iChat 3.0 and below allow remote users to read arbitrary files.


[ http://www.rootshell.com/ ]

Date:         Wed, 9 Sep 1998 16:19:28 -0700
From:         Jon Beaton <jon@OCOL.COM>
Subject:      bug in iChat 3.0 (maybe others)

Hi,

The iChat (http://www.ichat.com/) ROOMS server runs as 'nobody', and on
port 4080 as default. From what I've noticed, it just uses http, and has
a bug which lets the following /../../../ be run on the URL using any web
browser.  For example, something like:

http://chat.server.com:4080/../../../etc/passwd

will display the passwd file. With this you can view any file on the
system that 'nobody' has access to. I was only able to test this on
version 3.0 of the software, and running on Solaris. I contacted the
company about this, all they said was that if you're using 3.0, you
should upgrade to 3.03 as soon as possible.  I don't even know if this
particular bug is fixed in that version. If you can try this on other
versions and OS's, I'd like to hear about the results.

Thanks,

Jon Beaton
jon@ocol.com
jbx @ Undernet
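
The traversal described in the post above, as an added example that is neither iChat's code nor the poster's: the naive document-root mapping that lets "/../../../etc/passwd" escape the root, a hardened resolver that refuses such requests (including percent-encoded forms such as "%2e%2e%2f"), and a scan over access-log lines that flags traversal attempts and shows which ones were actually served. The document root, the log lines and all function names are constructed for illustration.

```python
"""Added example (not iChat's code): path traversal in an HTTP file server.
Shows the flawed root+path mapping, a resolver that confines requests to
the document root, and a detector for traversal attempts in access logs.
Paths, log lines and names are constructed, not taken from the product."""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed document root; the real server's layout is not on the page.
DOCROOT = "/opt/ichat/htdocs"


def naive_resolve(docroot: str, url_path: str) -> str:
    """The flawed mapping: glue the request path onto the document root and
    hand the result to open(). Returns what the kernel would actually open,
    i.e. the path after the '..' components have been resolved."""
    return os.path.normpath(docroot + url_path)


def safe_resolve(docroot: str, url_path: str) -> Optional[str]:
    """Hardened mapping. Returns the filesystem path to serve, or None if
    the request must be refused."""
    # Decode percent-encoding exactly once, so "%2e%2e%2f" is seen as "../"
    # and cannot slip past a check that only looks at the raw bytes.
    path = unquote(urlsplit(url_path).path)
    # NUL bytes and backslashes have no place in a URL path; both are classic
    # ways to confuse a C string or a non-POSIX path routine.
    if "\x00" in path or "\\" in path:
        return None
    # Refuse any ".." segment outright rather than trying to clamp it.
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None
    root = os.path.normpath(docroot)
    full = os.path.normpath(os.path.join(root, *segments)) if segments else root
    # Defence in depth: even after the segment check, insist that the result
    # lies under the root. (In production, run os.path.realpath() on both
    # sides so that a symlink inside the root cannot point outside it.)
    if full != root and not full.startswith(root + os.sep):
        return None
    return full


# Constructed Common Log Format lines, modelled on the request in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Sep/1998:16:19:28 -0700] "GET /../../../etc/passwd HTTP/1.0" 200 1234
203.0.113.7 - - [09/Sep/1998:16:20:01 -0700] "GET /..%2f..%2f..%2fetc/shadow HTTP/1.0" 403 0
198.51.100.2 - - [09/Sep/1998:16:21:10 -0700] "GET /rooms/lobby.html HTTP/1.0" 200 5120
"""

# client, request path and status code out of a Common Log Format line
_REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')


def find_traversal_attempts(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (client, decoded path, status) for every request whose path
    contains a '..' segment after one round of percent-decoding. A 200 on
    such a line means the server actually served the file; a 403 means the
    attempt was refused."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.match(line)
        if not m:
            continue
        client, raw_path, status = m.group(1), m.group(2), int(m.group(3))
        decoded = unquote(urlsplit(raw_path).path)
        if ".." in decoded.split("/"):
            hits.append((client, decoded, status))
    return hits


if __name__ == "__main__":
    print("naive mapping opens:", naive_resolve(DOCROOT, "/../../../etc/passwd"))
    print("safe mapping returns:", safe_resolve(DOCROOT, "/../../../etc/passwd"))
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The resolver rejects any ".." segment instead of collapsing it, because browsers already normalise such paths before sending them, so a ".." that reaches the server is almost never legitimate. The log scan decodes once before checking, for the same reason the resolver does: a filter on the raw request string would miss "%2e%2e".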

-------------------------------------------------------------------------

Date:         Thu, 10 Sep 1998 09:56:43 +0200
From:         Renzo Toma <renzo@VERONICA.NL>
Subject:      Re: bug in iChat 3.0 (maybe others)

The host:4080/../../../etc/passwd bug has been fixed in 3.03 (checked for
the Solaris 2.5 version).

Cheers,

-Renzo

-------------------------------------------------------------------------

Date:         Thu, 10 Sep 1998 09:51:42 -0400
From:         Steve Kann <stevek@STEVEK.COM>
Subject:      Re: bug in iChat 3.0 (maybe others)

They (ichat) know about this problem, and have fixed it in versions
greater than 3.00.  It's a pretty stupid problem to have in the first
place, though.

What really irked me about this when I found out about it was this:

1) I found out about it as it was being exploited by an I-chat technical
support representative, who was using it to read certain configuration
files on my machine.  He wasn't necessarily being malicious, but he
_was_ accessing files on my machine, using a security flaw in their
software, without my consent.  Not exactly an experience that gives one
a "warm/fuzzy feeling".

2) They released a version 3.00 for Linux, but did not release a fixed
version for Linux.  So, users running it on Linux were forced to either
stop using it altogether, or live with the problem.  The third
possibility, running it in a protected chrooted environment, is what I
chose for the period of time that I needed to continue running the
software.  I figured that if they had this kind of bug, who knows how
many exploitable buffer overflows there are.

-SteveK

--
     Steve Kann - Horizon Live Distance Learning - 841 Broadway, Suite 502
 Personal:stevek@SteveK.COM  Business:stevek@HorizonLive.com  (212) 533-1775
    I do not want your product or service, and I do not want your money.
         Therefore, do not send me any information about them.
