Author Topic: Vulnerabilities in SlackChat :)  (Read 7870 times)

0 Members and 3 Guests are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Vulnerabilities in SlackChat :)
« on: November 17, 2005, 11:10:54 am »
*pokes tmp*

Set your home directory to a very long string
Quote
iago@slayer:~$ sudo usermod -d `perl -e "print 'A'x10000"` iago
iago@slayer:~$ slackchat
Segmentation fault
iago@slayer:~$ gdb slackchat
GNU gdb 6.1.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run
Starting program: /usr/local/bin/slackchat

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
I know, you need root, and that's boring. 

How about a...... format string vuln?

Type "%08X-%08X-%08X-%08X-%08X-%08X-%08X-  ****%s**** -%08X-%08X-%08X" into the chat window, then press left.  :-o!

The parameter with the *'s around it is the one that points to the format string in memory.  If you wanted to take control of the program, you can take advantage of that parameter.  Just tell them "Hey, paste this into your window", with the exploit code.  Woo!

This is nothing serious, 100% local and useless attack.  But hopefully Tmp will see this.  :-)

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Vulnerabilities in SlackChat :)
« Reply #1 on: November 17, 2005, 11:43:46 am »
Another thing which isn't a vulnerability: backspace doens't work for me.  For some reason, backspace sends the character 0x7F. 

Also, I can't seem to read the hashfiles unless I have write access to them. 

Finally, is there some way to put the hashfiles in a different folder?  I'd like to try this on my school's computer, but I don't have root, so I can't make folders in /usr/local. 

Good job, though, I couldn't figure out how to do input properly so I used your code for inspiration, and now it's working perfectly for me :)

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Vulnerabilities in SlackChat :)
« Reply #2 on: November 17, 2005, 07:12:12 pm »
Good job, this is really interesting stuff. ::)

Btw, backspace stuff is documented. RTFM
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Vulnerabilities in SlackChat :)
« Reply #3 on: November 17, 2005, 09:02:42 pm »
Good job, this is really interesting stuff. ::)

Btw, backspace stuff is documented. RTFM

Why RTFM when there's a simple fix?  I'm doing ncurses stuff for a school project, and I had to figure it out myself because I couldn't rip it from Tmp :)

Btw, somebody who sees him on IRC, point him to this thread.

<edit> I RTFM'd, and it explains how to fix that in PuTTy.  For some reason, that doesn't help me. 

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Vulnerabilities in SlackChat :)
« Reply #4 on: November 17, 2005, 09:10:18 pm »
Good job, this is really interesting stuff. ::)

Btw, backspace stuff is documented. RTFM

Why RTFM when there's a simple fix? I'm doing ncurses stuff for a school project, and I had to figure it out myself because I couldn't rip it from Tmp :)

Btw, somebody who sees him on IRC, point him to this thread.

<edit> I RTFM'd, and it explains how to fix that in PuTTy. For some reason, that doesn't help me.

You had the same problem I did before RTFM, so I assumed it would have a similar solution (Linux keys or whatever it is.)
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Vulnerabilities in SlackChat :)
« Reply #5 on: November 17, 2005, 10:01:09 pm »
Nope, my terminal is a straight up terminal.  No key mappings. 

If it works for him on his terminal, however, that's kinda weird...

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Vulnerabilities in SlackChat :)
« Reply #6 on: November 20, 2005, 07:33:25 pm »
Nope, my terminal is a straight up terminal.  No key mappings. 

If it works for him on his terminal, however, that's kinda weird...

You use aterm. You lying bitch, that ain't no straight up terminal, Mr. Transparency. >:(
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Vulnerabilities in SlackChat :)
« Reply #7 on: November 20, 2005, 08:34:17 pm »
Nope, my terminal is a straight up terminal.  No key mappings. 

If it works for him on his terminal, however, that's kinda weird...

You use aterm. You lying bitch, that ain't no straight up terminal, Mr. Transparency. >:(

What's so not straight up about it?

And eww @ transparency.  I only use it because I like the font. 

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Vulnerabilities in SlackChat :)
« Reply #8 on: November 21, 2005, 12:46:52 am »
Nope, my terminal is a straight up terminal.  No key mappings. 

If it works for him on his terminal, however, that's kinda weird...

You use aterm. You lying bitch, that ain't no straight up terminal, Mr. Transparency. >:(

What's so not straight up about it?

And eww @ transparency.  I only use it because I like the font. 

The only straight up terminal is xterm. The rest are modified. :)

If you like the font, why not use rxvt? :P
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Vulnerabilities in SlackChat :)
« Reply #9 on: November 21, 2005, 01:04:14 am »
Nope, my terminal is a straight up terminal.  No key mappings. 

If it works for him on his terminal, however, that's kinda weird...

You use aterm. You lying bitch, that ain't no straight up terminal, Mr. Transparency. >:(

What's so not straight up about it?

And eww @ transparency.  I only use it because I like the font. 

The only straight up terminal is xterm. The rest are modified. :)

If you like the font, why not use rxvt? :P

Why is xterm the straight up one?  Who decided that?  What's wrong with using the tty terminal before you ever get to X, that seems more straight up to me? 

I consider anything without a considerable difference to be normal.  I don't know of any terminals for Linux that are weird, but I'm thinking Windows clients, and possibly KDE or Gnome's built in client. 

And I use aterm because I've always used aterm.  It works perfectly, so why change?  Plus, my shortcut key to run it is alt-a, so if I change to rxvt that won't make any sense!

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Vulnerabilities in SlackChat :)
« Reply #10 on: November 21, 2005, 01:05:54 am »
Why is xterm the straight up one?  Who decided that?  What's wrong with using the tty terminal before you ever get to X, that seems more straight up to me? 

I didn't know what to call the tty terminals, so I decided to use xterm instead. :P
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: Vulnerabilities in SlackChat :)
« Reply #11 on: November 21, 2005, 03:28:38 pm »
I like Konsole, its nice, clean, and full of features. :)
And like a fool I believed myself, and thought I was somebody else...

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Vulnerabilities in SlackChat :)
« Reply #12 on: November 21, 2005, 05:42:10 pm »
I like Konsole, its nice, clean, and full of features. :)
It's not clean at all!

Having no features = clean. 

:-)

Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: Vulnerabilities in SlackChat :)
« Reply #13 on: November 21, 2005, 08:54:42 pm »
I like Konsole, its nice, clean, and full of features. :)
It's not clean at all!

Having no features = clean. 

:-)
No... clean = Not a milion trillion buttons everywhere.
And like a fool I believed myself, and thought I was somebody else...

Offline mynameistmp

  • Full Member
  • ***
  • Posts: 111
  • Hi! I'm new here!
    • View Profile
Re: Vulnerabilities in SlackChat :)
« Reply #14 on: November 22, 2005, 04:49:30 am »
Set your home directory to a very long string
Fixed.

Quote
How about a...... format string vuln?

Type "%08X-%08X-%08X-%08X-%08X-%08X-%08X-  ****%s**** -%08X-%08X-%08X" into the chat window, then press left.  :-o!
Fixed.

Quote
Also, I can't seem to read the hashfiles unless I have write access to them. 
Should work fine now.

Quote
Finally, is there some way to put the hashfiles in a different folder?  I'd like to try this on my school's computer, but I don't have root, so I can't make folders in /usr/local.

The hashfiles can be stored in ~/slackchat/slackchat_bin/ and it should run fine.

Update available: www.javaop.com/~tmp

Thanks for the bug testing.