Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19030
HistoryFeb 07, 2008 - 12:00 a.m.

Chat vulnerabilities in TinTin++ 1.97.9

2008-02-0700:00:00
vulners.com
18
JSON

#######################################################################

                         Luigi Auriemma

Application: TinTin++ / WinTin++
http://tintin.sourceforge.net
Versions: <= 1.97.9
Platforms: Windows, Linux and Mac
Bugs: A] chat buffer-overflow
B] chat YES NULL pointer
C] chat home folder empty files creation
Exploitation: remote
Date: 06 Feb 2008
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

TinTin++ is a well known MUD client.

#######################################################################

=======
2) Bugs

The #chat command available in TinTin++ binds a TCP port (4050 by
default) used to receive chat messages and files from the other
clients.

A] chat buffer-overflow

Exists a buffer-overflow vulnerability in add_line_buffer() where
word_wrap() makes the input string double due to conversion of line
feeds in CR/LF.
The way I have found to exploit this vulnerability is through the
chat_printf() function used for building of the
"Unterminated command: %d %s" string when the program receives data
without a 0xff delimiter.

TinTin++ handles the data received through read/recv (max 19000
chars) directly without waiting the entire data block as it was sent,
anyway the vulnerability has been successfully tested and confirmed on
Internet too.

B] chat YES NULL pointer

The presence of the line feed char in the "YES:" message is not
verified allowing an attacker to crash the TinTin++ program due to the
resulted NULL pointer.

From chat.c:

int process_chat_input(struct chat_data *buddy)

sep = strchr(buf, '\n');

        *sep++ = 0;
        ...

C] chat home folder empty files creation

TinTin++ can receive files from other people in the incoming folder
which by default is the home one (~ on Unix and %USERPROFILE% in
Windows) but naturally is needed that the user accepts the file for
receiving it.

The problem is that the file specified by the sender is created before
accepting or declining it so is possible for an attacker to overwrite
the existent files (subdirectories cannot be specified) with empty
ones.
For example is possible to clear the configuration files like .bashrc
or .inputrc or ntuser.ini and so on.

#######################################################################

===========
3) The Code

http://aluigi.org/poc/rintintin.zip

#######################################################################

======
4) Fix

No fix

#######################################################################

Luigi Auriemma
http://aluigi.org

JSON