The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Free Web Chat Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
" <http://sourceforge.net/projects/freewebchat/> Free Web Chat is a chat
applet designed to be used in a browser. It consists of a server and a
client applet. You can have multiple rooms and unlimited user. You can
also private message individuals. Right now the administration aspect is
fairly minimal, but soon you will have a robust administration GUI to go
along with the server as well as the ability to connect as an
administrator remotely."
The Free Web Chat server suffers from two denial of service
vulnerabilities, one regarding an un-handled NullPointerException and
another related to CPU resource consumption.
DETAILS
Vulnerable Systems:
* Initial Release
The chat server has an unchecked variable (in UserManager.java) that allow
users to deny the chat service, in fact we are in presence of a
NullPointerException not managed. The NullPointerException is located in
the following method of UserManager.java:
public void addUser( Socket sock )
{
User usr = new User(sock, this);
String usrName = usr.getName();
if (usrName != "" ) /* if used to check initialization */
/* it's an error */
{
/* wrong method call! */
/* no checks for usrName != null */
if (userHash.containsKey( usrName) )
{
usr.rejectUsername();
return;
}
usr.sendRoomList(rmManager.getRoomList());
(...)
}
As shown above the variable usrName is not checked so it may also be null
but the method doesn't catch the exception that might be thrown -
NullPointerException.
Another issue is the server's inability to manage multiple connections
from the same user. In such an event, the server will consume a lot more
CPU resources than it normally should. There are two proof of concept
packages that test these two vulnerabilities:
* NullPointerException via usrName variable -
<http://www.autistici.org/fdonato/poc/FreeWebChat[ir]DoS-poc.zip>
http://www.autistici.org/fdonato/poc/FreeWebChat[ir]DoS-poc.zip
* Multiple user connections CPU resource consumption -
<http://www.autistici.org/fdonato/poc/FreeWebChat[ir]RC-poc.zip>
http://www.autistici.org/fdonato/poc/FreeWebChat[ir]RC-poc.zip
Workaround:
As a workaround, replace the vulnerable function 'addUser()' with the
following, corrected version and recompile:
public void addUser( Socket sock )
{
User usr = new User(sock, this);
String usrName = usr.getName();
if (usrName != "" )
{
/* start fix */
/* manage NullPointerException */
try{
if (userHash.containsKey( usrName) )
{
usr.rejectUsername();
return;
}
}catch(NullPointerException npe){
usr.rejectUsername();
return;
}
/* end fix */
usr.sendRoomList(rmManager.getRoomList());
userHash.put( usr.getName(), usr );
rmManager.getDefaultRoom().addUser( usr );
//start the reciever thread
Thread t = new Thread(usr);
t.start();
}
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:fdonato@autistici.org>
Donato Ferrante.
The original article can be found at:
<http://www.autistici.org/fdonato/advisory/FreeWebChatInitialRelease-adv.txt>
http://www.autistici.org/fdonato/advisory/FreeWebChatInitialRelease-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
