<<< Date Index >>>     <<< Thread Index >>>

Update: Realchat user impersonation - BSA 200506110001

Bedatec Security Advisory 200506110001
--------------------------------------

Update release 2005-09-04 - PoC code released 
                            Added workaround for /me bug
                            Updated sections marked with "##"

Discovered       : 2005-06-06
Vendor notified  : 2005-06-11
Release date     : 2005-06-23
PoC release      : around 2005-07-23
Author           : Andreas Beck <becka-sav@xxxxxxxxxx>
Application      : Realchat 
Severity         : Insecure logon handling allows to impersonate any user
                   Insecure logon handling allows efficient Spambots.
                   Strange semantics of the /me command may cause minor
                   privacy breach.
Risk             : Medium (no extra privileges gained, but other users may
                   be deceived about the identity)
Vendor           : http://www.realchat.com/
Vendor status    : Vendor notified
Vendor statement : Missing feature. Will be rectified by a release that has
                   a server side user database.
Affected Versions: At least Version 3.5.1b is affected.
CVE reference    : none.


Overview:
---------

Realchat is a popular Java-Client based Chat Software used in quite some
Web communities.

Its logon-Protocol is completely unauthenticated, allowing to impersonate
any user. It is not yet clear, if it could also be exploited to gaining
administrative privileges. According to some webdesigners using the chat,
admin privileges are secured using a password mechanism. However it is
unclear how effective it is.

On a sidenote, using the "/me" command in a private chat session causes 
the Text to appear in the main Chatroom, possibly giving away private 
information.


Details:
--------

While designing an alternate chat client (the Java client is far too
heavyweight for me), I discovered, that the protocol doesn't seem to 
have any authentication.

By modifying the custom chat client to send another username, it was
possible to log on as any user.

However this kind of spoofing is often rather easy to spot, if we are
dealing with administrative accounts, as Realchat uses avatars in its 
userlist, which usually differ for admins.

However this is as well easily spoofed, as the number of the avatar
is spoofable in the same way.


Proof of concept/How to reproduce:
----------------------------------

Method 1) 

Capture the start of a Chat session.
Replay it, but replace the Username with one of the same length.
Same for the avatar number.

Details on how to do further changes (other length usernames, etc)
in the PoC-Code.


Method 2)

Use a suitable Proxy to modify the page that sets up the chat window or
save it locally and modify it. 

PoC Code:
---------

We have a simple working Chatclient that allows to use any username (even
very long names) and any avatar as well as any smiley as an avatar.
There is no support for changing rooms or starting private chat sessions
yet.

PoC code has been withheld for about three months now to allow webmasters 
using the chat to take proper precautions, if they think the threat is 
worth to bother.

### Update - 2005-09-04:
##
## PoC Code is available via 
##
## http://www.bedatec.de/download/security/realchat_PoC.tgz
##
## Please note, that it is very simple and maybe it is even vulnerable 
## to some reverse attack. Caveat emptor. I just wrote it to prove the
## feasibility of the attack.
##
## PoC for Method 2)
## 
## The chat is started by a page similar to this one:
## 
## <applet
##   archive =" RealChat.jar"
##   codebase =" ."
##   code     =" rcs.client.RealChatClient.class"
##   name     =" ChatClient"
##   width    =" 100%"
##   height   =" 100%"
##   align    =" top"
##   alt      =" Something"
##   MAYSCRIPT>
##   <param name="nick" value="yournick">
##   <param name="externalProfileURL" value="http://some.page.com/user/_USER_";>
##   <param name="avatarIcon" value="4"> 
## 
## Obviously you only need to modify that page accordingly. There is nothing
## to protect the login data. 
## 
## However it is a little tricky, due to the Java security model (just saving
## the page locally won't suffice, as this will disallow connecting to the 
## chatserver), but a suitable proxy will do the trick.
##
### End update

Vendor Response:
----------------

2005-06-11 -> Realchat notified via EMail
2005-06-13 <- Realchat staff got back to me stating this is a missing
              feature and that the /me hole was fixed.
2005-06-13 -> Suggested a simple HMAC-like scheme that would require
              sniffing another users session to impersonate him.
2005-06-17 <- Realchat say they will try to implement it until they have a 
              server based authentication.

Recommendations:
----------------

None yet. The problem must be solved in the chat software. Only disabling
the chat would be a viable workaround.

Don't use /me from private chat windows. 
## You can use ":" instead, which works correctly.


Kind regards,

Andreas Beck

-- 
Andreas Beck
http://www.bedatec.de/