Multiple Cyan Chat Exploits
Date: Fri, 2 Aug 2002 15:31:47 -0700
From: chip <chip@force-elite.com>
To: bugtraq <bugtraq@securityfocus.com>
Subject: Multiple Cyan Chat Exploits
+ Summary +
Several exploits allow users to flood other users and to create client connections
that are invisible to the other connected users. These vulnerabilities can create
havoc in an otherwise friendly chat environment.
+ About Cyan Chat +
Cyan Chat (CC) is a simple chat protocol developed by Cyan
[http://www.cyan.com] for use by its fans. It communicates over TCP port 1812.
A page describing the protocol is located at:
http://cho.cyan.com/chat/protocol1.html
The Java client, which has traditionally been the most common means of access,
is located at: http://cho.cyan.com/chat/standard/chat.html
The main CC web site can be found at: http://cho.cyan.com/chat/
+ Vendor Contact +
Cyan was contacted on this matter on Sunday July 28th.
They have informed me of their intention to patch these bugs.
+ Quit Flood Exploit +
Use Telnet to connect to the server on TCP port 1812 and repeatedly send "15\n".
This floods the chat room with quit messages from a user-name that does not exist
(it appears to be the client's connection number); in other words, the server
broadcasts a quit notice for a connection that never logged in. It is possible to
flood the server badly enough that other users can no longer chat.
Users can also use the Java client and repeatedly click the "join/quit" button
to produce a similar effect, but in that case the submitted user-name is visible.
+ Invisible Character Exploit +
The standard Java chat client renders the byte 0xA0 (decimal 160, a non-breaking
space) as an ordinary space. This makes it possible for two connected users to
appear to have the same name: to other users, "The World" and "The\160World" both
display as "The World," and it is impossible to tell which of the two is talking in
the chat room. The same character has previously been used to flood a user, or the
entire chat room, with a message consisting of nothing but this one character
repeated, in effect "clearing" the screens of all connected users.
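The following is an added example of the name hygiene a server can apply against the
0xA0 look-alike trick; it is not code from the advisory or from Cyan. It shows two
checks: a strict allow-list that rejects such names at login, and a canonical
("what the viewer sees") form that catches visual duplicates and blank-looking
messages even if a wider character set were allowed. The latin-1 wire encoding and
the 20-character name limit are assumptions for this example, not facts from the
advisory.

```python
"""Display-name hygiene for a chat server, as a defence against the 0xA0
look-alike trick: a 0xA0 byte renders as a space, so "The<0xA0>World" looks
identical to "The World".  Two checks are shown: an allow-list that rejects
such names at login, and a canonical form that catches visual duplicates
(and blank-looking messages) even when a wider character set is allowed.
Assumed, not from the advisory: names arrive latin-1 encoded, and the
20-character length limit."""
import unicodedata

MAX_NAME_LEN = 20   # assumed limit for this example


def decode_wire(raw: bytes) -> str:
    """Decode a raw name/message field; latin-1 maps byte 0xA0 to U+00A0."""
    return raw.decode("latin-1")


def accept_name(name: str) -> bool:
    """Strict allow-list: printable ASCII only, not blank, bounded length.
    Rejects 0xA0 (and every other non-ASCII or control character) outright."""
    return (0 < len(name) <= MAX_NAME_LEN
            and all(0x20 <= ord(c) <= 0x7E for c in name)
            and name.strip() != "")


def canonical_name(text: str) -> str:
    """Reduce text to what a viewer actually sees: NFKC-normalise (this maps
    U+00A0 to U+0020), turn every whitespace, control or format code point
    into a plain space, collapse runs, trim, and case-fold."""
    folded = unicodedata.normalize("NFKC", text)
    chars = [" " if ch.isspace() or unicodedata.category(ch) in ("Zs", "Cc", "Cf")
             else ch for ch in folded]
    return " ".join("".join(chars).split()).casefold()


def name_collides(new_name: str, existing_names) -> bool:
    """True if new_name would be indistinguishable from a name already online."""
    taken = {canonical_name(n) for n in existing_names}
    return canonical_name(new_name) in taken


def is_visually_blank(message: str) -> bool:
    """True for a message that renders as nothing but blank space, such as a
    long run of 0xA0 used to 'clear' everyone's screen."""
    return canonical_name(message) == ""


def check_login(raw_name: bytes, online) -> str:
    """Combined decision a server can make at login time."""
    name = decode_wire(raw_name)
    if not accept_name(name):
        return "reject:disallowed-characters"
    if name_collides(name, online):
        return "reject:looks-like-existing-user"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: two users online, four login attempts.
    online = ["The World", "Carrad"]
    for raw in (b"The World", b"The\xa0World", b"the  world", b"Myst Librarian"):
        print(repr(raw), "->", check_login(raw, online))
```

The allow-list alone closes the 0xA0 case; the canonical form is what keeps
"the  world" (doubled space, different case) from passing as a second "The World"
and gives a cheap test for the all-0xA0 screen-clearing message.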
+ Invisible User Exploit +
Connect to CC using Telnet, log in, and then send any one of "11\n", "21\n", "31\n"
or "35\n". The user-name you logged in with will no longer be sent out by the server
in its user-list updates, and the client will also stop receiving what other users
say in the chat room. The client can still send message commands, but its user-name
is not listed as online. If such an invisible client is already connected and logged
in under a given name, a user who later logs in under that same name can be
impersonated: the invisible client appears to talk as that user. An example Win32
client that automates this, written by Kyle Devies [kdevies@neo.rr.com], is
available at:
http://force-elite.com/~chip/cc-ml-1.0.exe
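The following added example is a command handler that closes the holes described in
both the "Quit Flood" and the "Invisible User" sections; it is illustrative code
written for this page, not the advisory's, Cyan's, or the replacement server's code.
A quit ("15") from a connection that never logged in is dropped instead of being
broadcast, the four codes the advisory lists ("11", "21", "31", "35") are rejected
when a client sends them so they can never alter session state, and a per-connection
rate limit plus strike counter bounds floods. Everything about the wire format beyond
what the advisory shows is an assumption made for the example: one newline-terminated
line per command starting with a two-digit code, "10" as login, "20" as private
message, "30" as public message, latin-1 encoding, and all the numeric limits.

```python
"""Command handler for a Cyan Chat style server hardened against the
"Quit Flood" and "Invisible User" behaviours: a quit (15) before login is
dropped, not broadcast; server-to-client codes (11, 21, 31, 35) are rejected
when a client sends them; a sliding-window rate limit and a strike counter
bound floods.

Assumed, not from the advisory: one newline-terminated line per command
beginning with a two-digit code; 10 = login, 20 = private message,
30 = public message; latin-1 on the wire; all numeric limits."""
import time
from collections import deque

SERVER_ONLY = {"11", "21", "31", "35"}   # named in the advisory; never valid from a client
LOGIN, QUIT, PRIVMSG, PUBMSG = "10", "15", "20", "30"   # 15 from the advisory, rest assumed


class Session:
    """Per-connection state; name stays None until a login is accepted."""
    def __init__(self):
        self.name = None
        self.stamps = deque()   # times of recently accepted commands
        self.strikes = 0        # dropped commands; too many -> disconnect


class ChatServer:
    def __init__(self, max_cmds=5, window=10.0, max_strikes=20, clock=time.monotonic):
        self.max_cmds, self.window = max_cmds, window
        self.max_strikes, self.clock = max_strikes, clock
        self.users = {}         # display name -> Session (exact-match names only)
        self.outbox = []        # what would be broadcast; kept so it can be inspected

    def _drop(self, s, reason):
        s.strikes += 1
        return "disconnect" if s.strikes >= self.max_strikes else "drop:" + reason

    def _allow(self, s):
        """Sliding-window limit on accepted commands per connection."""
        now = self.clock()
        while s.stamps and now - s.stamps[0] > self.window:
            s.stamps.popleft()
        if len(s.stamps) >= self.max_cmds:
            return False
        s.stamps.append(now)
        return True

    def handle(self, s, raw: bytes) -> str:
        line = raw.decode("latin-1").rstrip("\r\n")
        if len(line) < 2 or not line[:2].isdigit():
            return self._drop(s, "malformed")
        code, payload = line[:2], line[2:]
        if code in SERVER_ONLY:                  # the "Invisible User" trigger
            return self._drop(s, "server-only-code")
        if code == LOGIN:
            name = payload.strip()
            if s.name is not None or not name or name in self.users:
                return self._drop(s, "bad-login")
            if not self._allow(s):
                return self._drop(s, "rate-limited")
            s.name = name
            self.users[name] = s
            self.outbox.append(("35", sorted(self.users)))   # user-list update
            return "login"
        if s.name is None:                       # the "Quit Flood" trigger: 15 before login
            return self._drop(s, "not-logged-in")
        if not self._allow(s):
            return self._drop(s, "rate-limited")
        if code == QUIT:
            del self.users[s.name]
            self.outbox.append(("quit", s.name))
            s.name = None
            return "logout"
        if code in (PRIVMSG, PUBMSG):
            self.outbox.append((code, s.name, payload))
            return "message"
        return self._drop(s, "unknown-code")


def demo():
    """Constructed scenario: an attacker and a victim against the handler.
    Returns (per-command outcomes, broadcast log) so both can be checked."""
    clock = [0.0]
    srv = ChatServer(max_cmds=3, window=10.0, clock=lambda: clock[0])
    attacker, victim = Session(), Session()
    steps = [
        (attacker, b"15\n"),             # quit without login: dropped, nothing broadcast
        (victim, b"10The World\n"),      # normal login
        (attacker, b"11\n"),             # server-only code from a client: dropped
        (attacker, b"10The World\n"),    # name already online: dropped
        (victim, b"30hello\n"),          # 2nd accepted command in window
        (victim, b"30hello\n"),          # 3rd
        (victim, b"30hello\n"),          # 4th within 10 s: rate-limited
    ]
    results = [srv.handle(s, raw) for s, raw in steps]
    clock[0] = 11.0                      # window has passed
    results.append(srv.handle(victim, b"15\n"))
    return results, srv.outbox


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The ordering in handle() is the point: the server-only codes are rejected before any
state is touched, and every command other than login is refused until the session has
a name, so an unauthenticated "15" never reaches the broadcast path. The injected
clock exists only so the rate limiter can be exercised deterministically.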
+ Solutions +
Cyan's chat server is a closed-source program, and no binaries are available for
download. A server written by Paul Querna [chip@force-elite.com] that implements
the CC protocol and is not vulnerable to these exploits is located at:
http://mhs.mead.k12.wa.us/~chip/chat/
+ Credit +
Combined work of:
Paul Querna - chip - chip@force-elite.com
Matt Witkowski - The World - MJW2286@hotmail.com
Matt Wallace - Carrad - carrad_of_dni@yahoo.com
Kyle Devies - Myst Librarian - kdevies@neo.rr.com