Subject: BitchX exploit possibly waiting to happen, certain DoS
From: bert hubert (ahuDS9A.NL)
Date: Mon Jul 03 2000 - 17:19:50 CDT


With regards to the wu-ftpd exploits, it has come to my attention that
BitchX (all recent versions), a very popular irc client amongst the sysadmin
community, contains code similar to wu-ftpd 2.6:

                logmsg(LOG_INVITE, from, 0, invite_channel);

Where the last argument is a printf() style format argument. A patch is
floating around which changes this line to:

                logmsg(LOG_INVITE, from, 0, "%s", invite_channel);

See also http://bitchx.vda.nl/

Under FreeBSD 4, /invite-ing somebody to a channel with %s%s%s%s in the name
causes a segmentation violation on the remote client. Linux appears not to
suffer from this problem, but this is probably just a lucky break. Linux
(RedHat 6.1, Debian Frozen) does die if you invite somebody to channel
%n%n%n%n.

As many system administrators, including very senior ones, leave their
client open 24 hours a day, possibly in a screen session, this might be a
real problem waiting to happen.

I don't have the skills to determine if this is exploitable. I tried some
basic things but was unable to set the EIP - this should not be taken as a
sign that it isn't possible, however.

A temporary solution is to switch to another client, like ircII, which is
considered by many to be the more karmic client anyway.

Thanks to Sjeemz for pointing me to this.

Regards,

bert hubert

--
                       |              http://www.rent-a-nerd.nl
                       |                     - U N I X -
                       |          Inspice et cautus eris - D11T'95
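The following is an added example, not code from the post or from BitchX, that puts the vulnerable call pattern described above next to the patched one and shows the difference on a channel name that is safe to run. The `logmsg()` here is a hypothetical stand-in: its argument order is taken from the two lines quoted in the mail, and the assumption is that the real function hands its fourth argument to a printf-family routine. The channel name `#100%%` is a constructed input chosen because `%%` is a directive with defined behaviour (it consumes no argument), so the example demonstrates interpretation of the string as a format without the undefined behaviour that `%s%s%s%s` or `%n%n%n%n` would trigger. `count_directives()` is an added helper showing how many conversions an attacker gets to smuggle into a name like `%n%n%n%n`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for BitchX's logmsg(). Signature assumed from the
 * post: (type, from, flags, format, ...). Not BitchX code. */
#define LOG_INVITE 1

static char last_line[256];   /* most recently formatted log line */

static void logmsg(int type, const char *from, int flags, const char *fmt, ...)
{
    char body[200];
    va_list ap;
    (void)type;
    (void)flags;
    va_start(ap, fmt);
    vsnprintf(body, sizeof body, fmt, ap);   /* fmt is interpreted here */
    va_end(ap);
    snprintf(last_line, sizeof last_line, "%s invited you to %s", from, body);
}

/* Vulnerable pattern quoted in the post: the channel name IS the format
 * string, so every '%' in it is interpreted by vsnprintf(). Only call this
 * with inputs whose directives are defined without arguments ("%%"). */
const char *log_invite_vulnerable(const char *from, const char *invite_channel)
{
    logmsg(LOG_INVITE, from, 0, invite_channel);
    return last_line;
}

/* Patched pattern from the post: the channel name is passed as a %s
 * argument and is copied literally, whatever it contains. */
const char *log_invite_fixed(const char *from, const char *invite_channel)
{
    logmsg(LOG_INVITE, from, 0, "%s", invite_channel);
    return last_line;
}

/* Count the conversion directives an attacker controls when the string is
 * used as a format. "%%" is a literal percent sign and is not counted. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') {   /* escaped percent: skip both characters */
                s++;
                continue;
            }
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample input: a channel name containing "%%". */
    const char *chan = "#100%%";

    printf("vulnerable: %s\n", log_invite_vulnerable("bert", chan));
    printf("fixed:      %s\n", log_invite_fixed("bert", chan));
    printf("directives in \"%%n%%n%%n%%n\": %d\n", count_directives("%n%n%n%n"));
    return 0;
}
```

With the vulnerable call the logged channel loses a character (`#100%`), which is the interpretation step itself; with `%s%s%s%s` that same step reads pointers that were never passed, and with `%n%n%n%n` it writes through them, which matches the crashes the post reports. The fix costs nothing and needs no knowledge of what the attacker sent: any caller that passes untrusted text to a printf-style parameter should pass `"%s"` as the format and the text as an argument.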