Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key).	Free Web Chat Multiple Vulnerabilities 11 Aug. 2004    Summary "Free Web Chat is a chat applet designed to be used in a browser. It consists of a server and a client applet. You can have multiple rooms and unlimited user. You can also private message individuals. Right now the administration aspect is fairly minimal, but soon you will have a robust administration GUI to go along with the server as well as the ability to connect as an administrator remotely." The Free Web Chat server suffers from two denial of service vulnerabilities, one regarding an un-handled NullPointerException and another related to CPU resource consumption.   Credit: The information has been provided by Donato Ferrante. The original article can be found at: http://www.autistici.org/fdonato/advisory/FreeWebChatInitialRelease-adv.txt Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Initial Release The chat server has an unchecked variable (in UserManager.java) that allow users to deny the chat service, in fact we are in presence of a NullPointerException not managed. The NullPointerException is located in the following method of UserManager.java: public void addUser( Socket sock )    {       User usr = new User(sock, this);       String usrName = usr.getName();       if (usrName != "" ) /* if used to check initialization */                 /* it's an error */       {          /* wrong method call! */          /* no checks for usrName != null */          if (userHash.containsKey( usrName) )          {             usr.rejectUsername();             return;          }          usr.sendRoomList(rmManager.getRoomList());                 (...)    } As shown above the variable usrName is not checked so it may also be null but the method doesn't catch the exception that might be thrown - NullPointerException. Another issue is the server's inability to manage multiple connections from the same user. In such an event, the server will consume a lot more CPU resources than it normally should. There are two proof of concept packages that test these two vulnerabilities:  * NullPointerException via usrName variable - http://www.autistici.org/fdonato/poc/FreeWebChat[ir]DoS-poc.zip  * Multiple user connections CPU resource consumption - http://www.autistici.org/fdonato/poc/FreeWebChat[ir]RC-poc.zip Workaround: As a workaround, replace the vulnerable function 'addUser()' with the following, corrected version and recompile: public void addUser( Socket sock )    {       User usr = new User(sock, this);       String usrName = usr.getName();       if (usrName != "" )       {                       /* start fix */          /* manage NullPointerException */          try{                              if (userHash.containsKey( usrName) )             {                usr.rejectUsername();                return;             }          }catch(NullPointerException npe){             usr.rejectUsername();             return;          }          /* end fix */          usr.sendRoomList(rmManager.getRoomList());          userHash.put( usr.getName(), usr );          rmManager.getDefaultRoom().addUser( usr );          //start the reciever thread          Thread t = new Thread(usr);          t.start();       }         }  Comments:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles LedgerSMB Multiple Vulnerabilities Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability Piwik Cookie Unserialize Vulnerability Invision Power Board SQL PHP File Inclusion and SQL Injection U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability DevIL DICOM Buffer Overflow Vulnerability Marvell Driver Multiple Information Element Overflows HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution HP Color LaserJet Printers Unauthorized Access to Data and DoS KDE KDELibs Remote Array Overrun with Arbitrary Code Execution Gimp BMP Image Parsing Integer Overflow Vulnerability Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation WordPress Unrestricted File Upload Arbitrary PHP Code Execution Atheros Driver Reserved Frame DoS Vulnerability McAfee Security Manager Authentication Bypass and Session Hijacking Vulnerability  Featured Articles Microsoft Embedded OpenType Font Engine Heap Buffer Overflow (MS09-029) Virtualmin Multiple Vulnerabilities Microsoft WordPad Word97 Converter Stack Buffer Overflow Vulnerability (MS09-010) WordPress Unchecked Privileges in admin.php and Multiple Information Disclosures Microsoft PowerPoint Conversion Filter Heap Corruption Vulnerability (MS09-017) Adobe Shockwave Player Director File Parsing Pointer Overwrite Mozilla Firefox Java Applet Loading Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®