grab cookie information with Melange Chat Server 1.10

2006.02.22
Credit: Nexus
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

A common problem has been found on many sites running the Melange Chat Server (referred to from here on as M-Chat). M-Chat is a simple IRC-like chat program for private websites. It can be run from JavaScript in the browser, which connects to the host on port 6666 (hence www.host.com:6666). However, the same service also accepts a raw telnet connection for using the server, and herein lies the problem. By logging into M-Chat through a telnet connection, one is able to monitor the HTTP connections coming in on that port. In most cases the person logging on through the browser-based chat has their entire HTTP request header, cookies included, displayed to anyone currently in a raw telnet session. Below is a short article on this bug being put to use in an effective hack.

Source: http://www.oh2600.com/forum/viewtopic.php?t=43
By: Nexus

Background: What is Aimforum.com?

Aimforum.com is/was a rather popular America Online Instant Messenger forum. The site has a large gathering of rather intelligent young kids. However, the forum is now seeing hard times......

Why was it hacked?

As would happen, AimForum.com's new owner did not see eye to eye with the older veteran members of the forum. The forum, which was an underground forum talking about "illegal AIM" activities, was converted over to an open public system where no illegal posts or chatter were permitted, which was bound to cause conflict. After many, many members being banned, a few people decided to take the matter into their own hands and prove a point, which would lead to a call to the FBI........ Here is how it was done.

Many sites today run a low-level chat system known as Melange Chat, better known as M-Chat, which serves as a simple in-site IRC server. Aimforum.com is no different in this matter. A major flaw with M-Chat is that when it is accessed via a web browser it displays critical cookie information to anyone within the server. By simply telnetting to www.site.com:6666 one can sit within the telnet session and wait.......

Step One: Setting the trap

The "hackers" logged into the M-Chat via telnet. They sat and waited for their target to get online....... Now once the admin was online, a simple IM to him offering a link to www.aimforum.com:6666 was all that was needed; the admin was sent right to the M-Chat port and his cookie and browser header were then displayed within the M-Chat channel.

Step Two: Putting the information to use

Now that they had acquired the admin's header information, it was time for them to put things into action. They hustled to their Firefox directory (as it was a Firefox cookie) and cleared their entire cookie cache, then opened Firefox and logged into aimforum.com with their own (or a hacked, didn't matter) account. This would allow them to get the cookie set. Once the cookie was grabbed they closed Firefox, opened the cookie file and edited the "bbuser" field from 3315 (which is the normal user level) to 419, I think it was (which is the admin user level), and then changed the "bbhash" from whatever it was they had to the admin's hash. Now with this all done they had the same cookie information as the targeted admin did..... It was time for the third and final step.

Step Three: Executing the hack

Having the same cookie information as the said admin, they simply needed to open their Firefox and direct themselves back to www.aimforum.com. And in an instant they were greeted with the "Welcome [Username Removed]". They were in.... Now from here they could have done anything, a simple new thread to say "blah blah you were exploited" or anything else to prove their point and get out.... But they decided to take a more destructive approach to their plans. As the small team of kids went through the newly hacked forum they began to delete threads, posts and information. Years of topics and useful information were gone in minutes. From here the exploit was done and they felt satisfied, but it was not over; they had to prove even further that they were "l33t h3x0r d00ds". They created a new announcement on the forum which was displayed on the front page announcing that they (using their handles/usernames) had hacked and owned the forum.
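The root cause in the advisory is a single-port chat server that relays every byte it receives, so a browser's HTTP request (Cookie header included) reaches the telnet users. The following is an added example, not Melange Chat's own code, of the per-client gate such a server needs: it recognises an HTTP preamble, discards the request line and headers, and only relays chat lines. Every name in it (ClientState, consume, the constructed cookie values in the test) is this example's own assumption.

```python
"""Added example, not Melange Chat's own code: a per-client broadcast gate
for a chat server that takes browser (HTTP) and raw telnet clients on one
port.  The flaw above is that the raw HTTP request, Cookie header included,
was relayed to every telnet user.  This gate swallows the HTTP preamble so
headers never enter the broadcast.  All names here are assumptions."""
import re
from dataclasses import dataclass

HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r?\n")
HEADER_END = re.compile(rb"\r?\n\r?\n")
COOKIE_HEADER = re.compile(rb"(?im)^cookie:")


@dataclass
class ClientState:
    is_http: bool = False         # connection opened with an HTTP request line
    handshake_done: bool = False  # preamble consumed; chat text may follow
    saw_cookie: bool = False      # audit flag only; the value is never kept
    pending: bytes = b""          # bytes received but not yet classified


def consume(state: ClientState, data: bytes) -> list:
    """Feed raw bytes from one client and return the lines safe to relay.
    An HTTP request line and its headers are dropped; chat lines after the
    blank line, or every line of a plain telnet session, are returned."""
    state.pending += data
    if not state.is_http and not state.handshake_done:
        if HTTP_REQUEST_LINE.match(state.pending):
            state.is_http = True
        elif b"\n" in state.pending:
            state.handshake_done = True   # first line is not HTTP: telnet
        else:
            return []                     # wait for a complete first line
    if state.is_http and not state.handshake_done:
        m = HEADER_END.search(state.pending)
        if m is None:
            return []                     # headers still arriving: buffer
        headers = state.pending[:m.start()]
        state.saw_cookie = COOKIE_HEADER.search(headers) is not None
        state.pending = state.pending[m.end():]   # headers discarded here
        state.handshake_done = True
    lines = state.pending.split(b"\n")
    state.pending = lines.pop()           # trailing partial line stays buffered
    return [ln.rstrip(b"\r") for ln in lines if ln.strip()]
```

The gate handles headers that arrive split across several reads and a telnet user whose first line happens to start with an HTTP method; it does not replace the simpler fix of not exposing the browser port to raw telnet clients at all.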

