8208623 2002-03-27 19:20 +0100 /52 lines/ SpaceWalker <spacewalker@altern.org>
Sent by: joel@lysator.liu.se
Imported: 2002-03-27 21:54 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21601>
Subject: Xchat /dns command execution vulnerability
------------------------------------------------------------
From: SpaceWalker <spacewalker@altern.org>
To: bugtraq@securityfocus.com
Message-ID: <20020327192048.30f6273e.spacewalker@altern.org>

Xchat - Remote command execution

name        : Xchat
date        : 27/3/2002
description : Xchat is a graphical IRC client widely used in the Linux and *BSD community
severity    : Low risk
homepage    : www.xchat.org
versions    : probably all

Bug description :

There is an issue in the way xchat handles the /exec command, and more precisely the /dns command. "/dns some_nick" is meant to resolve that person's host: it runs "%s %s" with the preferred DNS program and the hostname of the person, and that hostname is whatever the IRC server reported for them. The body of the cmd_dns() function contains this, in common/outbound.c at line 1474:

    {
        sprintf (tbuf, "/exec %s %s", prefs.dnsprogram, nick);
        handle_command (tbuf, sess, 0, 0);
    }

and far away, at line 1863 in the cmd_exec() function:

    execl ("/bin/sh", "sh", "-c", cmd, 0);

No character is stripped out of cmd. So if you can make a server answer with a hostname of ";DISPLAY=localhost:0.0;xterm", the command passed to execl() will be "host;DISPLAY=localhost:0.0;xterm", which runs an arbitrary command through the shell. Note that the executed command is printed to the channel just before execution.

To exploit the hole, the attacker may force a server to respond to a whois command with a malformed hostname. So, two conditions are needed to exploit the vulnerability:

  * The target must be connected to a server the attacker controls (patched to return the crafted hostname)
  * The target must run the /dns command on someone

Solution :

For now, don't go on unknown servers while a patch is being coded. Generally, it's a bad idea to go on an unknown server with xchat: it trusts the protocol's conventions too much and may be vulnerable in some strcpy()s (like in the example).

Spacewalker <spacewalker@altern.org>
(8208623) /SpaceWalker <spacewalker@altern.org>/(Reflowed)
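The unquoted-hostname pattern described above, placed beside a hardened replacement, as an added example: this is not code from the advisory or from xchat. The function names (build_dns_command_unsafe, hostname_is_safe, run_dns_safe), the allow-listed character set and the sample hostnames are assumptions made for illustration; the only thing taken from the advisory is the ";DISPLAY=localhost:0.0;xterm" payload.

```c
/* Added example (not xchat code): the advisory's pattern of pasting a
 * server-supplied hostname into a command line that reaches
 * execl("/bin/sh", "sh", "-c", cmd, 0), beside a variant that never lets
 * a shell see the hostname.  Helper names and sample inputs are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMDLEN 512

/* Mirrors the vulnerable pattern: dnsprogram and hostname are joined into one
 * string destined for "sh -c".  Shell metacharacters such as ';' survive
 * untouched, so a hostname can append further commands. */
int build_dns_command_unsafe(char *out, size_t outlen,
                             const char *dnsprogram, const char *hostname)
{
    int n = snprintf(out, outlen, "%s %s", dnsprogram, hostname);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allow-list check (assumption: a hostname or IPv4/IPv6 literal only ever
 * contains letters, digits, '.', '-' and ':').  Everything else, including
 * ';', '|', '$', '`', whitespace and quotes, is rejected. */
int hostname_is_safe(const char *hostname)
{
    size_t len = strlen(hostname);
    size_t i;
    if (len == 0 || len > 253)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)hostname[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Hardened variant: validate first, then exec the resolver directly with an
 * argument vector, so no shell ever parses the hostname.  Returns the child's
 * exit status, or -1 if the hostname was rejected or the child could not run. */
int run_dns_safe(const char *dnsprogram, const char *hostname)
{
    int status;
    pid_t pid;

    if (!hostname_is_safe(hostname))
        return -1;                      /* rejected before any fork */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* argv goes verbatim to the program; a ';' here would be plain text */
        execlp(dnsprogram, dnsprogram, hostname, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[CMDLEN];
    /* constructed input: the hostname a hostile server would return */
    const char *evil = ";DISPLAY=localhost:0.0;xterm";

    build_dns_command_unsafe(cmd, sizeof cmd, "host", evil);
    printf("unsafe command line: %s\n", cmd);
    printf("hostname_is_safe: %d\n", hostname_is_safe(evil));
    printf("run_dns_safe: %d\n", run_dns_safe("host", evil));
    return 0;
}
```

The point of run_dns_safe() is the second half, not the allow-list: even if a crafted hostname slipped past validation, execlp() hands it to the resolver as a single argv element, so "host" would merely fail to resolve ";DISPLAY=localhost:0.0;xterm" rather than the shell splitting it into three commands.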