Realchat user impersonation - BSA 200506110001

[Andreas Beck <becka-list-bugtraq () bedatec de>]

Bedatec Security Advisory 200506110001
--------------------------------------

Discovered       : 2005-06-06
Vendor notified  : 2005-06-11
Release date     : 2005-06-23
PoC release      : around 2005-07-23
Author           : Andreas Beck <becka-sav () bedatec de>
Application      : Realchat 
Severity         : Insecure logon handling allows to impersonate any user
                   Insecure logon handling allows efficient Spambots.
                   Strange semantics of the /me command may cause minor
                   privacy breach.
Risk             : Medium (no extra privileges gained, but other users may
                   be deceived about the identity)
Vendor           : http://www.realchat.com/
Vendor status    : Vendor notified
Vendor statement : Missing feature. Will be rectified by a release that has
                   a server side user database.
Affected Versions: At least Version 3.5.1b is affected.
CVE reference    : none.


Overview:
---------

Realchat is a popular Java-Client based Chat Software used in quite some
Web communities.

Its logon-Protocol is completely unauthenticated, allowing to impersonate
any user. It is not yet clear, if it could also be exploited to gaining
administrative privileges. According to some webdesigners using the chat,
admin privileges are secured using a password mechanism. However it is
unclear how effective it is.

On a sidenote, using the "/me" command in a private chat session causes 
the Text to appear in the main Chatroom, possibly giving away private 
information.


Details:
--------

While designing an alternate chat client (the Java client is far too
heavyweight for me), I discovered, that the protocol doesn't seem to 
have any authentication.

By modifying the custom chat client to send another username, it was
possible to log on as any user.

However this kind of spoofing is often rather easy to spot, if we are
dealing with administrative accounts, as Realchat uses avatars in its 
userlist, which usually differ for admins.

However this is as well easily spoofed, as the number of the avatar
is spoofable in the same way.


Proof of concept/How to reproduce:
----------------------------------

Method 1) 

Capture the start of a Chat session.
Replay it, but replace the Username with one of the same length.
Same for the avatar number.

Details on how to do further changes (other length usernames, etc)
in the PoC-Code.


Method 2)

Use a suitable Proxy to modify the page that sets up the chat window or
save it locally and modify it. 

PoC Code:
---------

We have a simple working Chatclient that allows to use any username (even
very long names) and any avatar as well as any smiley as an avatar.
There is no support for changing rooms or starting private chat sessions
yet.

PoC code will be withheld for another month to allow webmasters using the
chat to take proper precautions, if they think the threat is worth to 
bother.


Vendor Response:
----------------

2005-06-11 -> Realchat notified via EMail
2005-06-13 <- Realchat staff got back to me stating this is a missing
              feature and that the /me hole was fixed.
2005-06-13 -> Suggested a simple HMAC-like scheme that would require
              sniffing another users session to impersonate him.
2005-06-17 <- Realchat say they will try to implement it until they have a 
              server based authentication.


Recommendations:
----------------

None yet. The problem must be solved in the chat software. Only disabling
the chat would be a viable workaround.

Don't use /me from private chat windows.


Kind regards,

Andreas Beck

-- 
Andreas Beck
http://www.bedatec.de/