<<< Date Index >>>     <<< Thread Index >>>

[ISecAuditors Advisories] Arbitrary flash code remote execution in 123flashchat



=============================================
INTERNET SECURITY AUDITORS ALERT 2006-003
- Original release date: January 12, 2006
- Last revised: January 23, 2006
- Discovered by: Jesus Olmos Gonzalez
- Severity: 4/5
=============================================

I. VULNERABILITY
-------------------------
Arbitrary flash code remote execution in 123flashchat.
Admin account scalation.


II. BACKGROUND
-------------------------
123 Flash Chat is a full featured java chat server and flash chat
client, the product homepage is www.123flashchat.com and it is
possible to test it at:

http://host10.123flaschat.com/123flaschat.swf
http://www.123flashchat.com/123flashchat.swf


III. DESCRIPTION
-------------------------
The flash chat client uses too much the eval sentence, in most of
cases there is vulnerable becouse there is included variables in the
eval, and users can change the value of them.

If we can write in a eval, we can inject code, if our user name has
the character ; we could write code inside the client.

If its possible to write code, a cracker can convet his user to an
admin by changing his variables. Is possible to inject to other
clients too.

let's see the vulnerable code:

function openOneAVWindow(username) {
        var i = 0;
        if (i < roomUsers.length)    {
                var user = roomUsers[i];
                if (user.name == username)
                {
                        if (eval("_root.avmc_" + user.name) == "")


if our username is:
      x;user.name= a;user.name=ADMIN_AVATAR_NAME;//

the eval will be:
      eval("_root.avmc_a;user.name=ADMIN_AVATAR_NAME;//");


and this will be executed when a window is opened:
user.name=ADMIN_AVATAR_NAME;

Is not possible a username with the " character, then is possible to
use the ADMIN_AVATAR_NAME constat wich value is "admin".


IV. PROOF OF CONCEPT
-------------------------
We have not exploited sucsessfuly, but there is the vulnerability.


V. BUSINESS IMPACT
-------------------------
 -


VI. SYSTEMS AFFECTED
-------------------------
This vulnerability affects the 123flaschat server up to 5.1
(released on Dec 22, 2005)


VII. SOLUTION
-------------------------
No patch available yet.

VIII. REFERENCES
-------------------------
 -

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Jesus Olmos
Gonzalez (jolmos=at=isecauditors=dot=com).


X. REVISION HISTORY
-------------------------
January 13, 2006: Initial release.
Jaunary 23, 2006: Update the Vendor response.

XI. DISCLOSURE TIMELINE
-------------------------
January 04, 2006    The vulnerability discovered by Internet Security
Auditors.
January 13, 2006    Initial vendor notification sent.
January 23, 2006    Vendor confirm that this is corrected in v5.1_2 i

XII. LEGAL NOTICES
-------------------------
-