Melange Chat会话层报头信息泄露漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1195918 漏洞类型 设计错误
发布时间 2006-02-28 更新时间 2007-08-27
CVE编号 CVE-2006-0917 CNNVD-ID CNNVD-200602-420
漏洞平台 N/A CVSS评分 2.1
|漏洞来源
https://cxsecurity.com/issue/WLB-2006020067
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200602-420
|漏洞详情
在通过web浏览器访问MelangeChatServer(即M-Chat)时,MelangeChatServer会将服务器的cookies和其他敏感信息自动发送到相关链接中指定的任意端口,从而可使该服务器上的本地用户通过设置侦听端口并在受害用户点击链接时读取凭证,而从HTTP报头中读取cookies,并可能获取敏感信息(如凭证)。
|漏洞EXP
A common problem has been found by many sites running the Melange Chat 
Server (Here on out states as m-chat). M-Chat is a simple IRC like chat 
program for private websites. it can be ran from a java script, by using 
the browser to connect to the host on port 6666 (hence 
www.host.com:6666). However this service also allows for a telnet 
session to be connect in order to use the server and here in lies the 
problem.

By logging into M-chat through a telnet connection, one is able to 
monitor the http connections comming in on that port. In most cases the 
person logging on using the browser based chat has their entire header 
displayed to any currently in a raw telnet session. Below is a a short 
article of this big being put into se on a effect hack.

Source: http://www.oh2600.com/forum/viewtopic.php?t=43

By: Nexus

Background:

What is Aimforum.com?

Aimforum.com Is/Was a rather popular America Online Instant Messanger 
Forum. The site has a large gathering of rather intelligent young kids. 
However the forum is now seeing hard time......

Why was it hacked?

As such would happen AimForum.com's new onwer did not see eye to eye 
with the older vetern members of the Forum. The forum, which was a 
underground forum talking about "illegal AIM" activities was converted 
over to a open public system with no illegal posts or chatter were 
permitted, was bound to cause conflict. After many many member being 
banned a few people had decided to take the matter witihin their own 
hands and prove a point, which would lead to a call to the 
FBI........here is how it was done

Many sites today run a low level chat system known as Melange Chat, 
better known as M-Chat which server as a simple inner site IRC server. 
Aimforum.com is no different in this matter. A major flaw with M-chat is 
that when it is access via a web browser it displays critical cookie 
information to anyone witin the server. By simply telneting to 
www.site.com:6666 <http://www.site.com:6666> one can site within the 
telnet session and wait.......

Step One: Setting the trap

The "Hackers" logged into the M-Chat via telnet. They sat and waited for 
their target to get online.......Now once the Admin was online, a simple 
IM to him offering a link to www.aimforum.com:6666 
<http://www.aimforum.com:6666> was all that was needed, the admin was 
sent right to the M-chat port and this cookie and browser header was 
then displayed within the M-chat channel.

Step Two: Putting the information to use.

Now that they aquired the admin's header information, it was time for 
them to put things into action. They husseled to their firefox directory 
(as it was a firefox cookie) and cleared their entire cookie cache, then 
would open Firefox, and log into aimforum.com with their own( or a 
hacked, didn't matter) account. This would allow them to get the cookie 
set. Once the cookie was grabbed they closed firefox, openned the cookie 
file and edited the "bbuser" field from 3315(which is the normal user 
level) to 419, i think it was(which is the admin user level) and then 
changed the "bbhash" from whatever it was they had to the admins hash. 
Now with this all done they now have the same cookie information as the 
targeted admin did.....It was time for the third and final step

Step Three: Executing the Hack

Having the same cookie information as the said Admin, they simply only 
needed to open their Firefox, and direct themselves back to 
www.aimforum.com. <http://www.aimforum.com.> And in the instant was 
greeted with the "Welcome [Username Removed]" They were in....

Now from here they could have done anything, a simple new thread to say 
"blah blah you were explioted" or anything else to prove their point and 
get out....But they decided to take a more Destructive approch to their 
plans. As the small team of kids went through the newly hacked forum 
they began to delete threads, posts and information. Years of topics, 
and useful information was gone in minutes. From here the exploit was 
done and they felt satisfied, but it was not over, they had to prove 
even further that they were "l33t h3x0r d00ds" they created a new 
announcement on the forum which was dsiplayed on the front page 
annoucnign they(using their handles/usernames) had hacked and owned the 
forum.
|参考资料

来源:XF
名称:melange-chat-command-information-disclosure(24868)
链接:http://xforce.iss.net/xforce/xfdb/24868
来源:BID
名称:16747
链接:http://www.securityfocus.com/bid/16747
来源:BUGTRAQ
名称:20060221grabcookieinformationwithMelangeChatServer1.10
链接:http://www.securityfocus.com/archive/1/archive/1/425589/100/0/threaded
来源:MISC
链接:http://www.oh2600.com/forum/viewtopic.php?t=43
来源:SECUNIA
名称:18984
链接:http://secunia.com/advisories/18984
来源:SREASON
名称:463
链接:http://securityreason.com/securityalert/463