Multiple vulnerabilities in Ipswitch Instant Messaging 2.0.8.1
#######################################################################
Luigi Auriemma
Application: Ipswitch Instant Messaging
http://www.ipswitch.com/products/instant_messaging
Versions: <= 2.0.8.1
Platforms: Windows
Bugs: A] pre-auth NULL pointer crash in decryption function
B] format string in logging
C] arbitrary empty files creation
Exploitation: remote
A] versus both server and clients
B] versus server
C] versus server
Date: 07 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Ipswitch Instant Messaging (IM) is a client/server messaging software.
#######################################################################
=======
2) Bugs
=======
-----------------------------------------------------
A] pre-auth NULL pointer crash in decryption function
-----------------------------------------------------
IM uses the 3DES encryption with a fixed key ("ipswitch") for
encrypting the network traffic and the only data which is in clear-text
are the first 8 bytes exchanged at the beginning of each connection
which are the version number of the program.
If an attacker uses a version number equal to zero (no encryption?)
will be able to crash the server due to the access to a NULL pointer
during the decryption of the incoming data.
Note that this bug affects both the server and client application so an
attacker can easily crash all the clients in the LAN sending the
malformed data to the port 5178 of each host since this is the default
port on which they listen.
---------------------------
B] format string in logging
---------------------------
The logging function used by IM is affected by a format string
vulnerability.
The way I have found for exploiting this vulnerability is through a
message sent to an user who has a malformed client IP string.
So is possible to do this using two accounts (in my tests sending a
message to himself doesn't seem to work for this bug) or in many other
ways like sending a message to another user which when will reply will
also exploit the vulnerability.
When the server will try to connect to the IP specified by the target
client it will fail since it's not a valid IP (255.255.255.255
INADDR_NONE) and will create an error message similar to the following
subsequently passed directly to sprintf without the needed format
argument:
"Queueing message for username@host. Unexpected Error = 10049, Failed to
connect to client_IP. on port client_port.."
---------------------------------
C] arbitrary empty files creation
---------------------------------
IM creates index files for storing pointers to the entries of its
database in which are stored the messages of the users.
The problem here is that these index files are created in append mode
using the name of the target of the message plus the "@hostname.idx"
suffix (like username@xxxxxxxxxx) without checking if the file has been
created outside the Logs folder.
Actually the only way I have found for writing files with arbitrary
names is through the char ':' appended at the end of the target
username which allows to drop the additional suffix added by the
program.
Anyway, although interesting, this bug can't be defined a real
vulnerability since it's possible to create new files anywhere in the
disk where is installed IM but is not possible to overwrite or append
garbage data (the index data about I talked before) to the existent
ones.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/ipsimene.zip
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org