Hey, I decided to document here in the forums how I managed to get RCE in the Habbo client by smuggling a client-side packet to trigger a lingo injection.
Note that I responsibly disclosed it to Myrax, and it was patched within less than an hour.
When attempting to edit the description of a room, a packet similar to the one below was being sent to the server.
It was at this point that I tried to set [02][01]BT[02][01] as the text in the description message, and discovered that the server was not performing the appropriate sanitization to said control characters. This made it possible to smuggle the BT packet (client-side moderation tool) the server, and all the users that opened the Hotel Navigator (if the malicious room was high on the list) would get the forged room description packet sent back by the server to their client.
The client then attempts to parse the room description packet, and when it finds the [02][01] control characters, it is fooled into thinking that's the end of the packet. It then sees the injected BT packet, and executes it. The same would also happen if they joined my room.
I know very little lingo, but I quickly took a look at its native functions and found one that allowed me to execute binaries (goToNetPage), so I pointed it to Mac's calculator as a PoC. Additionally, I had to construct my payload using numToChar(47) instead of the "/" character, since it would break the packet, and I couldn't utilize spaces as well.
Here's the final payload that I used. Red is the server-side room description packet and blue is the client-side poster position that executes lingo code.
Myrax rewarded me with 12 months of HC, coins, and a cool Bronze Habbo Tower Trophy due to the responsible disclosure. I encourage everyone to do the same (at least for RCE bugs)!
Note that I responsibly disclosed it to Myrax, and it was patched within less than an hour.
Client-side packet smuggling
After testing quite a bit and getting nowhere, I stumbled upon the room editing feature, which allows one to change the room's description, password, etc.When attempting to edit the description of a room, a packet similar to the one below was being sent to the server.
It was at this point that I tried to set [02][01]BT[02][01] as the text in the description message, and discovered that the server was not performing the appropriate sanitization to said control characters. This made it possible to smuggle the BT packet (client-side moderation tool) the server, and all the users that opened the Hotel Navigator (if the malicious room was high on the list) would get the forged room description packet sent back by the server to their client.
The client then attempts to parse the room description packet, and when it finds the [02][01] control characters, it is fooled into thinking that's the end of the packet. It then sees the injected BT packet, and executes it. The same would also happen if they joined my room.
Lingo injection
This primitive basically allowed me to force users to execute any arbitrary client-side packet I wanted. Given there are a few places in the client that utilize lingo's value() without sanitization, I was able to force the user's client to execute arbitrary lingo code using the poster position packet (originally found by Fuse - which had already been fixed in the server-side, but remained vulnerable to client-side exploitation). Here's the relevant client code if you want to check it out.I know very little lingo, but I quickly took a look at its native functions and found one that allowed me to execute binaries (goToNetPage), so I pointed it to Mac's calculator as a PoC. Additionally, I had to construct my payload using numToChar(47) instead of the "/" character, since it would break the packet, and I couldn't utilize spaces as well.
Here's the final payload that I used. Red is the server-side room description packet and blue is the client-side poster position that executes lingo code.
Myrax rewarded me with 12 months of HC, coins, and a cool Bronze Habbo Tower Trophy due to the responsible disclosure. I encourage everyone to do the same (at least for RCE bugs)!
