#######################################################################

                             Luigi Auriemma

Application:  Zilab Chat and Instant Messaging (ZIM)
              http://www.zilab.com/zim.shtml
Versions:     <= 2.1 (version reported by the installer)
Platforms:    Windows
Bugs:         A] NULL pointer crash
              B] various heap overflow
              C] requested user info buffer-overflow
Exploitation: remote
Date:         21 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"ZIM is slim and simple chat and instant messaging server for Windows
2003/XP/2000. Easy to install and use, ideal for use in LAN or remote
VPN protected environments. ZIM supports public and private chat
channels, offline messages and file transfers through the server."

#######################################################################

=======
2) Bugs
=======

---------------------
A] NULL pointer crash
---------------------

The server is affected by various NULL pointer vulnerabilities
exploitable by an attacker who doesn't send the needed parameters (like
the username at login, or the creation of a room without being logged
in the chat), forcing the server to use the uninitialized NULL values of
the strings.

------------------------
B] various heap overflow
------------------------

ZIM is also vulnerable to some heap overflow vulnerabilities exploitable
for example through a room with a name longer than 120 bytes or a long
source account during the request of a user's information.

--------------------------------------
C] requested user info buffer-overflow
--------------------------------------

A stack based buffer-overflow is exploitable through the user's
information query using a requested username longer than 380 bytes.
All the bugs can be exploited without having an account because the
login process is not required.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/zilabzcsx.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################
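The three bug classes in section 2 share one root cause: request fields are used before the server checks that they are present and that they fit their fixed-size buffers. Since no vendor fix exists, the following is an added example (not ZIM's code; its protocol and handlers are not shown on this page) of a hypothetical request handler hardened against exactly those inputs, using the 120-byte room name and 380-byte username limits from the advisory. The `zim_request` struct, the function names and the "alice" sample login are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Limits from the advisory: a room name longer than 120 bytes and a queried
 * username longer than 380 bytes overflow the server's fixed-size buffers. */
#define ZIM_ROOM_NAME_MAX  120
#define ZIM_QUERY_NAME_MAX 380

enum zim_status { ZIM_OK = 0, ZIM_ERR_MISSING = 1, ZIM_ERR_TOO_LONG = 2 };

/* Hypothetical parsed request; a field the client did not send stays NULL. */
struct zim_request {
    const char *username;   /* login name: bug A when absent */
    const char *room_name;  /* room to create: bug A absent, bug B too long */
    const char *query_name; /* user whose info is requested: bug C too long */
};

/* Presence and length check; the scan stops after max + 1 bytes, so even an
 * unterminated field is never read past the limit. */
static enum zim_status zim_check(const char *field, size_t max) {
    size_t n = 0;
    if (field == NULL) return ZIM_ERR_MISSING;        /* bug A: NULL string used */
    while (n <= max && field[n] != '\0') n++;
    return n > max ? ZIM_ERR_TOO_LONG : ZIM_OK;       /* bug B/C: oversized copy */
}

/* Hardened "create room": requires a login name and a room name that fits
 * dst, which holds ZIM_ROOM_NAME_MAX + 1 bytes, before anything is copied. */
enum zim_status zim_create_room(const struct zim_request *req, char *dst) {
    if (req->username == NULL) return ZIM_ERR_MISSING; /* bug A: not logged in */
    enum zim_status st = zim_check(req->room_name, ZIM_ROOM_NAME_MAX);
    if (st != ZIM_OK) return st;
    memcpy(dst, req->room_name, strlen(req->room_name) + 1);
    return ZIM_OK;
}

/* Hardened "user info": the copy into the 380-byte stack buffer happens
 * only after the requested name has passed the check. */
enum zim_status zim_user_info(const struct zim_request *req) {
    char name[ZIM_QUERY_NAME_MAX + 1];
    enum zim_status st = zim_check(req->query_name, ZIM_QUERY_NAME_MAX);
    if (st != ZIM_OK) return st;
    memcpy(name, req->query_name, strlen(req->query_name) + 1);
    printf("user info requested for %s\n", name);
    return ZIM_OK;
}

/* Demo helper on constructed input: the room (or, with user_info set, the
 * query) field is len bytes of 'A', omitted when len is 0; logged_in decides
 * whether a username is present. Returns the hardened handler's verdict. */
enum zim_status zim_demo(int user_info, int logged_in, size_t len) {
    static char field[ZIM_QUERY_NAME_MAX + 2], room[ZIM_ROOM_NAME_MAX + 1];
    struct zim_request req = { logged_in ? "alice" : NULL, NULL, NULL };
    if (len > ZIM_QUERY_NAME_MAX + 1) return ZIM_ERR_TOO_LONG;
    memset(field, 'A', len); field[len] = '\0';
    if (user_info) { req.query_name = len ? field : NULL; return zim_user_info(&req); }
    req.room_name = len ? field : NULL;
    return zim_create_room(&req, room);
}
```

`zim_demo(0, 1, 121)` and `zim_demo(1, 1, 381)` are the inputs that would have overflowed the original buffers; the hardened handlers reject them before any copy takes place.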