SecurityTracker.com
Category:   Application (Instant Messaging/IRC/Chat)  >   ChatMan
Vendors:   Virtual Projects
ChatMan Input Validation Error Lets Remote Users Crash the Application
SecurityTracker Alert ID:  1011431
SecurityTracker URL:  http://securitytracker.com/id/1011431
CVE Reference:   CVE-2004-2151
Updated:  Jul 2 2005
Original Entry Date:  Sep 27 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.5.1 RC1 and prior versions
Description:   Luigi Auriemma reported a vulnerability in ChatMan. A remote user can cause the application to crash.

It is reported that a remote user can send a packet with a specially crafted packet size value to trigger a memory allocation error and cause the target service to crash.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/chatmanx.zip

Impact:   A remote user can cause the target service to crash.
Solution:   No solution was available at the time of this entry. The report indicates that ChatMan is no longer supported.
Vendor URL:  www.vp-soft.com/software/chatman.php
Cause:   Boundary error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Broadcast crash in Chatman 1.5.1 RC1



#######################################################################

                             Luigi Auriemma

Application:  Chatman
              http://www.vp-soft.com/software/chatman.php
Versions:     <= 1.5.1 RC1
Platforms:    Windows
Bug:          crash
Risk:         medium
Exploitation: remote, broadcast
Date:         27 September 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Chatman is an intranet application combining chat (in IRC style), file
transfer and some games.


#######################################################################

======
2) Bug
======


Each data block exchanged by Chatman is constituted by a 32-bit
number used to identify the data size.

The amount of memory specified by this number is immediately allocated
but if it is too big (and so allocation fails) the program terminates
automatically.

Also if the program uses the TCP protocol, it is possible to crash any
Chatman host in the LAN simply by sending a "new user" broadcast packet;
they will automatically connect to the attacker, who can passively
exploit the bug as described previously.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/chatmanx.zip


#######################################################################

======
4) Fix
======


No fix.
Chatman is no longer supported.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
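
The bug in section 2 is an allocation sized directly from a peer-supplied 32-bit field. As an added example (not code from the advisory, from ChatMan or from its vendor), the parser below bounds the declared size before allocating and reports allocation failure to the caller instead of terminating. The little-endian byte order, the 64 KiB cap and all names are assumptions.

```c
/* Added example: bounded handling of a 32-bit size-prefixed data block.
 * Assumptions (not from the advisory): little-endian size field,
 * a 64 KiB per-block cap, and every identifier below. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCK_SIZE (64u * 1024u)   /* assumed protocol limit */

enum block_status { BLOCK_OK, BLOCK_INCOMPLETE, BLOCK_TOO_LARGE, BLOCK_NO_MEMORY };

/* Decode the 4-byte size prefix byte by byte (no alignment assumptions). */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one block from buf[0..len). On BLOCK_OK, *payload is a malloc'd copy
 * of the data (caller frees), *payload_len its size, *consumed the bytes used. */
enum block_status parse_block(const unsigned char *buf, size_t len,
                              unsigned char **payload, uint32_t *payload_len,
                              size_t *consumed)
{
    *payload = NULL; *payload_len = 0; *consumed = 0;

    if (len < 4)
        return BLOCK_INCOMPLETE;          /* size prefix not fully received */

    uint32_t declared = read_le32(buf);

    /* Reject before allocating: the peer controls this value. */
    if (declared > MAX_BLOCK_SIZE)
        return BLOCK_TOO_LARGE;

    /* Allocate only once the declared bytes have actually arrived. */
    if (len - 4 < declared)
        return BLOCK_INCOMPLETE;

    unsigned char *copy = malloc(declared ? declared : 1);
    if (copy == NULL)
        return BLOCK_NO_MEMORY;           /* drop the peer, keep the process */

    memcpy(copy, buf + 4, declared);
    *payload = copy;
    *payload_len = declared;
    *consumed = 4 + (size_t)declared;
    return BLOCK_OK;
}
```

A caller would close the connection on BLOCK_TOO_LARGE or BLOCK_NO_MEMORY and keep buffering on BLOCK_INCOMPLETE.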
 
 



Copyright 2020, SecurityGlobal.net LLC