SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Instant Messaging/IRC/Chat)  >   ActivePost Vendors:   activepost.net
ActivePost Lets Remote Users Upload Arbitrary Files, Detemine Passwords, and Crash the System, and D
SecurityTracker Alert ID:  1011406
SecurityTracker URL:  http://securitytracker.com/id/1011406
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 24 2004
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of system information, Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 3.1 and prior versions
Description:   Luigi Auriemma reported a vulnerability in ActivePost. A remote user can upload files to arbitrary locations on the target system. A remote user can determine chat room passwords. A remote user can also cause the target service to crash.

It is reported that a remote user can exploit a directory traversal flaw in the file server feature on TCP port 6004 by specifying a filename containing '../' directory traversal characters to upload files to arbitrary locations. The server will disclose the actual path location.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/actpup.zip

It is also reported that a remote user can send a filename that is longer than 4074 characters to cause the file server to crash.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/actpboom.zip

It is also reported that when a remote user enters the conference menu, the server will send the plain-text passwords for password-protected chat rooms over the network to the remote user. The remote user can employ a network sniffer to obtain the passwords.

The vendor has been notified without response.

Impact:   A remote user can upload files to arbitrary locations on the target system with the privileges of the ActivePost service.

A remote user can determine chat room passwords.

A remote user can also cause the target service to crash.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.activepost.net/ (Links to External Site)
Cause:   Access control error, Exception handling error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple vulnerabilities in ActivePost Standard 3.1



#######################################################################

                             Luigi Auriemma

Application:  ActivePost Standard
              http://www.activepost.net
Versions:     <= 3.1
Platforms:    Windows
Bugs:         - File-Server crash
              - File-server directory traversal and path disclosure
              - conference password disclosure
Risk:         critical
Exploitation: remote, versus server
              (only the third bug affects clients too)
Date:         23 September 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


ActivePost Standard is an interesting communication program for
companies.
It is constituited by the clients and a central server used for login,
messaging, chat, files transfer and conferences.


#######################################################################

=======
2) Bugs
=======


--------------------
A] File-Server crash
--------------------

The file-server runs on port 6004 and is used to upload files on the
server so they can be downloaded by the target users.
The problem is that an attacker is able to crash the file-server using
a filename longer than 4074 chars.
The file-server protocol is constituited by data blocks of 4104 bytes
and doesn't seem possible to cause more damage.


------------------------------------------------------
B] File-server directory traversal and path disclosure
------------------------------------------------------

This is the most critical vulnerability because lets an attacker to
upload malicious files everywhere in the disk on which is installed the
ActivePost server overwriting any existing file.
That happens exploiting a directory traversal bug in the name of the
file to upload using the slash char.
Example: /../../../windows/calc.exe
The complete real path in which the remote file has been written is
ever visible after each upload because this information is directly
sent by the server.


---------------------------------
C] conference password disclosure
---------------------------------

Everytime an user enters in the conference menu, the server sends all
the informations of the available rooms included the plain-text
passwords of those protected.
Check the following example data received from the server:

 4703 0000 0000 0000 0000 0000 0000 0000  G...............
 0000 0000 0a72 6f6f 6d20 7469 746c 6500  .....room title.
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0001 3100  ..............1.
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0e73 6563 7265 7470 6173 7377 6f72  ...secretpasswor <===
 6400 0000 0000 0000 0000 0000 0000 0000  d...............
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0003 3832  ..............82
 3100 0000 0000 0000 0000 0000 0000 0000  1...............
 0000 0138 0000 0000 0000 0000 0000 0000  ...8............
 0000 0000 0000 0017 6465 7363 7269 7074  ........descript
 696f 6e20 6f66 2074 6865 2072 6f6f 6d00  ion of the room.
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000                                ....


#######################################################################

===========
3) The Code
===========


A] http://aluigi.altervista.org/poc/actpboom.zip

B] http://aluigi.altervista.org/poc/actpup.zip

C] launch a sniffer before entering in the conference menu


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC