lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080206205009.0824e4ac.aluigi@autistici.org>
Date: Wed, 6 Feb 2008 20:50:09 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com, packet@...ketstormsecurity.org
Subject: Chat vulnerabilities in TinTin++ 1.97.9


#######################################################################

                             Luigi Auriemma

Application:  TinTin++ / WinTin++
              http://tintin.sourceforge.net
Versions:     <= 1.97.9
Platforms:    Windows, Linux and Mac
Bugs:         A] chat buffer-overflow
              B] chat YES NULL pointer
              C] chat home folder empty files creation
Exploitation: remote
Date:         06 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


TinTin++ is a well known MUD client.


#######################################################################

=======
2) Bugs
=======


The #chat command available in TinTin++ binds a TCP port (4050 by
default) used to receive chat messages and files from the other
clients.


-----------------------
A] chat buffer-overflow
-----------------------

Exists a buffer-overflow vulnerability in add_line_buffer() where
word_wrap() makes the input string double due to conversion of line
feeds in CR/LF.
The way I have found to exploit this vulnerability is through the
chat_printf() function used for building of the
"Unterminated command: %d %s" string when the program receives data
without a 0xff delimiter.

TinTin++ handles the data received through read/recv (max 19000
chars) directly without waiting the entire data block as it was sent,
anyway the vulnerability has been successfully tested and confirmed on
Internet too.


------------------------
B] chat YES NULL pointer
------------------------

The presence of the line feed char in the "YES:" message is not
verified allowing an attacker to crash the TinTin++ program due to the
resulted NULL pointer.

>From chat.c:

int process_chat_input(struct chat_data *buddy)
...
            sep = strchr(buf, '\n');

            *sep++ = 0;
            ...


----------------------------------------
C] chat home folder empty files creation
----------------------------------------

TinTin++ can receive files from other people in the incoming folder
which by default is the home one (~ on Unix and %USERPROFILE% in
Windows) but naturally is needed that the user accepts the file for
receiving it.

The problem is that the file specified by the sender is created before
accepting or declining it so is possible for an attacker to overwrite
the existent files (subdirectories cannot be specified) with empty
ones.
For example is possible to clear the configuration files like .bashrc
or .inputrc or ntuser.ini and so on.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/rintintin.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ