficient Spambots.
Strange semantics of the /me command may cause minor
privacy breach.
Risk : Medium (no extra privileges gained, but other users may
be deceived about the identity)
Vendor : http://www.realchat.com/
Vendor status : Vendor notified
Vendor statement : Missing feature. Will be rectified by a release that has
a server side user database.
Affected Versions: At least Version 3.5.1b is affected.
CVE reference : none.
Overview:
---------
Realchat is a popular Java-Client based Chat Software used in quite some
Web communities.
Its logon-Protocol is completely unauthenticated, allowing to impersonate
any user. It is not yet clear, if it could also be exploited to gaining
administrative privileges. According to some webdesigners using the chat,
admin privileges are secured using a password mechanism. However it is
unclear how effective it is.
On a sidenote, using the "/me" command in a private chat session causes
the Text to appear in the main Chatroom, possibly giving away private
information.
Details:
--------
While designing an alternate chat client (the Java client is far too
heavyweight for me), I discovered, that the protocol doesn't seem to
have any authentication.
By modifying the custom chat client to send another username, it was
possible to log on as any user.
However this kind of spoofing is often rather easy to spot, if we are
dealing with administrative accounts, as Realchat uses avatars in its
userlist, which usually differ for admins.
However this is as well easily spoofed, as the number of the avatar
is spoofable in the same way.
Proof of concept/How to reproduce:
----------------------------------
Method 1)
Capture the start of a Chat session.
Replay it, but replace the Username with one of the same length.
Same for the avatar number.
Details on how to do further changes (other length usernames, etc)
in the PoC-Code.
Method 2)
Use a suitable Proxy to modify the page that sets up the chat window or
save it locally and modify it.
PoC Code:
---------
We have a simple working Chatclient that allows to use any username (even
very long names) and any avatar as well as any smiley as an avatar.
There is no support for changing rooms or starting private chat sessions
yet.
PoC code has been withheld for about three months now to allow webmasters
using the chat to take proper precautions, if they think the threat is
worth to bother.
### Update - 2005-09-04:
##
## PoC Code is available via
##
## http://www.bedatec.de/download/security/realchat_PoC.tgz
##
## Please note, that it is very simple and maybe it is even vulnerable
## to some reverse attack. Caveat emptor. I just wrote it to prove the
## feasibility of the attack.
##
## PoC for Method 2)
##
## The chat is started by a page similar to this one:
##
## <applet
## archive =" RealChat.jar"
## codebase =" ."
## code =" rcs.client.RealChatClient.class"
## name =" ChatClient"
## width =" 100%"
## height =" 100%"
## align =" top"
## alt =" Something"
## MAYSCRIPT>
## <param name="nick" value="yournick">
## <param name="externalProfileURL" value="http://some.page.com/user/_USER_">
## <param name="avatarIcon" value="4">
##
## Obviously you only need to modify that page accordingly. There is nothing
## to protect the login data.
##
## However it is a little tricky, due to the Java security model (just saving
## the page locally won't suffice, as this will disallow connecting to the
## chatserver), but a suitable proxy will do the trick.
##
### End update
Vendor Response:
----------------
2005-06-11 -> Realchat notified via EMail
2005-06-13 <- Realchat staff got back to me stating this is a missing
feature and that the /me hole was fixed.
2005-06-13 -> Suggested a simple HMAC-like scheme that would require
sniffing another users session to impersonate him.
2005-06-17 <- Realchat say they will try to implement it until they have a
server based authentication.
Recommendations:
----------------
None yet. The problem must be solved in the chat software. Only disabling
the chat would be a viable workaround.
Don't use /me from private chat windows.
## You can use ":" instead, which works correctly.
Kind regards,
Andreas Beck
--
Andreas Beck
http://www.bedatec.de/