#######################################################################

Luigi Auriemma

Application:  TinTin++ / WinTin++
              http://tintin.sourceforge.net
Versions:     <= 1.97.9
Platforms:    Windows, Linux and Mac
Bugs:         A] chat buffer-overflow
              B] chat YES NULL pointer
              C] chat home folder empty files creation
Exploitation: remote
Date:         06 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

TinTin++ is a well known MUD client.

#######################################################################

=======
2) Bugs
=======

The #chat command available in TinTin++ binds a TCP port (4050 by
default) used to receive chat messages and files from the other
clients.

-----------------------
A] chat buffer-overflow
-----------------------

A buffer overflow exists in add_line_buffer(), where word_wrap() can
double the length of the input string because it converts line feeds
into CR/LF.

The way I have found to exploit this vulnerability is through the
chat_printf() function used to build the "Unterminated command: %d %s"
string when the program receives data without a 0xff delimiter.

TinTin++ handles the data received through read/recv (max 19000 chars)
directly, without waiting for the entire data block as it was sent;
anyway the vulnerability has been successfully tested and confirmed
over the Internet too.

------------------------
B] chat YES NULL pointer
------------------------

The presence of the line feed char in the "YES:" message is not
verified, allowing an attacker to crash the TinTin++ program due to
the resulting NULL pointer.

From chat.c:

  int process_chat_input(struct chat_data *buddy)
  ...
      sep = strchr(buf, '\n');
      *sep++ = 0;
  ...
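Added example, not TinTin++ code: hardened forms of the two parsing steps behind bugs A and B, as a maintainer would write them. The function names, the buffer sizes and the sample messages are assumptions constructed for this example.

```c
/* Added example: defensive versions of the CR/LF expansion (bug A) and the
 * newline split (bug B). Not TinTin++ code; names and sizes are assumed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bug A pattern: turning "\n" into "\r\n" can double the length, so the
 * destination must be sized for the worst case and every write bounded.
 * Returns the bytes the full expansion needs (excluding NUL), or (size_t)-1
 * if that does not fit in outsz; out is always NUL-terminated. */
size_t lf_to_crlf(const char *in, char *out, size_t outsz)
{
    size_t need = 0, pos = 0;
    for (const char *p = in; *p; p++)
        need += (*p == '\n') ? 2 : 1;
    if (need + 1 > outsz) {
        if (outsz) out[0] = '\0';
        return (size_t)-1;           /* caller must grow the buffer */
    }
    for (const char *p = in; *p; p++) {
        if (*p == '\n') out[pos++] = '\r';
        out[pos++] = *p;
    }
    out[pos] = '\0';
    return need;
}

/* Bug B pattern: strchr() yields NULL when the delimiter is absent and the
 * original wrote through it unconditionally. Splits a "YES:" style message
 * at its first line feed; returns the remainder after the line feed, or
 * NULL (leaving buf untouched) when there is no line feed to split on. */
char *split_first_line(char *buf)
{
    char *sep = strchr(buf, '\n');
    if (sep == NULL)
        return NULL;                 /* malformed: no line terminator */
    *sep++ = '\0';
    return sep;
}

/* Returns 1 when both helpers behave as described on constructed inputs. */
int self_check(void)
{
    char out[8], msg[] = "YES:alice\nhello", bad[] = "YES:alice";
    if (lf_to_crlf("a\nb\n", out, sizeof out) != 6) return 0;
    if (strcmp(out, "a\r\nb\r\n") != 0) return 0;
    if (lf_to_crlf("a\nb\nc\n", out, sizeof out) != (size_t)-1) return 0;
    if (out[0] != '\0') return 0;    /* rejected input leaves a safe buffer */
    if (strcmp(split_first_line(msg), "hello") || strcmp(msg, "YES:alice")) return 0;
    return split_first_line(bad) == NULL && strcmp(bad, "YES:alice") == 0;
}

int main(void) { printf("self_check: %d\n", self_check()); return !self_check(); }
```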
----------------------------------------
C] chat home folder empty files creation
----------------------------------------

TinTin++ can receive files from other people in the incoming folder,
which by default is the home one (~ on Unix and %USERPROFILE% on
Windows), but naturally the user must accept the file before receiving
it.

The problem is that the file specified by the sender is created before
the user accepts or declines it, so an attacker can overwrite existing
files (subdirectories cannot be specified) with empty ones. For
example, it is possible to clear configuration files like .bashrc,
.inputrc, ntuser.ini and so on.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/rintintin.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################