The OpenNET Project / Index page
Multiple Cyan Chat Exploits


Date: Fri, 2 Aug 2002 15:31:47 -0700
From: chip <chip@force-elite.com>
To: bugtraq <bugtraq@securityfocus.com>
Subject: Multiple Cyan Chat Exploits

+ Summary +
Several exploits allow users to flood other users and to create client
connections that are not visible to the other connected users.  These vulnerabilities
can create havoc in an otherwise friendly chat environment.

+ About Cyan Chat +
Cyan Chat (CC) is a simple chat protocol developed by Cyan
[http://www.cyan.com] for use by its fans.  It uses TCP port 1812 for
communication.  A page describing the protocol is located at:
http://cho.cyan.com/chat/protocol1.html

The Java client, which has traditionally been the most common means of access,
is located at: http://cho.cyan.com/chat/standard/chat.html

The main CC web site can be found at: http://cho.cyan.com/chat/

+ Vendor Contact +
Cyan was contacted on this matter on Sunday July 28th.
They have informed me of their intention to patch these bugs.


+ Quit Flood Exploit +
Use Telnet to connect to the server on TCP port 1812 and repeatedly send "15\n".
This will flood the chat room with quit messages from a non-existent user-name
(which appears to be the client connection number).  It is possible to flood the
server, preventing other users from chatting.
Users can also use the Java client and repeatedly click on the "join/quit" button
to produce a similar effect, but the user-name submitted would be visible.

+ Invisible Character Exploit +
The normal Java chat client renders the hexadecimal number 0xA0
(decimal 160) as a space.  This makes it appear that two users are
connected with the same name.  A user named "The World" and one named "The\160World"
would both appear to other users as the same user.  It is impossible to tell which
user is talking in the chat room.  This same exploit has previously been used to
flood a user or the entire chat room with this single character repeated, to, in
effect, "clear" the screens of all connected users.
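A server-side defense against the look-alike names described above, written as an added example for this page (it is not Cyan's code and not the replacement server's): every name is checked character by character, anything in a Unicode control or format category or any whitespace other than the ASCII space (which covers 0xA0, the no-break space) is refused, and accepted names are compared through a normalized key so that case or spacing variants of a name already online cannot be claimed. The function and class names and the 20-character length limit are assumptions.

```python
import unicodedata
from typing import Dict, Optional

MAX_NAME_LEN = 20  # assumed limit; the protocol page is not quoted on this


def validate_name(raw: str) -> Optional[str]:
    """Return the cleaned display name, or None if the name must be refused.

    Every character is classified with unicodedata.category():
      - 'C*' (control, format, private use, unassigned) is refused outright,
        which blocks terminal escape sequences and zero-width code points;
      - 'Z*' (space and line/paragraph separators) is refused unless it is
        the plain ASCII space, which blocks U+00A0 (0xA0, the no-break space
        the Java client renders as a space) and the other blank look-alikes.
    Runs of ordinary spaces are collapsed and the ends are trimmed.
    """
    if not raw or len(raw) > MAX_NAME_LEN:
        return None
    for ch in raw:
        cat = unicodedata.category(ch)
        if cat.startswith("C"):
            return None
        if cat.startswith("Z") and ch != " ":
            return None
    cleaned = " ".join(raw.split())
    return cleaned or None


def canonical_key(name: str) -> str:
    """Key used to detect names that would look the same to other users.

    NFKC folds compatibility forms (full-width letters, ligatures) to their
    base characters, casefold() removes case differences, and whitespace is
    collapsed to single ASCII spaces.  This does not catch cross-script
    homoglyphs such as Cyrillic 'а' vs Latin 'a'; that needs a confusables
    table and is out of scope here.
    """
    folded = unicodedata.normalize("NFKC", name).casefold()
    folded = "".join(
        " " if unicodedata.category(c).startswith("Z") else c for c in folded
    )
    return " ".join(folded.split())


class NameRegistry:
    """Tracks the names currently in use, keyed by their canonical form."""

    def __init__(self) -> None:
        self._display_by_key: Dict[str, str] = {}

    def claim(self, raw: str) -> Optional[str]:
        """Validate `raw` and reserve it; return the display name or None."""
        display = validate_name(raw)
        if display is None:
            return None
        key = canonical_key(display)
        if key in self._display_by_key:
            return None  # would be indistinguishable from a user already online
        self._display_by_key[key] = display
        return display

    def release(self, display: str) -> None:
        """Free a name when its connection closes."""
        self._display_by_key.pop(canonical_key(display), None)

    def online(self):
        """Names to publish in the user list, sorted for stable output."""
        return sorted(self._display_by_key.values())
```

Refusing the characters at login is what stops the 0xA0 trick; the canonical key is the second layer, for names that are made of legitimate characters yet still render the same as one already on the list.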

+ Invisible User Exploit +
Connect to CC using Telnet.  Log in and send either "11\n", "21\n", "31\n" or
"35\n".  The user-name you logged in with will no longer be sent out by the server in
its user list update.  The client doing this will also no longer receive what
other users are saying in the chat room.  The client can still send message
commands, but its user-name is not listed as online.  A user can log in under
their normal name, and, if a previously made invisible client is already connected
and has logged in as that name, it can appear to talk as that user.  An example
(Win32 client) that automates this, written by Kyle Devies [kdevies@neo.rr.com],
is available at:
http://force-elite.com/~chip/cc-ml-1.0.exe
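The quit flood and the invisible-user bug above both come down to the server acting on input it should have refused: a quit announcement for a connection that never logged in, and server-to-client codes arriving from a client. The following is an added example of the server-side checks, not code from Cyan's server or from the replacement server mentioned under Solutions; it keeps a session per connection, announces a quit only for a logged-in name, refuses the server-only codes without touching session state, keeps an occupied name from being claimed by a second connection, and rate-limits join/quit churn per client address. The login code "40", the "CODE|payload" line layout, the limit values and the class names are assumptions.

```python
import time
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Codes from the advisory: "15" is the client's quit command; "11", "21", "31"
# and "35" are codes the vulnerable server accepted from a client although it
# only ever emits them itself.  "40" as the login code and the "CODE|payload"
# line layout are assumptions made for this example.
CLIENT_LOGIN = "40"
CLIENT_QUIT = "15"
SERVER_ONLY = {"11", "21", "31", "35"}


class ChurnLimiter:
    """Sliding-window limit on join/quit announcements per client address."""

    def __init__(self, limit: int = 3, window: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit, self.window, self.clock = limit, window, clock
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, addr: str) -> bool:
        now = self.clock()
        q = self._events.setdefault(addr, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


@dataclass
class Session:
    addr: str
    name: Optional[str] = None  # None until a login is accepted


class ChatServer:
    """Server-side state for the checks; broadcasts are captured in a list."""

    def __init__(self, limiter: Optional[ChurnLimiter] = None) -> None:
        self.sessions: Dict[int, Session] = {}
        self.users: Dict[str, int] = {}               # name -> connection id
        self.broadcasts: List[Tuple[str, str]] = []   # (event, name) sent to all
        self.limiter = limiter or ChurnLimiter()

    def connect(self, conn_id: int, addr: str) -> None:
        self.sessions[conn_id] = Session(addr)

    def handle_line(self, conn_id: int, line: str) -> str:
        """Process one line from a client and return a result tag."""
        sess = self.sessions[conn_id]
        code, _, payload = line.rstrip("\r\n").partition("|")

        if code in SERVER_ONLY:
            # Never consumed from a client: the session stays exactly as it was,
            # so the name remains in the user list and keeps receiving messages.
            return "rejected:server-only-code"

        if code == CLIENT_LOGIN:
            if sess.name is not None:
                return "rejected:already-logged-in"
            if not payload or payload in self.users:
                return "rejected:name-unavailable"  # no second "chip" while one is online
            if not self.limiter.allow(sess.addr):
                return "rejected:rate-limited"
            sess.name = payload
            self.users[payload] = conn_id
            self.broadcasts.append(("join", payload))
            return "ok:login"

        if code == CLIENT_QUIT:
            if sess.name is None:
                # Nothing to announce for a connection that never logged in,
                # so a bare stream of "15" lines produces no broadcasts.
                return "rejected:not-logged-in"
            # The client may always leave; only the announcement is limited.
            announce = self.limiter.allow(sess.addr)
            if announce:
                self.broadcasts.append(("quit", sess.name))
            del self.users[sess.name]
            sess.name = None
            return "ok:quit" if announce else "ok:quit-unannounced"

        return "rejected:unknown-code"

    def disconnect(self, conn_id: int) -> None:
        """Socket closed: drop the session and free its name."""
        sess = self.sessions.pop(conn_id)
        if sess.name is not None:
            self.users.pop(sess.name, None)
            self.broadcasts.append(("quit", sess.name))
```

The limiter is keyed by address rather than by connection so that reconnecting does not reset it; the clock is injected so the window can be tested without sleeping.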

+ Solutions +
Cyan's chat server is a closed-source program with no binaries available for
download.  A server written by Paul Querna [chip@force-elite.com]
that implements the CC protocol and is not vulnerable to these exploits is located
at: http://mhs.mead.k12.wa.us/~chip/chat/


+ Credit +
Combined work of:
Paul Querna - chip - chip@force-elite.com
Matt Witkowski - The World - MJW2286@hotmail.com
Matt Wallace - Carrad - carrad_of_dni@yahoo.com
Kyle Devies - Myst Librarian - kdevies@neo.rr.com

