Broadcast crash in Chatman 1.5.1 RC1

From: Luigi Auriemma (aluigi_at_autistici.org)
Date: 09/27/04

  • Next message: David F. Skoll: "Re: Re:[3] Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding issue"
    Date: Mon, 27 Sep 2004 20:58:35 +0000
    To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com, full-disclosure@lists.netsys.com, vuln@secunia.com
    
    

    #######################################################################

                                 Luigi Auriemma

    Application: Chatman
                  http://www.vp-soft.com/software/chatman.php
    Versions: <= 1.5.1 RC1
    Platforms: Windows
    Bug: crash
    Risk: medium
    Exploitation: remote, broadcast
    Date: 27 September 2004
    Author: Luigi Auriemma
                  e-mail: aluigi@altervista.org
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    Chatman is an intranet application combining chat (in IRC style), files
    transfer and some games.

    #######################################################################

    ======
    2) Bug
    ======

    Each data block exchanged by Chatman is constituited by a 32 bits
    number used to identify the data size.

    The amount of memory specified by this number is immediately allocated
    but if it is too big (and so allocation fails) the program terminates
    automatically.

    Also if the program uses the TCP protocol is possible to crash any
    Chatman host in the LAN simply sending a "new user" broadcast packet,
    they will automatically connect to the attacker that can passively
    exploit the bug as described previously.

    #######################################################################

    ===========
    3) The Code
    ===========

    http://aluigi.altervista.org/poc/chatmanx.zip

    #######################################################################

    ======
    4) Fix
    ======

    No fix.
    Chatman is no longer supported.

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org


  • Next message: David F. Skoll: "Re: Re:[3] Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding issue"