[NEWS] Free Web Chat Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 08/11/04

  • Next message: SecuriTeam: "[TOOL] TraceProto - Traceroute Replacement" 
    To: list@securiteam.com
Date: 11 Aug 2004 18:05:39 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Free Web Chat Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    " <http://sourceforge.net/projects/freewebchat/> Free Web Chat is a chat
    applet designed to be used in a browser. It consists of a server and a
    client applet. You can have multiple rooms and unlimited user. You can
    also private message individuals. Right now the administration aspect is
    fairly minimal, but soon you will have a robust administration GUI to go
    along with the server as well as the ability to connect as an
    administrator remotely."

    The Free Web Chat server suffers from two denial of service
    vulnerabilities, one regarding an un-handled NullPointerException and
    another related to CPU resource consumption.

    DETAILS

    Vulnerable Systems:
     * Initial Release

    The chat server has an unchecked variable (in UserManager.java) that allow
    users to deny the chat service, in fact we are in presence of a
    NullPointerException not managed. The NullPointerException is located in
    the following method of UserManager.java:
    public void addUser( Socket sock )
       {
          User usr = new User(sock, this);
          String usrName = usr.getName();
          if (usrName != "" ) /* if used to check initialization */
                    /* it's an error */
          {
             /* wrong method call! */
             /* no checks for usrName != null */
             if (userHash.containsKey( usrName) )
             {
                usr.rejectUsername();
                return;
             }

             usr.sendRoomList(rmManager.getRoomList());
             
          (...)
       }

    As shown above the variable usrName is not checked so it may also be null
    but the method doesn't catch the exception that might be thrown -
    NullPointerException.

    Another issue is the server's inability to manage multiple connections
    from the same user. In such an event, the server will consume a lot more
    CPU resources than it normally should. There are two proof of concept
    packages that test these two vulnerabilities:
     * NullPointerException via usrName variable -
    <http://www.autistici.org/fdonato/poc/FreeWebChat[ir]DoS-poc.zip>
    http://www.autistici.org/fdonato/poc/FreeWebChat[ir]DoS-poc.zip
     * Multiple user connections CPU resource consumption -
    <http://www.autistici.org/fdonato/poc/FreeWebChat[ir]RC-poc.zip>
    http://www.autistici.org/fdonato/poc/FreeWebChat[ir]RC-poc.zip

    Workaround:
    As a workaround, replace the vulnerable function 'addUser()' with the
    following, corrected version and recompile:
    public void addUser( Socket sock )
       {
          User usr = new User(sock, this);
          String usrName = usr.getName();
          if (usrName != "" )
          {
                
             /* start fix */
             /* manage NullPointerException */
             try{
                    
                if (userHash.containsKey( usrName) )
                {
                   usr.rejectUsername();
                   return;
                }

             }catch(NullPointerException npe){
                usr.rejectUsername();
                return;
             }
             /* end fix */

             usr.sendRoomList(rmManager.getRoomList());
             userHash.put( usr.getName(), usr );
             rmManager.getDefaultRoom().addUser( usr );

             //start the reciever thread
             Thread t = new Thread(usr);
             t.start();
          }
        
       }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:fdonato@autistici.org>
    Donato Ferrante.
    The original article can be found at:
    <http://www.autistici.org/fdonato/advisory/FreeWebChatInitialRelease-adv.txt> http://www.autistici.org/fdonato/advisory/FreeWebChatInitialRelease-adv.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[TOOL] TraceProto - Traceroute Replacement"

    Relevant Pages