Subject: BitchX - more on format bugs?
From: Forever shall I be. (zinx@LINUXFREAK.COM)
Date: Mon Jul 03 2000 - 10:34:09 CDT
- Next message: Ussr Labs: "Remote DoS Attack in LocalWEB HTTP Server 1.2.0 Vulnerability"
- Previous message: Clifford, Shawn A: "Recovering Passwords in Visible Systems' Razor"
- Next in thread: Christopher Schulte: "Re: BitchX - more on format bugs?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Well, I've not seen this posted to bugtraq yet, so here goes... BitchX has fallen victim to the infamous format bug... All unpatched versions of BitchX are apparently vulnerable (patch follows)..

I've done a bit of messing around myself, and I think this bug can be used to execute arbitrary code (via the %n method outlined in previous articles) -- over here the user string (channel argument to invite) is around the 24th argument (aka %24$n) when compiled with gcc 2.95.2 on x86 boxes running glibc 2.1.3; it varies if your setup is different, of course..

Now.. That's not to say the exploit will be portable (it won't be), or easy (it probably won't be difficult, but it won't be easy -- you can only use characters valid to channel names, though there are a lot.. and on some servers you have to prefix it with #, which makes big-endian exploits near impossible).

And by the way, I didn't find the bug, nor create the patch..

That's all folks..

-- Zinx Verituse <zinx@linuxfreak.com> gpg (id 921B1558) (fp 5746 73A1 2184 A27A 9EC0 EDCC E132 BCEF 921B 1558)
- TEXT/PLAIN attachment: 1.0c16-format.patch
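An added illustration, not part of the post or of BitchX: the hardened pattern in which the user-supplied channel argument is only ever data for a fixed format string, plus a small audit helper that flags user input carrying a %n write directive (positional forms like %24$n included) so such strings can be spotted in logs or input validation. The function names and the sample channel string are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a channel argument carrying a positional %n directive. */
static const char *kSampleChan = "#%24$n";

/* The bug class: passing attacker data as the format itself, e.g.
 *     snprintf(out, outlen, chan);        // chan is user-controlled
 * The hardened form below keeps the format literal and passes chan as data. */
int announce_invite(char *out, size_t outlen, const char *nick, const char *chan)
{
    return snprintf(out, outlen, "%s invites you to %s", nick, chan);
}

/* Count '%' conversions a string would introduce if it were misused as a
 * format string. "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Detect a %n directive, allowing a positional index, flags, width,
 * precision and length modifiers between the '%' and the 'n'. */
bool has_n_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        const char *p = s + 1;
        while (*p && strchr("0123456789$-+ #.hlLqjzt", *p)) p++;
        if (*p == 'n') return true;
    }
    return false;
}

int main(void)
{
    char buf[64];
    announce_invite(buf, sizeof buf, "zinx", kSampleChan);
    printf("%s\n", buf);                       /* chan is printed verbatim */
    printf("directives=%d has_n=%d\n",
           count_format_directives(kSampleChan), has_n_directive(kSampleChan));
    return 0;
}
```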