Multiple Cyan Chat Exploits

From: chip (chip@force-elite.com)
Date: Fri Aug 02 2002 - 15:31:47 PDT


    + Summary +
    Several exploits allow users to flood other users and to create client 
    connections that are not visible to the other connected users.  These 
    vulnerabilities can create havoc in an otherwise friendly chat environment.
    
    + About Cyan Chat +
    Cyan Chat (CC) is a simple chat protocol developed by Cyan 
    [http://www.cyan.com] for use by its fans.  It uses TCP port 1812 for 
    communication. A page describing the protocol is located at: 
    http://cho.cyan.com/chat/protocol1.html
    
    The Java client, which has traditionally been the most common means of access, 
    is located at: http://cho.cyan.com/chat/standard/chat.html
    
    The main CC web site can be found at: http://cho.cyan.com/chat/
    
    + Vendor Contact +
    Cyan was contacted on this matter on Sunday July 28th.
    They have informed me of their intention to patch these bugs.
    
    
    + Quit Flood Exploit +
    Use Telnet to connect to the server on TCP port 1812 and repeatedly send "15\n".
    This will flood the chat room with quit messages from a non-existent user-name 
    (it appears to be the client connection number).  It is possible to flood the
    server this way, preventing other users from chatting.
    Users can also use the Java client and repeatedly click the "join/quit" button 
    to produce a similar effect, but the user-name submitted would be visible.
    
    + Invisible Character Exploit +
    The standard Java chat client renders the hexadecimal character 0xA0 
    (decimal 160) as a space. This makes it appear that two users are 
    connected with the same name.  A user named "The World" and one named 
    "The\160World" would both appear to other users to be the same user.  It is 
    impossible to tell which user is talking in the chat room.  This same exploit 
    has previously been used to flood a user or the entire chat room with this 
    single character repeated, in effect "clearing" the screens of all connected users.
    
    + Invisible User Exploit +
    Connect to CC using Telnet.  Log in and send either "11\n", "21\n", "31\n" or
    "35\n".  The user-name you logged in with will no longer be sent out by the server in 
    its user list update.  The client doing this will also no longer receive what 
    other users are saying in the chat room.  The client can still send message 
    commands, but its user-name is not listed as online.  A user can log in under 
    their normal name, and, if a previously made invisible client is already connected 
    and has logged in as that name, it can appear to talk as that user.  An example 
    (Win32 client) that automates this, which was
    written by Kyle Devies [kdeviesat_private], is available at:
    http://force-elite.com/~chip/cc-ml-1.0.exe
    
    + Solutions +
    Cyan's chat server is a closed-source program without any binaries available for 
    download. A server written by Paul Querna [chip@force-elite.com] that 
    implements the CC protocol and is not vulnerable to these exploits is located 
    at: http://mhs.mead.k12.wa.us/~chip/chat/
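    The three bugs above share one server-side root cause: the server trusts whatever
    a connection sends, broadcasts quit notices for connections that never joined,
    accepts server-to-client command codes from clients, and compares nicknames byte
    for byte.  The following is an added example of the server-side checks that close
    each of them; it is not the server linked above nor any Cyan code.  It assumes a
    line-oriented protocol where each line starts with a two-digit command code.  The
    only codes taken from this advisory are 15 (client quit) and 11/21/31/35
    (server-to-client traffic a client should never send); the codes 10 (login) and
    30 (public message), the 20-character name limit and the 5-commands-per-2-seconds
    flood threshold are assumptions made for the example.

```python
import time
import unicodedata
from collections import deque

# Command codes.  15 and the SERVER_ONLY set come from the advisory; the
# login and public-message codes are assumptions for this example.
CLIENT_LOGIN = "10"
CLIENT_QUIT = "15"
CLIENT_PUBLIC_MSG = "30"
CLIENT_CODES = {CLIENT_LOGIN, CLIENT_QUIT, CLIENT_PUBLIC_MSG}
SERVER_ONLY_CODES = {"11", "21", "31", "35"}

MAX_CMDS_PER_WINDOW = 5   # assumed flood threshold
WINDOW_SECONDS = 2.0
MAX_NAME_LEN = 20         # assumed name limit


def canonical_name(name):
    """Fold a nickname to the form used for uniqueness checks.
    NFKC maps U+00A0 (no-break space) to a plain space, so "The\xa0World"
    collides with "The World"; casefold() also catches "the world"."""
    return unicodedata.normalize("NFKC", name).casefold()


def name_is_displayable(name):
    """Accept only names whose every character renders as a visible glyph.
    Plain ASCII space is allowed; other separators (Z*) and controls/format
    characters (C*) such as 0xA0 are rejected before the name is ever stored."""
    if not name or len(name) > MAX_NAME_LEN or name != name.strip():
        return False
    return all(ch == " " or unicodedata.category(ch)[0] not in ("C", "Z")
               for ch in name)


class Connection:
    def __init__(self, conn_id):
        self.conn_id = conn_id
        self.name = None          # None until a login is accepted
        self.recent = deque()     # timestamps of recent commands


class HardenedChatServer:
    """Minimal command dispatcher; `events` stands in for what a real server
    would broadcast or log."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.conns = {}
        self.names = {}           # canonical name -> conn_id
        self.events = []

    def connect(self, conn_id):
        self.conns[conn_id] = Connection(conn_id)

    def _rate_limited(self, conn):
        now = self.clock()
        while conn.recent and now - conn.recent[0] > WINDOW_SECONDS:
            conn.recent.popleft()
        conn.recent.append(now)
        return len(conn.recent) > MAX_CMDS_PER_WINDOW

    def _drop(self, conn, reason):
        # A quit/part notice is only ever emitted for a connection that joined.
        if conn.name is not None:
            self.events.append(("part", conn.name, reason))
            self.names.pop(canonical_name(conn.name), None)
        self.conns.pop(conn.conn_id, None)

    def _login(self, conn, name):
        if conn.name is not None:
            return "already-logged-in"
        if not name_is_displayable(name):
            return "bad-name"
        key = canonical_name(name)
        if key in self.names:
            return "name-taken"
        conn.name, self.names[key] = name, conn.conn_id
        self.events.append(("join", name))
        return "ok"

    def handle_line(self, conn_id, line):
        """Dispatch one line; returns a short result tag."""
        conn = self.conns.get(conn_id)
        if conn is None:
            return "unknown-connection"
        if self._rate_limited(conn):          # quit-flood and any other flood
            self._drop(conn, "flood")
            return "dropped"
        code, arg = line[:2], line[2:].rstrip("\r\n")
        if code in SERVER_ONLY_CODES or code not in CLIENT_CODES:
            return "rejected"                 # login state is left untouched
        if code == CLIENT_LOGIN:
            return self._login(conn, arg)
        if conn.name is None:
            return "not-logged-in"            # no quit notice for a ghost name
        if code == CLIENT_QUIT:
            self._drop(conn, "quit")
            return "quit"
        self.events.append(("message", conn.name, arg))
        return "sent"


def demo():
    """Replay the three advisory scenarios against the hardened dispatcher."""
    t = [0.0]
    srv = HardenedChatServer(clock=lambda: t[0])
    srv.connect(1)
    srv.connect(2)
    srv.connect(3)
    out = {
        "login": srv.handle_line(1, "10The World"),
        "nbsp_name": srv.handle_line(2, "10The\xa0World"),   # invisible character
        "case_clash": srv.handle_line(2, "10the world"),
        "login2": srv.handle_line(2, "10Carrad"),
        "server_code": srv.handle_line(2, "35"),             # invisible-user attempt
        "users": srv.user_list() if hasattr(srv, "user_list") else
                 sorted(c.name for c in srv.conns.values() if c.name),
        "ghost_quit": srv.handle_line(3, "15"),              # quit flood, no login
    }
    out["flood"] = [srv.handle_line(3, "15") for _ in range(10)]
    out["events"] = list(srv.events)
    return out
```

    The order of checks matters: the rate limit runs before the code is even
    parsed, so a flood of any code drops the connection, and unknown or
    server-only codes return without touching login state, so the user list
    keeps advertising the name.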
    
    
    + Credit +
    Combined work of:
    Paul Querna - chip - chip@force-elite.com
    Matt Witkowski - The World - MJW2286at_private
    Matt Wallace - Carrad - carrad_of_dniat_private
    Kyle Devies - Myst Librarian - kdeviesat_private
    
    This archive was generated by hypermail 2b30 : Fri Aug 02 2002 - 16:08:13 PDT