Full Disclosure mailing list archives
Chatango Group Chat Web-Application Cross-Site Request Forgery Vulnerability
From: Kevin Killgore <kvkillgore () gmail com>
Date: Sun, 2 Jan 2011 21:32:26 -0600
<?KvK~
############################################################################
Chatango Group Chat Web-Application Cross-Site Request Forgery Vulnerability
############################################################################

++++++++++++++++++++++++
~Application Description
++++++++++++++++++++++++

Chatango is an organization that freely provides chat box services named "Chatango groups". These groups can be accessed either through a direct connection to the Chatango group's address or through a web page or blog that has chosen to embed the group chat application within its own HTML source. Chatango's group chat web-application is a Flex based Flash application. This web-application is commonly compared to other services such as "meebly" and "xat". Chatango groups have been created with a focus on a large variety of topics, and each group may contain hundreds of active visitors.

++++++++++++++++++++++++++
~Vulnerability Description
++++++++++++++++++++++++++

Most Chatango groups implement the automatic embedding of images, such that if one were to post "http://www.example.com/image.png" as a message, the image located at this address would be rendered as the message body. However, the application does not verify that the specified location actually contains an image, or even that it exists. Because the application can only distinguish a common hyperlink from an image to be embedded by the presence of a valid image file extension, it is possible to deceive the image loading script into believing that the provided link contains a valid image file simply by ensuring that the link ends with a valid image file extension. The application then attempts to load the provided address as an image whether or not it actually contains one. Due to this characteristic, the Chatango group web-application can be used as a vector for a variety of Cross-Site Request Forgery attacks.

This vulnerability was originally discovered using Mozilla Firefox as a web browser. However, as the vulnerable application is Flash based, this vulnerability should be applicable within any browser that is configured to allow the execution of Flash applications. It should be noted that though this vulnerability may be used as a URI injection vector, URI injection is limited by specific browser and operating system URI handler configuration settings.

There are primarily two parts to a malformed "image" location used to exploit this vulnerability. The first part, as in most CSRF exploits, is the address to be requested by the browser. The second is the file extension appendage scheme. The success of the scheme chosen depends primarily upon the preceding address, but the last few characters of the scheme MUST consist of a period followed by a valid image file extension. Valid image file extensions include common web image file extensions such as png, gif, jpg, jpeg, etc. Examples of possible malformed "image" locations, along with a brief description of each, follow. File extension appendage schemes are enclosed in brackets to make them easier to identify; the brackets would not be included in actual exploitation.

==Example 1: http://www.QuickUniqueVisits.org/[?x=.png]

In this example, www.QuickUniqueVisits.com would include this location in the message body of a post on a Chatango group, which would result in a seemingly blank post. However, this address would be loaded within the browser of each active visitor of the Chatango group, resulting in www.QuickUniqueVisits.com obtaining a number of unique visits equal to the number of the group's current active visitors, as well as any visitor who views the page within the next 35 posts, or any user who chooses to view previous posts including this message.

==Example 2: http://bank.com/transfer.do?acct=BOB&amount=100000[&junk=.jpg]

This example would be implemented in the same manner as the previous one. However, instead of simply generating quick unique visits, this address would transfer $100000 from the account of any user currently logged in at "bank.com" to BOB's account. The same rules in terms of persistence apply to this example, as they would in most cases.

==Example 3: http://smallurl.com/a1b2c3[/.gif] (http://smallurl.com/a1b2c3 = URIscheme:do(something);)

This final example demonstrates the use of URL shortening services to obfuscate URI locators other than HTTP so that the application may attempt to load third party applications through the visitor's browser. An example of such a case would be the obfuscation of the "mailto" URI in an attempt to access "Outlook Express" on a visitor's Windows computer, which may then lead to the exploitation of "Outlook Express", possibly including a method of obtaining remote code execution. As this vulnerability may be used as an attack vector for such exploits, and there does exist an (undisclosed) method of obtaining remote code execution via Outlook Express, this vulnerability as a whole should be considered fairly dangerous, as the most users I've witnessed in one group exceeded 2000. Also, there exist many more powerful URI schemes than "mailto", such as "telnet", which may establish a connection to a remote machine, Skype's "callto", which may initiate a Skype call to the specified number, and "javascript", which may be used to execute JavaScript functions within a visitor's browser. Luckily, URI schemes are filtered by most URL shortening services. Also, this sort of attack can be stopped in its tracks if the browser's URI handling rules are properly set. They can be configured in "about:config" for Mozilla Firefox, as well as in the Windows Registry Editor for other browsers.

+++++++++++
~Conclusion
+++++++++++

There exists the possibility of using this exploit as the basis for a Flash based DDoS script which uses Chatango groups as a zombification medium, among many other automated exploitation purposes. I've contacted Chatango in regards to this vulnerability some time ago; I've not received a responsive email. As far as I'm aware, all versions of the group chat application are vulnerable.

Original Document Location: http://xkvk.zzl.org/KvK-1.txt

~KvK?>
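For contrast, here is the extension-only test the advisory describes beside a stricter validator and a byte-level check, as an added example that is not part of the original post or of Chatango's code. The URL inputs in the test are the advisory's own three examples; the function names are assumed, and the bytes fed to sniff_image_type are assumed to come from a server-side fetch, so a visitor's browser never requests the posted address directly.

```python
import re
from urllib.parse import urlsplit

IMAGE_EXTENSIONS = ("png", "gif", "jpg", "jpeg")

# File signatures for the image types the advisory lists (jpg and jpeg share one).
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}

# Basename must start with a word character and end in ".<ext>", so a bare
# "/.gif" path segment does not qualify.
_IMAGE_NAME = re.compile(
    r"[\w-][\w.-]*\.(%s)" % "|".join(IMAGE_EXTENSIONS), re.IGNORECASE
)


def naive_is_image_url(url: str) -> bool:
    """The check the advisory describes: whatever ends in a period plus a
    known image extension is treated as an image, query strings included."""
    return url.lower().endswith(tuple("." + e for e in IMAGE_EXTENSIONS))


def hardened_is_image_url(url: str) -> bool:
    """Embed only absolute http(s) URLs whose path, not query or fragment,
    names an image file. Everything else is rendered as a plain hyperlink.
    Trade-off: this also rejects legitimate images served with a query string."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # mailto:, javascript:, telnet: etc. never reach the loader
    if parts.query or parts.fragment:
        return False  # the advisory's payloads hide the ".png" in the query
    basename = parts.path.rsplit("/", 1)[-1]
    return _IMAGE_NAME.fullmatch(basename) is not None


def sniff_image_type(data: bytes):
    """Second line of defence for bytes fetched server-side: trust the file
    signature, not the name. Returns 'png', 'gif', 'jpeg' or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None
```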