[ISecAuditors Advisories] Arbitrary flash code remote execution in 123fl

Subject: [ISecAuditors Advisories] Arbitrary flash code remote execution in 123flashchat
Date: Tue, 24 Jan 2006 10:37:36 +0100
=============================================
INTERNET SECURITY AUDITORS ALERT 2006-003
- Original release date: January 12, 2006
- Last revised: January 23, 2006
- Discovered by: Jesus Olmos Gonzalez
- Severity: 4/5
=============================================

I. VULNERABILITY
-------------------------
Arbitrary flash code remote execution in 123flashchat.
Admin account escalation.


II. BACKGROUND
-------------------------
123 Flash Chat is a full-featured Java chat server and Flash chat
client. The product homepage is www.123flashchat.com, and it is
possible to test it at:

http://host10.123flaschat.com/123flaschat.swf
http://www.123flashchat.com/123flashchat.swf


III. DESCRIPTION
-------------------------
The Flash chat client makes heavy use of the eval statement. In most
cases this is vulnerable because variables are included in the
eval, and users can change their values.

If we can write into an eval, we can inject code: if our user name
contains the ; character, we can write code inside the client.

If it is possible to write code, a cracker can convert his user into an
admin by changing its variables. It is possible to inject into other
clients too.

Let's look at the vulnerable code:

function openOneAVWindow(username) {
        var i = 0;
        if (i < roomUsers.length)    {
                var user = roomUsers[i];
                if (user.name == username)
                {
                        if (eval("_root.avmc_" + user.name) == "")


if our username is:
      x;user.name= a;user.name=ADMIN_AVATAR_NAME;//

the eval will be:
      eval("_root.avmc_a;user.name=ADMIN_AVATAR_NAME;//");


and this will be executed when a window is opened:
user.name=ADMIN_AVATAR_NAME;

A username cannot contain the " character, so it is possible to
use the ADMIN_AVATAR_NAME constant, whose value is "admin".
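
The following is an added example, not code from 123flashchat or from the advisory's authors: a JavaScript model of the eval pattern described above next to a hardened lookup that treats the user name purely as data. The `root` object, the function names and the allowlist policy are assumptions made for illustration; only ADMIN_AVATAR_NAME and its value come from the advisory.

```javascript
// JavaScript model of the client-side pattern; names other than
// ADMIN_AVATAR_NAME are hypothetical and not taken from the product.
const ADMIN_AVATAR_NAME = "admin"; // value stated in the advisory

// Assumed policy: letters, digits and underscore only, 1 to 32 characters.
const SAFE_NAME = /^[A-Za-z0-9_]{1,32}$/;

function isSafeUserName(name) {
  return typeof name === "string" && SAFE_NAME.test(name);
}

// Vulnerable shape: the user name becomes part of the evaluated source text.
function lookupWithEval(root, user) {
  return eval("root.avmc_" + user.name);
}

// Hardened shape: the name is validated, then used only as a property key.
function lookupByKey(root, user) {
  if (!isSafeUserName(user.name)) {
    throw new RangeError("rejected user name");
  }
  const key = "avmc_" + user.name;
  return Object.prototype.hasOwnProperty.call(root, key) ? root[key] : undefined;
}

// Constructed sample data: two window slots and a name shaped like the
// one in the advisory.
function demo() {
  const root = { avmc_alice: "", avmc_a: "" };
  const hostile = "a;user.name=ADMIN_AVATAR_NAME;//";

  const evalUser = { name: hostile };
  lookupWithEval(root, evalUser); // the name is parsed as statements

  const keyUser = { name: hostile };
  let rejected = false;
  try {
    lookupByKey(root, keyUser);
  } catch (e) {
    rejected = e instanceof RangeError;
  }

  return {
    afterEval: evalUser.name, // changed by the evaluated string
    afterKey: keyUser.name,   // unchanged: the name was never executed
    rejected,
    legit: lookupByKey(root, { name: "alice" }),
  };
}
```

The same allowlist check belongs on the server at login or registration, so that a name containing ; never reaches other clients.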


IV. PROOF OF CONCEPT
-------------------------
We have not exploited it successfully, but the vulnerability is there.


V. BUSINESS IMPACT
-------------------------
 -


VI. SYSTEMS AFFECTED
-------------------------
This vulnerability affects the 123flashchat server up to 5.1
(released on Dec 22, 2005)


VII. SOLUTION
-------------------------
No patch available yet.

VIII. REFERENCES
-------------------------
 -

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Jesus Olmos
Gonzalez (jolmos=at=isecauditors=dot=com).


X. REVISION HISTORY
-------------------------
January 13, 2006: Initial release.
January 23, 2006: Updated the vendor response.

XI. DISCLOSURE TIMELINE
-------------------------
January 04, 2006    The vulnerability discovered by Internet Security
Auditors.
January 13, 2006    Initial vendor notification sent.
January 23, 2006    Vendor confirms that this is corrected in v5.1_2 i

XII. LEGAL NOTICES
-------------------------
-
