Message-ID: <43D5F560.9090403@isecauditors.com>
Date: Tue, 24 Jan 2006 10:37:36 +0100
From: ISecAuditors Security Advisories <advisories@...cauditors.com>
To: bugtraq@...urityfocus.com
Subject: [ISecAuditors Advisories] Arbitrary flash code remote execution in 123flashchat


=============================================
INTERNET SECURITY AUDITORS ALERT 2006-003
- Original release date: January 12, 2006
- Last revised: January 23, 2006
- Discovered by: Jesus Olmos Gonzalez
- Severity: 4/5
=============================================

I. VULNERABILITY
-------------------------
Arbitrary flash code remote execution in 123flashchat.
Admin account escalation.


II. BACKGROUND
-------------------------
123 Flash Chat is a full-featured Java chat server and Flash chat
client. The product homepage is www.123flashchat.com, and it can be
tested at:

http://host10.123flaschat.com/123flaschat.swf
http://www.123flashchat.com/123flashchat.swf


III. DESCRIPTION
-------------------------
The Flash chat client relies heavily on the eval sentence. In most
cases the call is vulnerable because variables are concatenated into
the evaluated string, and users can change the value of those variables.

If we can write into an eval, we can inject code: if our user name
contains the character ; we can write code inside the client.

If it is possible to write code, a cracker can convert his user into an
admin by changing his variables. It is also possible to inject into
other clients.

Let's look at the vulnerable code:

function openOneAVWindow(username) {
	var i = 0;
	if (i < roomUsers.length) {
		var user = roomUsers[i];
		if (user.name == username) {
			// user.name is concatenated into the eval string without any
			// escaping or validation, so a ; in the name ends the intended
			// expression and whatever follows is evaluated as well
			if (eval("_root.avmc_" + user.name) == "") {
				// ... the avatar window is created here (rest omitted)
			}
		}
	}
}


if our username is:
      x;user.name= a;user.name=ADMIN_AVATAR_NAME;//

the eval will be:
      eval("_root.avmc_a;user.name=ADMIN_AVATAR_NAME;//");


and this will be executed when a window is opened:
user.name=ADMIN_AVATAR_NAME;

A username cannot contain the " character, so instead the
ADMIN_AVATAR_NAME constant, whose value is "admin", can be used.
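The eval-based lookup described above, modelled in JavaScript (where eval runs any statement that follows a `;`), beside a hardened lookup that resolves the property by name and validates the username first. This is an added example, not code from the advisory or from 123flashchat; the root object, avatar fields and usernames are constructed for it.

```javascript
// Constructed stand-in for the Flash client's _root with per-user avatar fields.
const root = { avmc_alice: "", avmc_bob: "bob_av.swf" };

// Mirrors the advisory's pattern: the username is spliced into the string
// handed to eval, so the name decides what gets evaluated.
function lookupAvatarUnsafe(name) {
  return eval("root.avmc_" + name);
}

// Returns true if resolving `name` through the unsafe lookup changed root,
// i.e. the lookup did more than read a value (useful as a regression check).
function unsafeLookupHasSideEffect(name) {
  const before = JSON.stringify(root);
  lookupAvatarUnsafe(name);
  return JSON.stringify(root) !== before;
}

// Hardened: usernames are restricted to a whitelist of characters ...
const USERNAME_RE = /^[A-Za-z0-9_]{1,32}$/;
function isValidUsername(name) {
  return typeof name === "string" && USERNAME_RE.test(name);
}

// ... and the field is resolved as a property name, never through an
// interpreter, so a ; in the name can only produce a missing key.
function lookupAvatarSafe(name) {
  if (!isValidUsername(name)) {
    throw new Error("invalid username");
  }
  const key = "avmc_" + name;
  return Object.prototype.hasOwnProperty.call(root, key) ? root[key] : undefined;
}
```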


IV. PROOF OF CONCEPT
-------------------------
We have not exploited it successfully, but the vulnerability is there.


V. BUSINESS IMPACT
-------------------------
 -


VI. SYSTEMS AFFECTED
-------------------------
This vulnerability affects the 123flashchat server up to 5.1
(released on Dec 22, 2005).


VII. SOLUTION
-------------------------
No patch available yet.

VIII. REFERENCES
-------------------------
 -

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Jesus Olmos
Gonzalez (jolmos=at=isecauditors=dot=com).


X. REVISION HISTORY
-------------------------
January 13, 2006: Initial release.
January 23, 2006: Updated with the vendor response.

XI. DISCLOSURE TIMELINE
-------------------------
January 04, 2006    Vulnerability discovered by Internet Security
Auditors.
January 13, 2006    Initial vendor notification sent.
January 23, 2006    Vendor confirms that this is corrected in v5.1_2 i

XII. LEGAL NOTICES
-------------------------
-

