Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11206
HistoryJan 27, 2006 - 12:00 a.m.

[ISecAuditors Advisories] Arbitrary flash code remote execution in 123flashchat

2006-01-2700:00:00
vulners.com
31

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-003

  • Original release date: January 12, 2006
  • Last revised: January 23, 2006
  • Discovered by: Jesus Olmos Gonzalez
  • Severity: 4/5
    =============================================

I. VULNERABILITY

Arbitrary flash code remote execution in 123flashchat.
Admin account scalation.

II. BACKGROUND

123 Flash Chat is a full featured java chat server and flash chat
client, the product homepage is www.123flashchat.com and it is
possible to test it at:

http://host10.123flaschat.com/123flaschat.swf
http://www.123flashchat.com/123flashchat.swf

III. DESCRIPTION

The flash chat client uses too much the eval sentence, in most of
cases there is vulnerable becouse there is included variables in the
eval, and users can change the value of them.

If we can write in a eval, we can inject code, if our user name has
the character ; we could write code inside the client.

If its possible to write code, a cracker can convet his user to an
admin by changing his variables. Is possible to inject to other
clients too.

let's see the vulnerable code:

function openOneAVWindow(username) {
var i = 0;
if (i < roomUsers.length) {
var user = roomUsers[i];
if (user.name == username)
{
if (eval("root.avmc" + user.name) == "")

if our username is:
x;user.name= a;user.name=ADMIN_AVATAR_NAME;//

the eval will be:
eval("_root.avmc_a;user.name=ADMIN_AVATAR_NAME;//");

and this will be executed when a window is opened:
user.name=ADMIN_AVATAR_NAME;

Is not possible a username with the " character, then is possible to
use the ADMIN_AVATAR_NAME constat wich value is "admin".

IV. PROOF OF CONCEPT

We have not exploited sucsessfuly, but there is the vulnerability.

V. BUSINESS IMPACT

VI. SYSTEMS AFFECTED

This vulnerability affects the 123flaschat server up to 5.1
(released on Dec 22, 2005)

VII. SOLUTION

No patch available yet.

VIII. REFERENCES

IX. CREDITS

This vulnerability has been discovered and reported by Jesus Olmos
Gonzalez (jolmos=at=isecauditors=dot=com).

X. REVISION HISTORY

January 13, 2006: Initial release.
Jaunary 23, 2006: Update the Vendor response.

XI. DISCLOSURE TIMELINE

January 04, 2006 The vulnerability discovered by Internet Security
Auditors.
January 13, 2006 Initial vendor notification sent.
January 23, 2006 Vendor confirm that this is corrected in v5.1_2 i

XII. LEGAL NOTICES