Bugtraq mailing list archives
BitchX exploit possibly waiting to happen, certain DoS
From: ahu () DS9A NL (bert hubert)
Date: Tue, 4 Jul 2000 00:19:50 +0200
With regards to the wu-ftpd exploits, it has come to my attention that BitchX (all recent versions), a very popular irc client amongst the sysadmin community, contains code similar to wu-ftpd 2.6:

    logmsg(LOG_INVITE, from, 0, invite_channel);

Where the last argument is a printf() style format argument. A patch is floating around which changes this line to:

    logmsg(LOG_INVITE, from, 0, "%s", invite_channel);

See also http://bitchx.vda.nl/

Under FreeBSD 4, /invite-ing somebody to a channel with %s%s%s%s in the name causes a segmentation violation on the remote client. Linux appears not to suffer from this problem, but this is probably just a lucky break.

Linux (RedHat 6.1, Debian Frozen) does die if you invite somebody to channel %n%n%n%n.

As many system administrators, including very senior ones, leave their client open 24 hours a day, possibly in a screen session, this might be a real problem waiting to happen.

I don't have the skills to determine if this is exploitable. I tried some basic things but was unable to set the EIP - this should not be taken as a sign that it isn't possible, however.

A temporary solution is to switch to another client, like ircII, which is considered by many to be the more karmic client anyway.

Thanks to Sjeemz for pointing me to this.

Regards,

bert hubert

--
| http://www.rent-a-nerd.nl
| - U N I X -
| Inspice et cautus eris - D11T'95
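Added example, not part of the original message and not BitchX code: a minimal printf-style logger showing the patched calling pattern quoted above, with the untrusted channel name passed as data under a constant "%s" format. The names log_line, log_invite and count_conversions are hypothetical, and the channel strings are constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)  /* lets -Wformat-security flag non-literal formats */
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Hypothetical stand-in for a printf-style logger such as logmsg():
 * everything after `fmt` is consumed according to `fmt`. */
static int log_line(char *out, size_t outsz, const char *from,
                    const char *fmt, ...) PRINTF_LIKE(4, 5);

static int log_line(char *out, size_t outsz, const char *from,
                    const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outsz, "[INVITE] %s: ", from);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    va_start(ap, fmt);
    int m = vsnprintf(out + n, outsz - (size_t)n, fmt, ap);
    va_end(ap);
    return m < 0 ? -1 : n + m;   /* length the full line would need */
}

/* Count '%' characters that would start a conversion if `s` were used
 * as a format string ("%%" is a literal percent and is skipped). */
static int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

/* Patched pattern: constant format, remote-supplied name as an argument.
 * The unpatched form would be log_line(out, outsz, from, channel). */
static int log_invite(char *out, size_t outsz, const char *from,
                      const char *channel)
{
    return log_line(out, outsz, from, "%s", channel);
}

int main(void)
{
    char buf[128];
    log_invite(buf, sizeof buf, "nick", "#%n%n%n%n"); /* constructed name */
    printf("%s (conversions if misused: %d)\n", buf,
           count_conversions("#%n%n%n%n"));
    return 0;
}
```

With the format attribute in place, GCC and Clang report the unpatched call shape under -Wformat-security, which makes this class of bug findable at build time.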