by Tan Chew Keong
Release Date: 2006-08-23
A vulnerability has been found in Cool Messenger Office/School Server. When exploited, the vulnerability allows any people to logon to the messenger server as any user without requiring knowledge of any passwords.
Cool Manager version 5.0 (5,60,90,27) with Cool_CoolD 5,60,90,7
Cool Messenger Office/School Server version 5.5 (5,65,12,12) with Cool_CoolD 5,65,12,11
This advisory discloses an SQL injection vulnerability in Cool Messenger Office/School Server. The vulnerability exists when Cool_CoolD.exe is handling a user logon authentication request. It is possible to exploit the vulnerability to logon as any user to the messenger server without requiring knowledge of a password.
The vulnerability exists because Cool_CoolD.exe does not sanitise the username received from a Cool Messenger client before using it in an SQL query.
The username received from a Cool Messenger client is used to construct the following query.
CString::Format("SELECT K_MEMBERID,PASSWD FROM CD_MEMBER WHERE MEMBERID='%s';", username);
Since username is not sanitised, it is possible to manipulate the query to allow logon to the messenger server without knowing any passwords.
For example, by submitting a specially-crafted username via the Cool Messenger client:
When such an attack has occurred, the following entry will be observed in the Cool_CoolD_Log log file.
[15:40:04:406] (1184) [INFO] User "xx' union ...." logged-in, from 192.168.1.108
Patch / Workaround
According to the vendor, the vulnerability has been fixed in the following versions.
Cool Manager version 5.0 (5,60,90,28)
Cool Messenger Office/School Server version 5.5 (5,65,12,13)
2006-07-15 - Vulnerability Discovered.
2006-07-17 - Initial Vendor Notification.
2006-07-28 - Received notification that fixed Korean version has been released. Japanese version is not ready for release.
2006-08-04 - Reminder sent to vendor of Japanese version.
2006-08-16 - Reminder sent to vendor in Korea.
2006-08-16 - Received reply that fixed Japanese version will be released on 2006-08-16.
2006-08-23 - Public Disclosure.