Re: bug in iChat 3.0 (maybe others)

[stevek () STEVEK COM (Steve Kann)]

On Wed, Sep 09, 1998 at 04:19:28PM -0700, Jon Beaton wrote:
> Hi,
>
> The iChat (http://www.ichat.com/) ROOMS server runs as 'nobody', and on
> port 4080 as default. From what I've noticed, it just uses http, and has
> a bug which lets following /../../../ be ran on the URL using any web
> browser.  For example, something like:
>
> http://chat.server.com:4080/../../../etc/passwd

They (ichat) know about this problem, and have fixed it in versions
greater than 3.00.  It's a pretty stupid problem to have in the first
place, though.

What really irked me about this when I found out about it was this:

1) I found out about it as it was being exploited by an I-chat technical
support representative, who was using it to read certain configuration
files on my machine.  He wasn't necessarily being malicious, but he
_was_ accessing files on my machine, using a security flaw in their
software, without my consent.  Not exactly an experience that gives one
a "warm/fuzzy feeling".

2) They released a version 3.00 for linux, but did not release a fixed
version for linux.  So, users running it on linux were forced to either
stop using it altogether, or live with the problem.  The third
possibility, running it in a protected chrooted environment, is what I
chose for the period of time that I needed to continue running the
software.  I figured that if they had this kind of bug, who knows how
many exploitable buffer overflows there are.

-SteveK

--
     Steve Kann - Horizon Live Distance Learning - 841 Broadway, Suite 502
 Personal:stevek () SteveK COM  Business:stevek () HorizonLive com  (212) 533-1775
    Non voglio il vostro prodotto o servizio, e non voglio i vostri soldi
         Pertanto, non mandatemi alcuna informazione a riguardo.