Bugtraq mailing list archives

Xchat /dns command execution vulnerability


From: SpaceWalker <spacewalker () altern org>
Date: Wed, 27 Mar 2002 19:20:48 +0100

Xchat - Remote command execution

name            : Xchat
date            : 27/3/2002
description     : Xchat is a graphical IRC client widely used in the Linux and *BSD
                  community
severity        : Low risk
homepage        : www.xchat.org
versions        : probably all
Bug description :

There is an issue in the way xchat handles the /exec command, and more
precisely in the /dns command.
/dns is meant to resolve somebody's host: the user issues
"/dns some_nick"
and xchat executes
"%s %s", preferred dns program, hostname of the person

The body of the cmd_dns() function contains this, in common/outbound.c at line 1474:
{
sprintf (tbuf, "/exec %s %s", prefs.dnsprogram, nick);
handle_command (tbuf, sess, 0, 0);
}

and further down, at line 1863 in the cmd_exec() function:
execl ("/bin/sh", "sh", "-c", cmd, 0);
No characters are stripped out of cmd. If you can force a server to
return a hostname of ";DISPLAY=localhost:0.0;xterm" in a WHOIS reply,
the command passed to execl will be
"host;DISPLAY=localhost:0.0;xterm"
which runs an arbitrary command through the shell.
Note that the executed command is printed to the channel just before
it runs.
To exploit the hole, the attacker has to make a server respond to a WHOIS
command with a malformed hostname.
So there are two conditions for exploiting this vulnerability:
* The target must be connected to the attacker's own patched server
* The target must run the /dns command on someone

Solution        :
For now, do not connect to unknown servers while a patch is being written.
Generally, it is a bad idea to connect to an unknown server with xchat: it
trusts the protocol conventions too much and may be vulnerable in some of its
strcpy()s (as in the example above).
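The two defensive fixes that follow from the description above are (1) never to hand a server-supplied hostname to /bin/sh, and (2) to check that the hostname only contains characters a DNS name can legitimately contain before passing it to any helper program. The C below is an added example written for this page, not xchat's code and not the patch the author mentions; the function names is_safe_hostname() and run_dns_lookup() are hypothetical, and the sample inputs in main() are constructed (the second one is the malformed hostname quoted in the advisory).

```c
/* Added example (not xchat's code): a hostname validator plus a shell-free
 * way to run the DNS helper, the two fixes for the /dns issue described above.
 * Function names are hypothetical. Build with: cc -std=c99 -Wall dns_fix.c */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAX_HOSTNAME 253   /* longest DNS name, per RFC 1035 limits */

/* Returns 1 if 'host' looks like a DNS hostname: non-empty, not over-long,
 * only letters, digits, '-' and '.', and not starting with '-' or '.' (a
 * leading '-' could be read as an option by the helper program). Every
 * shell metacharacter (';', '|', '$', whitespace, ...) is rejected here. */
int is_safe_hostname(const char *host)
{
    size_t len;
    if (host == NULL)
        return 0;
    len = strlen(host);
    if (len == 0 || len > MAX_HOSTNAME)
        return 0;
    if (host[0] == '-' || host[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Runs "<dnsprogram> <host>" directly with execlp(), never through
 * "sh -c": the hostname is one argv element, so even if a bad name slipped
 * past the validator the shell would not be there to interpret ';'.
 * Returns the helper's exit status, or -1 if the name is rejected or the
 * child cannot be started. */
int run_dns_lookup(const char *dnsprogram, const char *host)
{
    int status;
    pid_t pid;

    if (!is_safe_hostname(host))
        return -1;                       /* rejected before any fork/exec */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(dnsprogram, dnsprogram, host, (char *)NULL);
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a legitimate hostname and the malformed reply
     * quoted in the advisory, which the validator rejects before exec. */
    const char *good = "irc.example.org";
    const char *bad  = "host;DISPLAY=localhost:0.0;xterm";

    printf("%-40s -> %s\n", good, is_safe_hostname(good) ? "accepted" : "rejected");
    printf("%-40s -> %s\n", bad,  is_safe_hostname(bad)  ? "accepted" : "rejected");
    return 0;
}
```

The validator is deliberately stricter than what DNS allows in practice (no underscores, no IDN); for a client that only needs to resolve IRC hosts that is the safer default, and the important property is that the allowlist and the shell-free exec are independent layers, so a mistake in one does not reopen the hole.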

Spacewalker <spacewalker () altern org>
