SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Instant Messaging/IRC/Chat)  >   Free Web Chat Vendors:   freewebchat.sourceforge.net
Free Web Chat Username Input Validation Error Lets Remote Users Deny Service
SecurityTracker Alert ID:  1010851
SecurityTracker URL:  http://securitytracker.com/id/1010851
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 4 2004
Impact:   Denial of service via network

Version(s): Initial Release
Description:   Donato Ferrante reported two vulnerabilities in Free Web Chat. A remote user can cause denial of service conditions on the target server.

It is reported that the server does not properly validate the usrName variable in 'UserManager.java' in the addUser() function. A remote user can trigger a null pointer exception that is not properly handled.

It is also reported that a remote user can open multiple connections to the target server from the same user to cause the service to consume excessive CPU resources.

Some demonstration exploits are available at:

http://www.autistici.org/fdonato/poc/FreeWebChat[ir]DoS-poc.zip
http://www.autistici.org/fdonato/poc/FreeWebChat[ir]RC-poc.zip

The vendor has reportedly been notified without response.

Impact:   A remote user can cause the chat service to crash. A remote user can also cause excessive CPU resource consumption on the target server.
Solution:   No solution was available at the time of this entry.

The author of the report has provided an unofficial patch for the 'UserManager.java' vulnerability. Replace the method addUser( Socket sock ) in UserManager.java, with the following patched method:

public void addUser( Socket sock )
{
User usr = new User(sock, this);
String usrName = usr.getName();
if (usrName != "" )
{

/* start fix */
/* manage NullPointerException */
try{

if (userHash.containsKey( usrName) )
{
usr.rejectUsername();
return;
}

}catch(NullPointerException npe){
usr.rejectUsername();
return;
}
/* end fix */

usr.sendRoomList(rmManager.getRoomList());
userHash.put( usr.getName(), usr );
rmManager.getDefaultRoom().addUser( usr );


//start the reciever thread
Thread t = new Thread(usr);
t.start();
}

}

Vendor URL:  freewebchat.sourceforge.net/ (Links to External Site)
Cause:   Exception handling error, State error
Underlying OS:  Java, Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple Vulnerabilities in Free Web Chat



                            Donato Ferrante


Application:  Free Web Chat
               http://sourceforge.net/projects/freewebchat/

Version:      Initial Release

Bugs:         Multiple Vulnerabilities

Date:         04-Aug-2004

Author:       Donato Ferrante
               e-mail: fdonato@autistici.org
               web:    www.autistici.org/fdonato



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bugs
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"Free Web Chat is a chat applet designed to be used in a browser.
It consists of a server and a client applet. You can have multiple
rooms and unlimited user. You can also private message individuals.
Right now the administration aspect is farily minimal, but soon you
will have a robust administration gui to go along with the server
as well as the ability to connect as an administrator remotely."



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
2. The bugs:
-------------

The chat server has two bugs:


[1] Denial Of Service

The chat server has an unchecked variable (in UserManager.java) that
allow users to deny the chat service, in fact we are in presence of
a NullPointerException not managed.


The NullPointerException is located in the following method of
UserManager.java:

       public void addUser( Socket sock )
       {
             User usr = new User(sock, this);
             String usrName = usr.getName();
             if (usrName != "" ) /* if used to check initialization */
                                 /* it's an error */
             {
                   /* wrong method call! */
                   /* no checks for usrName != null */
                   if (userHash.containsKey( usrName) )
                   {
                         usr.rejectUsername();
                         return;
                   }

                   usr.sendRoomList(rmManager.getRoomList());

             (...)
      }


as illustrated above the variable usrName is not checked so it may be
also null. Addictionally the method doesn't catch the exception that
may be thrown: NullPointerException.



[2] Resources Consumption

The chat server is unable to properly manage multiple connections
from the same user. In fact it will consume a lot of CPU resources.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerabilities:


[1]

    http://www.autistici.org/fdonato/poc/FreeWebChat[ir]DoS-poc.zip


[2]

    http://www.autistici.org/fdonato/poc/FreeWebChat[ir]RC-poc.zip



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

No fix.
The vendor has not answered to my signalations.


If you want you can fix the bug [1] by using my following patch.
To fix the bug [1] replace the method: addUser( Socket sock )
in UserManager.java, with the following patched method:

       public void addUser( Socket sock )
       {
             User usr = new User(sock, this);
             String usrName = usr.getName();
             if (usrName != "" )
             {
			
                   /* start fix */
                   /* manage NullPointerException */
                   try{
				
                         if (userHash.containsKey( usrName) )
                         {
                               usr.rejectUsername();
                               return;
                         }

                   }catch(NullPointerException npe){
                         usr.rejectUsername();
                         return;
                   }
                  /* end fix */

                   usr.sendRoomList(rmManager.getRoomList());
                   userHash.put( usr.getName(), usr );
                   rmManager.getDefaultRoom().addUser( usr );


                   //start the reciever thread
                   Thread t = new Thread(usr);
                   t.start();
            }
	
       }





xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx





 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC