OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: format string bug in muh
From: Kris Kennaway (krisFREEBSD.ORG)
Date: Sat Sep 09 2000 - 23:39:51 CDT


On Sat, 9 Sep 2000, Maxime Henrion wrote:

> The latest version, 2.05d (and probably other versions...) is
> vulnerable to a format string bug which can be used to make muh crash
> and probably to gain the privileges of the user running muh. Since
> I've not seen this in the bugtraq archive, I post it.

Actually there were a couple of other bad-looking ones I just patched in
FreeBSD:

--- src/muh.c.orig Sun Mar 19 04:08:27 2000
+++ src/muh.c Sat Sep 9 21:32:15 2000
-575,7 +575,7
                 if( strcmp( param2 + 2, "USERINFO\1" ) == 0 )
                     irc_notice( &c_server, nick, USERINFOREPLY );
                 if( strncmp( param2 + 2, "PING", 4 ) == 0 ) {
- if( strlen( param2 + 1 ) > 6 ) irc_notice( &c_server, nick, param2 + 1 );
+ if( strlen( param2 + 1 ) > 6 ) irc_notice( &c_server, nick, "%s", param2 + 1 );
                 }
                 if( strcmp( param2 + 2, "CLIENTINFO\1" ) == 0 )
                     irc_notice( &c_server, nick, CLIENTINFOREPLY );
-591,7 +591,7
         }
         else { /* normale message/notice */
             if( !is_ignore( hostname, IGNORE_MESSAGE ) && status.allowreply ) {
- if( cfg.awaynotice ) irc_notice( &c_server, nick, cfg.awaynotice );
+ if( cfg.awaynotice ) irc_notice( &c_server, nick, "%s", cfg.awaynotice );
                 add_ignore( hostname, 120, IGNORE_MESSAGE );
                 status.allowreply = 0;
                 timers.reply = 0;
-841,7 +841,7
             s = ( char * )malloc( 1024 );
             while( fgets( s, 1023, messagelog ) ) {
                 if( s[ strlen( s ) - 1 ] == '\n' ) s[ strlen( s ) - 1 ] = 0;
- irc_notice( &c_client, status.nickname, s );
+ irc_notice( &c_client, status.nickname, "%s", s );
             }
             FREESTRING( s );

Kris