ichat - Analysis and Vulnerabilities, by Pho
My initial analysis of Rooms was prompted by the success of the not-dissimilar newsirc exploration; however, I soon discovered some interesting points. Here's how I did it.
Shortly after starting my sniffer, I created an account and joined the chat. After making sure that I'd received and sent some text (taking careful note of what this text was, so that I could find it in the sniffer output) I stopped the sniffer and closed the chat.

Figure 1 - The Ethereal Main Window
The selected row in the uppermost window is the TCP packet holding the HTTP request that shows me saying the text 'asdasdasd'. This row is highlighted. The middle window of the screenshot shows the protocol breakdown of the packet (by the way, packets are the little chunks your messages get broken up into as they pass across the internet), which is a classy feature of Ethereal. The bottom window shows the raw bytes of the packet in hexadecimal and ASCII, with the bytes belonging to the protocol breakdown's selection (HTTP) shown in bold.
The most interesting packet was the one highlighted in Figure 1, however, as it was me _talking_ instead of the java client listening to the channel. Using Ethereal's 'Follow TCP Stream' option in the 'Tools' menu, I was able to view the entire session with the server that took place in order to talk to the channel. Figure 2, below, shows what I saw.

Figure 2 - The Ethereal TCP Stream Window
This is what the java client asked my browser to send to the remote Rooms server (the other client types are fairly similar at this point, too). The lower section is what the server responded with. This is HyperText Transfer Protocol (HTTP). Now, just 'cause I felt like it, I tried (via telnet) sending similar data to the same place on the server without 'logging in' first. I received a different 'Location' header in return -- one that pointed to the login page. Obviously, my text hadn't gotten through. I retried, this time copying the cookie too. Voila! -- Switching back to Netscape, I verified that 'You said, this.server.has.a.security.hole' (that's what appeared in the impersonated client's chat frame). Joy!
By stealing another user's cookie ID (either by acting as their HTTP proxy server or by sniffing it from the network) you can effectively take over that person's position in iChat Rooms when they leave. Alternatively, you can freak them out by making them 'say' things that they never said. Retrieving the cookie from proxy logs or traffic dumps is left as an exercise for the reader.
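The same weakness that makes the replay work (the server accepts any request carrying a valid cookie, regardless of which host or client sends it) is also what makes it visible in the server's own logs. The following is an added example, not part of this write-up or of the ichat-cookie.pl tool: it walks a few constructed access-log lines and flags any session cookie presented from more than one client address. The log format, the cookie name 'session', and the addresses and paths are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: combined-format access log with the request's Cookie
# header appended as a final quoted field. Hosts, paths, cookie name and
# values are made up for this example, not taken from iChat Rooms.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/1999:21:03:11 +0000] "POST /rooms/say.cgi HTTP/1.0" 302 0 "-" "Mozilla/4.5" "session=abc123"
10.0.0.5 - - [12/Mar/1999:21:03:40 +0000] "POST /rooms/say.cgi HTTP/1.0" 302 0 "-" "Mozilla/4.5" "session=abc123"
10.0.0.9 - - [12/Mar/1999:21:04:02 +0000] "POST /rooms/say.cgi HTTP/1.0" 302 0 "-" "-" "session=abc123"
10.0.0.7 - - [12/Mar/1999:21:04:30 +0000] "POST /rooms/say.cgi HTTP/1.0" 302 0 "-" "Mozilla/4.5" "session=zzz999"
"""

# One regex for the assumed log layout; a line that does not match is skipped.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
COOKIE_NAME = "session"  # assumed name of the login cookie


def parse_line(line):
    """Return the client address, user agent and session id of one log line,
    or None if the line is malformed or carries no session cookie."""
    m = LINE_RE.match(line)
    if not m:
        return None
    cookies = dict(kv.split("=", 1) for kv in m["cookie"].split("; ") if "=" in kv)
    sid = cookies.get(COOKIE_NAME)
    if sid is None:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "ua": m["ua"], "sid": sid}


def find_shared_sessions(log_text):
    """Map each session id that was presented from more than one client
    address to the sorted list of those addresses. A cookie used from a
    second host is exactly the replay described in the write-up."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            seen[rec["sid"]].add(rec["ip"])
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} presented from {len(ips)} addresses: {', '.join(ips)}")
```

A server that bound the session to the client that logged in, or that expired it when the user left, would not have accepted the telnet replay in the first place; this check only surfaces the ones it did accept.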
Here it is (v0.9). You will need a Unix machine to run it on (technically you don't, but if you know how to run it under NT or another OS, you shouldn't be reading the docs ;).
./ichat-cookie.pl servername portnumber cgi-vars cookie-vars