#######################################################################
Luigi Auriemma
Application: TinTin++ / WinTin++
http://tintin.sourceforge.net
Versions: <= 1.97.9
Platforms: Windows, Linux and Mac
Bugs: A] chat buffer-overflow
B] chat YES NULL pointer
C] chat home folder empty files creation
Exploitation: remote
Date: 06 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
TinTin++ is a well known MUD client.
#######################################################################
=======
2) Bugs
=======
The #chat command available in TinTin++ binds a TCP port (4050 by
default) used to receive chat messages and files from the other
clients.
-----------------------
A] chat buffer-overflow
-----------------------
Exists a buffer-overflow vulnerability in add_line_buffer() where
word_wrap() makes the input string double due to conversion of line
feeds in CR/LF.
The way I have found to exploit this vulnerability is through the
chat_printf() function used for building of the
"Unterminated command: %d %s" string when the program receives data
without a 0xff delimiter.
TinTin++ handles the data received through read/recv (max 19000
chars) directly without waiting the entire data block as it was sent,
anyway the vulnerability has been successfully tested and confirmed on
Internet too.
------------------------
B] chat YES NULL pointer
------------------------
The presence of the line feed char in the "YES:" message is not
verified allowing an attacker to crash the TinTin++ program due to the
resulted NULL pointer.
From chat.c:
int process_chat_input(struct chat_data *buddy)
...
sep = strchr(buf, '\n');
*sep++ = 0;
...
----------------------------------------
C] chat home folder empty files creation
----------------------------------------
TinTin++ can receive files from other people in the incoming folder
which by default is the home one (~ on Unix and %USERPROFILE% in
Windows) but naturally is needed that the user accepts the file for
receiving it.
The problem is that the file specified by the sender is created before
accepting or declining it so is possible for an attacker to overwrite
the existent files (subdirectories cannot be specified) with empty
ones.
For example is possible to clear the configuration files like .bashrc
or .inputrc or ntuser.ini and so on.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/rintintin.zip
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org