####################################################################### Luigi Auriemma Application: Ipswitch Instant Messaging http://www.ipswitch.com/products/instant_messaging Versions: <= 2.0.8.1 Platforms: Windows Bugs: A] pre-auth NULL pointer crash in decryption function B] format string in logging C] arbitrary empty files creation Exploitation: remote A] versus both server and clients B] versus server C] versus server Date: 07 Feb 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Ipswitch Instant Messaging (IM) is a client/server messaging software. ####################################################################### ======= 2) Bugs ======= ----------------------------------------------------- A] pre-auth NULL pointer crash in decryption function ----------------------------------------------------- IM uses the 3DES encryption with a fixed key ("ipswitch") for encrypting the network traffic and the only data which is in clear-text are the first 8 bytes exchanged at the beginning of each connection which are the version number of the program. If an attacker uses a version number equal to zero (no encryption?) will be able to crash the server due to the access to a NULL pointer during the decryption of the incoming data. Note that this bug affects both the server and client application so an attacker can easily crash all the clients in the LAN sending the malformed data to the port 5178 of each host since this is the default port on which they listen. --------------------------- B] format string in logging --------------------------- The logging function used by IM is affected by a format string vulnerability. The way I have found for exploiting this vulnerability is through a message sent to an user who has a malformed client IP string. So is possible to do this using two accounts (in my tests sending a message to himself doesn't seem to work for this bug) or in many other ways like sending a message to another user which when will reply will also exploit the vulnerability. When the server will try to connect to the IP specified by the target client it will fail since it's not a valid IP (255.255.255.255 INADDR_NONE) and will create an error message similar to the following subsequently passed directly to sprintf without the needed format argument: "Queueing message for username@host. Unexpected Error = 10049, Failed to connect to client_IP. on port client_port.." --------------------------------- C] arbitrary empty files creation --------------------------------- IM creates index files for storing pointers to the entries of its database in which are stored the messages of the users. The problem here is that these index files are created in append mode using the name of the target of the message plus the "@hostname.idx" suffix (like username@myhost.idx) without checking if the file has been created outside the Logs folder. Currently the only way I have found for writing files with arbitrary names is through the char ':' appended at the end of the target username which allows to drop the additional suffix added by the program. Anyway, although interesting, this bug can't be defined a real vulnerability since it's possible to create new files anywhere in the disk where is installed IM but is not possible to overwrite or append garbage data (the index data about I talked before) to the existent ones. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/ipsimene.zip ####################################################################### ====== 4) Fix ====== No fix #######################################################################