Subject: format string bug in muh
From: Maxime Henrion (muxQUALYS.COM)
Date: Sat Sep 09 2000 - 08:53:13 CDT


muh is an IRC bouncer, a program that will allow you to use any host you have a
shell on as a relay between you and IRC. Moreover, muh stays connected when you
are not, and can log any message you receive.

The muh official homepage is: http://mind.riot.org/muh/.

The latest version, 2.05d (and probably other versions as well), is vulnerable
to a format string bug that can be used to crash muh and probably to gain the
privileges of the user running muh. Since I have not seen this in the Bugtraq
archive, I am posting it.

Looking at the source code that displays the message log in muh.c:

        irc_notice( &c_client, status.nickname, CLNT_MSGLOGSTART );

        s = ( char * )malloc( 1024 );
        while( fgets( s, 1023, messagelog ) ) {
                /* strip the trailing newline from the logged line */
                if( s[ strlen( s ) - 1 ] == '\n' ) s[ strlen( s ) - 1 ] = 0;
                /* BUG: the logged line itself is passed as the format string */
                irc_notice( &c_client, status.nickname, s );
        }
        FREESTRING( s );

        irc_notice( &c_client, status.nickname, CLNT_MSGLOGEND );

The problem is the call "irc_notice( &c_client, status.nickname, s );": the
declaration of irc_notice() in irc.c shows that the third parameter is a
printf-style format string, so a line read from the message log, which is data
supplied by whoever sent the message, is passed to the function as the format
string.

        void irc_notice( connection_type *connection, char nickname[], char *format, ... )

So you can easily crash muh by sending a message containing "%s%s%s%d..." to
someone who uses muh but is not connected at the moment. When the user
reconnects to muh and runs /muh read, it will crash.
As a temporary workaround, you can disable message logging.

Patch: replace the line:

irc_notice( &c_client, status.nickname, s );

with this one:

irc_notice( &c_client, status.nickname, "%s", s );

Best regards,
Maxime Henrion
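The vulnerable call and the patched call from the advisory above, side by side as an added C example (this is not muh's own code). build_notice() is a hypothetical stand-in for irc_notice() with the same (nickname, format, ...) calling convention that renders the NOTICE line into a buffer instead of writing it to the client socket, so the effect of the format string can be inspected; notice_vulnerable() and notice_fixed() reproduce the call before and after the patch; count_unsupplied_conversions() is an added helper that counts the conversion specifications a logged line would feed to vsnprintf(). The sample log lines are constructed. The one way to observe the difference between the two paths without undefined behaviour is a message containing "%%": the vulnerable path collapses it to a single percent sign, the fixed path passes the line through verbatim, and the advisory's "%s%s%s%d" payload is only ever sent down the fixed path here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Mark argument 'fmt' as a printf-style format on GCC/clang so that
 * -Wformat -Wformat-security reports callers that pass a non-literal
 * format with no further arguments (the pattern in muh.c). */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt, first) __attribute__((format(printf, fmt, first)))
#else
#define PRINTF_LIKE(fmt, first)
#endif

/* Hypothetical stand-in for muh's irc_notice(): same calling convention
 * (nickname, format, ...), but the NOTICE line is rendered into 'out'
 * instead of being written to the client socket. Returns the length
 * snprintf() produced, or a negative value on error. */
static int build_notice(char *out, size_t outlen, const char *nick,
                        const char *format, ...) PRINTF_LIKE(4, 5);

static int build_notice(char *out, size_t outlen, const char *nick,
                        const char *format, ...)
{
    char body[512];
    va_list ap;

    va_start(ap, format);
    vsnprintf(body, sizeof body, format, ap);   /* 'format' decides what is read */
    va_end(ap);
    return snprintf(out, outlen, "NOTICE %s :%s", nick, body);
}

/* The call as it appears in muh.c: the logged line *is* the format
 * string, so every conversion in it reads an argument nobody passed. */
static int notice_vulnerable(char *out, size_t outlen, const char *nick,
                             const char *logline)
{
    return build_notice(out, outlen, nick, logline);
}

/* The patched call: the logged line is only ever an argument to "%s". */
static int notice_fixed(char *out, size_t outlen, const char *nick,
                        const char *logline)
{
    return build_notice(out, outlen, nick, "%s", logline);
}

/* Convenience wrapper returning the rendered NOTICE from a static buffer. */
static const char *render_notice(int use_fix, const char *nick,
                                 const char *logline)
{
    static char out[1024];

    if (use_fix)
        notice_fixed(out, sizeof out, nick, logline);
    else
        notice_vulnerable(out, sizeof out, nick, logline);
    return out;
}

/* Count the conversion specifications in 'msg' that would consume a
 * variadic argument; "%%" consumes none and is skipped. A count above
 * zero means the line is hostile when used as a format string. (A '*'
 * width or precision consumes an extra argument that is not counted
 * separately, so this is a lower bound.) */
static int count_unsupplied_conversions(const char *msg)
{
    int n = 0;
    const char *p = msg;

    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] == '%') {      /* literal percent sign, no argument */
            p += 2;
            continue;
        }
        n++;
        p++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample log lines; the second is the payload from the
     * advisory and is only ever passed through the fixed path here. */
    const char *benign = "100%% sure";
    const char *hostile = "%s%s%s%d";

    printf("vulnerable: %s\n", render_notice(0, "mux", benign));
    printf("fixed:      %s\n", render_notice(1, "mux", benign));
    printf("fixed:      %s\n", render_notice(1, "mux", hostile));
    printf("%s would read %d unsupplied arguments\n",
           hostile, count_unsupplied_conversions(hostile));
    return 0;
}
```

With the format attribute in place, compiling with gcc -Wformat -Wformat-security warns "format not a string literal and no format arguments" at the build_notice() call inside notice_vulnerable() and stays silent for notice_fixed(); declaring irc_notice() the same way is the quickest way to find any further instances of this pattern in muh or in any other code base that wraps printf-style formatting.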