[NEWS] Multiple Cyan Chat Vulnerabilites

From: support@securiteam.com
Date: 08/05/02

From: support@securiteam.com
To: list@securiteam.com
Date: Mon,  5 Aug 2002 17:18:02 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Multiple Cyan Chat Vulnerabilites


Cyan Chat (CC) is a simple chat protocol developed by
<http://www.cyan.com> Cyan for use of its fans. It uses the TCP port 1812
for communication. A page describing the protocol is located at:
http://cho.cyan.com/chat/protocol1.html. Several exploits allow users to
conduct flooding of other users and create client connections that are not
visible to other users connected. These vulnerabilities can create havoc
in an, otherwise, friendly chat environment.


Quit Flood:
Use Telnet to connect to the sever on TCP port 1812 and repeatedly send
"15\n". This will flood the chat room with messages from a non-existent
username. This makes it possible to flood the server and the chat room,
disabling other users from the ability to chat. Users can use the Java
client to recreate the same affects, by repeatability clicking on the
"join/quit", but the username would be visible.

Invisible Character:
The normal chat Java chat client renders the hexadecimal number 0xA0
(decimal 160) as a space. This allows it to appear that there are two
users connected with the same name. A user named, "The World" and,
"The\160World" would both appear to be the same user, to other users. It
is impossible to tell which user is talking in the chat room. This same
exploit can also be used to flood a user or an entire chat room with this
single character, in affect, "clearing" the screens of all connected

Invisible User:
Connect to CC using Telnet. Login and send either "11\n" "21\n" "31\n" or
"35\n". The username you logged in with will no longer be sent out by the
server in its user list update. The client using this will also, no longer
receive the contents of what other users are saying in the chat room. The
client can now send message commands, but their username will not be
listed as online.

Vendor status:
Cyan was contacted on this matter on Sunday July 28th. They have informed
us of their intention to patch these bugs.


The information has been provided by <mailto:chip@force-elite.com> chip.


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.