SecurityTracker.com

SecurityTracker Archives

Category:  Application (Instant Messaging/IRC/Chat)  >  Rediff Bol
Vendors:  rediff.com
Rediff Bol Instant Messaging Client Sends Authentication Data in the Clear and Permits Remote Users to Terminate Sessions
SecurityTracker Alert ID:  1005997
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jan 28 2003
Impact:  Denial of service via network, Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 2.0.2
Description:  Two vulnerabilities were reported in the Rediff Bol instant messaging client (version 2.0.2). A remote user can force a target user's client to log out by getting the target to load a specially crafted URL, and the client sends the user's login credentials over the network without encryption.

It is reported that Rediff Bol registers the "rbol:" URL protocol with its main executable, 'bol.exe', as the handler, so any URL beginning with "rbol:" that is opened on the system launches bol.exe with the rest of the URL as a parameter. If the target user loads the URL "rbol:login" (for example, from a link or script in a web page or HTML e-mail), the application logs the user out. The user cannot log in again until bol.exe has been fully terminated and restarted; in some cases choosing "Exit" does not stop the process and it must be killed from the Task Manager. The report notes that the rediff.com web mail service did not filter scripting in HTML mail at the time, so a remote user could deliver the URL to a Rediffmail user via a script in an HTML message.

It is also reported that a remote user with access to the network path between a target user and the messaging server can sniff the target user's authentication credentials. The Rediff Bol client reportedly sends the user name, password and other account information to the server in the clear at login.

Impact:  A remote user can cause a target user's session to terminate, and leave the client unable to log back in until bol.exe is restarted, when the target user loads a malicious "rbol:" URL.

A remote user with access to the messaging traffic can view the target user's user name and password when they are transmitted over the network.

Solution:  No solution was available at the time of this entry. The author of the report indicates that, as a partial workaround, you can temporarily delete or disable the "Rbol:" protocol registration under the 'HKCR\rbol' registry key so that 'bol.exe' is not launched when the user loads a URL with the "Rbol:" protocol; the author notes that the protocol did not appear to be used by Bol for any core service. This workaround does not address the cleartext transmission of credentials, which only the vendor can fix.
Vendor URL:  bol.rediff.com/
Cause:  Access control error, State error
Underlying OS:  Windows (Any)
Reported By:  S G Masood <sgmasood@yahoo.com>
Message History:   None.
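The workaround above is a registry change on the affected Windows host. The following PowerShell script is an added example, not code from the advisory, the reporter or the vendor, that inspects the "rbol:" handler registration and disables it with a backup so it can be restored once a fixed client is available. The advisory names only the 'HKCR\rbol' key; the 'URL Protocol' value and the 'shell\open\command' subkey assumed here are the standard Windows URL-protocol handler layout, not something the report confirms for Rediff Bol.

```powershell
# Added example (not from the advisory or the vendor): inspect and disable the
# "rbol:" URL protocol handler registered under HKCR\rbol, as the report's
# workaround describes. The 'URL Protocol' value and 'shell\open\command'
# subkey are the standard Windows URL-protocol registration layout and are
# assumed here; the advisory only names the HKCR\rbol key itself.
# Run from an elevated PowerShell prompt: HKCR writes need administrator rights.

$Key    = 'Registry::HKEY_CLASSES_ROOT\rbol'
$Backup = Join-Path $env:TEMP 'rbol-handler-backup.reg'

if (-not (Test-Path -Path $Key)) {
    Write-Host 'No rbol: protocol handler is registered; nothing to do.'
    return
}

# Show what the shell would launch when a browser or mail client meets an rbol: URL.
$props = Get-ItemProperty -Path $Key
if ($null -ne $props.PSObject.Properties['URL Protocol']) {
    Write-Host 'rbol: is registered as a launchable URL protocol ("URL Protocol" value present).'
}
$cmdKey = "$Key\shell\open\command"
if (Test-Path -Path $cmdKey) {
    $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
    Write-Host "Handler command: $cmd"
}

# Export the key first so the handler can be put back once the vendor ships a fix.
& reg.exe export 'HKCR\rbol' $Backup /y | Out-Null
Write-Host "Backed up HKCR\rbol to $Backup"

# Disable by renaming rather than deleting: the scheme lookup for "rbol:" no
# longer finds a key, so bol.exe is not launched, but nothing is lost.
# (The reporter's alternative, outright deletion, is: reg.exe delete HKCR\rbol /f)
Rename-Item -Path $Key -NewName 'rbol.disabled' -ErrorAction Stop

if (Test-Path -Path $Key) {
    Write-Warning 'HKCR\rbol still exists after rename; check for a per-user copy under HKCU\Software\Classes.'
} else {
    Write-Host "rbol: handler disabled. Restore later with: reg.exe import `"$Backup`""
}
```

After the change, opening an "rbol:login" link should produce the usual "no program is associated with this protocol" behaviour instead of launching bol.exe. The check at the end matters because HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes; if the handler was registered per user as well as per machine, the rename of the machine-wide key leaves the per-user copy in place.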


 Source Message Contents

Date:  Wed, 22 Jan 2003 15:27:07 -0800 (PST)
From:  S G Masood <sgmasood@yahoo.com>
Subject:  Security Issues in Rediff Bol Messenger

 

Security Issues in Rediff Bol Messenger 



The widely used Indian Instant Messaging service
"Rediff Bol (Ver. 2.0.2)" by www.rediff.com has a few
security problems. The major one is that a malicious
user can log out a user by "feeding" a specially ;))
constructed URL to him.


1.Malicious logging out of a user: Rediff Bol
registers a URL protocol "Rbol:" with its main
executable bol.exe as the handler. Therefore, when a
URL starting with "rbol:" (without the quotes) is
accessed, bol.exe is launched and the parameters are
passed to it for further action.

In this case, when the URL "rbol:login" is accessed
(through a browser, for instance), the application
misbehaves and logs out the user. Further, he will not
be able to log in again unless bol.exe is completely
terminated and restarted. I say "completely
terminated" because sometimes, after exploitation,
just pressing "exit" will not stop bol.exe completely
until it is killed from the Task Manager.

This is further exacerbated because the email service
provided by www.rediff.com does not have *any* kind of
malicious scripting check and therefore is prone to
all kinds of XSS attacks. Consequently, if 'A' wants
to chuck 'B' out of a 'Rediff Bol' session, he can
send an HTML mail to B's Rediffmail account which,
when opened, will redirect him to the "rbol:login"
URL. This will log 'B' out of 'Bol'.

And, of course, the HTML mail will contain something
like:
<script>
window.location="rbol:login"
</script>

Solution: Deleting/disabling the "Rbol:" protocol from
the 'HKCR\rbol' registry key will solve the problem
until the vendor provides a more graceful solution ;).
According to my investigation, the "Rbol:" protocol is
presently not used by Bol to provide any core service
and therefore it can probably be safely disabled.


2. Unencrypted Transfer of Account/Authentication
Information: When a user logs in to Rediff Bol, the
account information (user name, password, etc) that is
transferred to the server from the client is not
encrypted in any way. Consequently, anyone sniffing
along the route can gain access to this information.

Solution: The user cannot do much to protect himself
from this kind of sniffing. This has to be resolved by
the vendor.

Regards
S.G.Masood


 


Copyright 2002, SecurityGlobal.net LLC