lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050723141523.GA1445@uni-duesseldorf.de>
Date: Sat, 23 Jul 2005 16:15:23 +0200
From: Andreas Beck <becka-list-bugtraq@...atec.de>
To: bugtraq@...urityfocus.com
Subject: Realchat user impersonation - BSA 200506110001


Bedatec Security Advisory 200506110001
--------------------------------------

Discovered       : 2005-06-06
Vendor notified  : 2005-06-11
Release date     : 2005-06-23
PoC release      : around 2005-07-23
Author           : Andreas Beck <becka-sav@...atec.de>
Application      : Realchat 
Severity         : Insecure logon handling allows to impersonate any user
                   Insecure logon handling allows efficient Spambots.
                   Strange semantics of the /me command may cause minor
                   privacy breach.
Risk             : Medium (no extra privileges gained, but other users may
                   be deceived about the identity)
Vendor           : http://www.realchat.com/
Vendor status    : Vendor notified
Vendor statement : Missing feature. Will be rectified by a release that has
                   a server side user database.
Affected Versions: At least Version 3.5.1b is affected.
CVE reference    : none.


Overview:
---------

Realchat is a popular Java-Client based Chat Software used in quite some
Web communities.

Its logon-Protocol is completely unauthenticated, allowing to impersonate
any user. It is not yet clear, if it could also be exploited to gaining
administrative privileges. According to some webdesigners using the chat,
admin privileges are secured using a password mechanism. However it is
unclear how effective it is.

On a sidenote, using the "/me" command in a private chat session causes 
the Text to appear in the main Chatroom, possibly giving away private 
information.


Details:
--------

While designing an alternate chat client (the Java client is far too
heavyweight for me), I discovered, that the protocol doesn't seem to 
have any authentication.

By modifying the custom chat client to send another username, it was
possible to log on as any user.

However this kind of spoofing is often rather easy to spot, if we are
dealing with administrative accounts, as Realchat uses avatars in its 
userlist, which usually differ for admins.

However this is as well easily spoofed, as the number of the avatar
is spoofable in the same way.


Proof of concept/How to reproduce:
----------------------------------

Method 1) 

Capture the start of a Chat session.
Replay it, but replace the Username with one of the same length.
Same for the avatar number.

Details on how to do further changes (other length usernames, etc)
in the PoC-Code.


Method 2)

Use a suitable Proxy to modify the page that sets up the chat window or
save it locally and modify it. 

PoC Code:
---------

We have a simple working Chatclient that allows to use any username (even
very long names) and any avatar as well as any smiley as an avatar.
There is no support for changing rooms or starting private chat sessions
yet.

PoC code will be withheld for another month to allow webmasters using the
chat to take proper precautions, if they think the threat is worth to 
bother.


Vendor Response:
----------------

2005-06-11 -> Realchat notified via EMail
2005-06-13 <- Realchat staff got back to me stating this is a missing
              feature and that the /me hole was fixed.
2005-06-13 -> Suggested a simple HMAC-like scheme that would require
              sniffing another users session to impersonate him.
2005-06-17 <- Realchat say they will try to implement it until they have a 
              server based authentication.


Recommendations:
----------------

None yet. The problem must be solved in the chat software. Only disabling
the chat would be a viable workaround.

Don't use /me from private chat windows.


Kind regards,

Andreas Beck

-- 
Andreas Beck
http://www.bedatec.de/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ