[Full-Disclosure] Multiple Vulnerabilities in Free Web Chat

From: Donato Ferrante (fdonato_at_autistici.org)
Date: 08/04/04

    To: <full-disclosure@lists.netsys.com>
    Date: Wed, 4 Aug 2004 11:57:50 -0000
    
    

                               Donato Ferrante

    Application: Free Web Chat
                  http://sourceforge.net/projects/freewebchat/

    Version: Initial Release

    Bugs: Multiple Vulnerabilities

    Date: 04-Aug-2004

    Author: Donato Ferrante
                  e-mail: fdonato@autistici.org
                  web: www.autistici.org/fdonato

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    1. Description
    2. The bugs
    3. The code
    4. The fix

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ----------------
    1. Description:
    ----------------

    Vendor's Description:

    "Free Web Chat is a chat applet designed to be used in a browser.
    It consists of a server and a client applet. You can have multiple
    rooms and unlimited users. You can also private message individuals.
    Right now the administration aspect is fairly minimal, but soon you
    will have a robust administration gui to go along with the server
    as well as the ability to connect as an administrator remotely."

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -------------
    2. The bugs:
    -------------

    The chat server has two bugs:

    [1] Denial Of Service

    The chat server has an unchecked variable (in UserManager.java) that
    allows users to deny the chat service: the method throws a
    NullPointerException that is never handled.

    The NullPointerException is located in the following method of
    UserManager.java:

          public void addUser( Socket sock )
          {
                User usr = new User(sock, this);
                String usrName = usr.getName();
                if (usrName != "" ) /* if this is meant as an initialization */
                                    /* check, it is an error */
                {
                      /* unsafe method call! */
                      /* usrName is never checked against null */
                      if (userHash.containsKey( usrName) )
                      {
                            usr.rejectUsername();
                            return;
                      }

                      usr.sendRoomList(rmManager.getRoomList());
                      
                (...)
          }

    As illustrated above, the variable usrName is not checked, so it may
    also be null. Additionally, the method doesn't catch the
    NullPointerException that may be thrown.

    [2] Resource Consumption

    The chat server is unable to properly manage multiple connections
    from the same user. In fact it will consume a lot of CPU resources.

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -------------
    3. The code:
    -------------

    To test the vulnerabilities:

    [1]

       http://www.autistici.org/fdonato/poc/FreeWebChat[ir]DoS-poc.zip

    [2]

       http://www.autistici.org/fdonato/poc/FreeWebChat[ir]RC-poc.zip

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ------------
    4. The fix:
    ------------

    No fix.
    The vendor has not answered my reports.

    If you want, you can fix bug [1] by using my patch below.
    To fix bug [1], replace the method addUser( Socket sock )
    in UserManager.java with the following patched method:

          public void addUser( Socket sock )
          {
                User usr = new User(sock, this);
                String usrName = usr.getName();
                if (usrName != "" )
                {
                            
                      /* start fix */
                      /* manage NullPointerException */
                      try{
                                    
                            if (userHash.containsKey( usrName) )
                            {
                                  usr.rejectUsername();
                                  return;
                            }

                      }catch(NullPointerException npe){
                            usr.rejectUsername();
                            return;
                      }
                      /* end fix */

                      usr.sendRoomList(rmManager.getRoomList());
                      userHash.put( usr.getName(), usr );
                      rmManager.getDefaultRoom().addUser( usr );

                      //start the receiver thread
                      Thread t = new Thread(usr);
                      t.start();
               }
            
          }
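
An alternative to catching the exception, as an added example that is not part of the original advisory or the Free Web Chat source: validate the name explicitly and register it in one atomic step. The class AddUserCheck, the Result enum and the String-only addUser() signature are hypothetical stand-ins, and userHash is assumed to behave like java.util.Hashtable.

```java
import java.util.Hashtable;
import java.util.Map;

/** Added example: explicit validation instead of catching NullPointerException. */
public class AddUserCheck {
    // Assumption: the server's userHash behaves like java.util.Hashtable,
    // whose containsKey(null) throws NullPointerException.
    private final Map<String, Object> userHash = new Hashtable<>();

    enum Result { ACCEPTED, REJECTED }

    /** Hypothetical stand-in for UserManager.addUser(), taking only the name. */
    Result addUser(String usrName) {
        // Reject null, empty or whitespace-only names before touching the table.
        // isEmpty() compares content; `usrName != ""` only compares references,
        // so it is true for null and for any empty string that is not interned.
        if (usrName == null || usrName.trim().isEmpty()) {
            return Result.REJECTED;
        }
        // putIfAbsent is atomic on Hashtable, so two connections asking for
        // the same name cannot both pass a separate containsKey() check.
        Object previous = userHash.putIfAbsent(usrName, new Object());
        return previous == null ? Result.ACCEPTED : Result.REJECTED;
    }

    public static void main(String[] args) {
        AddUserCheck mgr = new AddUserCheck();
        // Constructed inputs, including the null name the advisory describes
        // and a non-interned empty string that slips past `usrName != ""`.
        String[] names = { "alice", null, "", new String(""), "alice", "bob" };
        for (String n : names) {
            String shown = (n == null) ? "null" : "\"" + n + "\"";
            System.out.println(shown + " -> " + mgr.addUser(n));
        }
    }
}
```

In the real method, each REJECTED branch would call usr.rejectUsername() and return, as the patched method above does in its catch block.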

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

