JDKChat v1.5 Remote Integer Overflow PoC

Title: JDKChat v1.5 Remote Integer Overflow PoC
Advisory ID: ZSL-2009-4908
Type: Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 12.03.2009
Summary
JDKChat is a simple C++ chat server for GNU/Linux systems. Users connect to it with a plain TCP client such as telnet.
Description
JDKChat is prone to a remote integer-overflow vulnerability. A remote attacker may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely crash the application, denying service to legitimate users.

--------------------------------------------------------------------------------

aleks@tux ~ $ telnet 192.168.0.1 7777
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
Welcome To jdkchat v1.5 by J.D. Koftinoff Software, Ltd.
http://www.jdkoftinoff.com/
and modified by Aditya Godbole (urwithaditya@gmx.net)
Commands available:
/who -- (list all users along with their connection numbers)
/exit -- (exit chat room)
/local -- (toggle local mode for your telnet session)
/[connection number] message -- (send private message to user at specified connection number)

JDKCHAT: Aleks just entered the room.
JDKCHAT: Users = Aleks:0
Aleks >

// And after we run the PoC:

JDKCHAT: PwNzOr just entered the room.
Aleks >Connection closed by foreign host.
aleks@tux ~ $

--------------------------------------------------------------------------------

Vendor
J.D. Koftinoff Software, Ltd. - http://www.jdkoftinoff.com
Affected Version
1.5
Tested On
Gentoo, Ubuntu, Debian
Vendor Status
N/A
PoC
jdkchat_poc.pl
Credits
Vulnerability discovered by Aleksandar Lazarov - <aleks@zeroscience.mk>
References
[1] http://www.milw0rm.com/exploits/8205
[2] http://www.packetstormsecurity.org/filedesc/jdkchat-overflow.txt.html
[3] http://www.securityfocus.com/bid/34102
[4] http://securityreason.com/exploitalert/5860
[5] http://www.bugsearch.net/en/8333/JDKChat 1.5 Remote Integer Overflow PoC.html
Changelog
[12.03.2009] - Initial release
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk