[NEWS] Multiple Cyan Chat Vulnerabilities

From: support@securiteam.com
Date: 08/05/02


From: support@securiteam.com
To: list@securiteam.com
Date: Mon,  5 Aug 2002 17:18:02 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Multiple Cyan Chat Vulnerabilities
------------------------------------------------------------------------

SUMMARY

Cyan Chat (CC) is a simple chat protocol developed by Cyan
(http://www.cyan.com) for use by its fans. It uses TCP port 1812 for
communication. A page describing the protocol is located at:
http://cho.cyan.com/chat/protocol1.html. Several exploits allow users to
flood other users and to create client connections that are not visible
to the other connected users. These vulnerabilities can create havoc in
an otherwise friendly chat environment.

DETAILS

Quit Flood:
Use Telnet to connect to the server on TCP port 1812 and repeatedly send
"15\n". This will flood the chat room with messages from a non-existent
username. This makes it possible to flood the server and the chat room,
preventing other users from chatting. Users can use the Java client to
recreate the same effect by repeatedly clicking "join/quit", but the
username would be visible.

Invisible Character:
The normal Java chat client renders the hexadecimal number 0xA0 (decimal
160) as a space. This makes it appear that two users are connected with
the same name: a user named "The World" and a user named "The\160World"
would both appear to be the same user to other users. It is impossible to
tell which user is talking in the chat room. This same exploit can also
be used to flood a user or an entire chat room with this single
character, in effect "clearing" the screens of all connected users.
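
A server-side check for the look-alike names and blank filler described above, as an added example that is not part of the original advisory or of Cyan's code. It goes beyond the single 0xA0 case to any Unicode blank or invisible character; the NameRegistry class, the function names and the Latin-1 decoding are assumptions.

```python
import unicodedata

# Unicode categories that render as blank space or as nothing at all:
# Zs includes U+00A0 (byte 0xA0 in Latin-1), Cf covers zero-width characters.
BLANK_CATEGORIES = {"Zs", "Zl", "Zp", "Cf", "Cc"}


def is_blank_like(ch):
    return unicodedata.category(ch) in BLANK_CATEGORIES


def skeleton(name):
    """Form of the name as a user sees it: blank-like runs become one space."""
    spaced = "".join(" " if is_blank_like(c) else c for c in name)
    return " ".join(spaced.split())


def is_blank_message(text):
    """True when a chat line has no visible character (screen-clearing filler)."""
    return all(is_blank_like(c) for c in text)


class NameRegistry:
    """Hypothetical server-side table of the names currently logged in."""

    def __init__(self):
        self._by_skeleton = {}

    def register(self, name):
        skel = skeleton(name)
        if not skel:
            return False, "name has no visible characters"
        if any(is_blank_like(c) and c != " " for c in name):
            return False, "name contains a non-ASCII blank or invisible character"
        if skel in self._by_skeleton:
            return False, f"looks identical to {self._by_skeleton[skel]!r}"
        self._by_skeleton[skel] = name
        return True, "ok"

    def release(self, name):
        self._by_skeleton.pop(skeleton(name), None)


def demo():
    # Constructed sample names as raw bytes, decoded as Latin-1 (assumed encoding).
    reg = NameRegistry()
    raw = [b"The World", b"The\xa0World", b"The  World", b"\xa0\xa0"]
    return [reg.register(r.decode("latin-1")) for r in raw]
```

Running is_blank_message on each chat line before broadcast lets the server drop lines made only of such characters.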

Invisible User:
Connect to CC using Telnet. Log in and send either "11\n", "21\n", "31\n"
or "35\n". The username you logged in with will no longer be sent out by
the server in its user list update. The client doing this will also no
longer receive the contents of what other users are saying in the chat
room. The client can now send message commands, but its username will not
be listed as online.

Vendor status:
Cyan was contacted on this matter on Sunday July 28th. They have informed
us of their intention to patch these bugs.

ADDITIONAL INFORMATION

The information has been provided by chip <chip@force-elite.com>.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


