AOH :: HP Unsorted R :: C07-2700.HTM

Rhapsody IRC 0.28b (NICK) Multi fs and bof vulns



Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability
Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability



Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability

Description:

Rhapsody is a text console IRC client for Unix operating systems. It
is small, fast, portable, easy to use and full featured. An intuitive
menu-driven user interface makes rhapsody ideal for beginner to
intermediate users.
Found buffer overflow in various functions.
source: http://sourceforge.net/projects/rhapsody/ 

Source error:

#define MAXDATASIZE 1024
char nick[MAXDATASIZE];

- command request overflow

if (!sscanf(buffer, "/%s %[^\n]", command, parameters)){
	return(E_NONE);
}

- "connect" and "server" request overflow

if (strcasecmp(command, "connect") == 0 || strcasecmp(command, "server") == 0){
	pnum = sscanf(parameters, "%s %d", server, &port);
	if (pnum < 1){
		vprint_all("Usage: /%s  [port]\n", command);
		return(E_OTHER);
	}

- "nick" request overflow

else if (strcasecmp(command, "nick") == 0){
	pnum = sscanf(parameters, "%s", nick);
	if (pnum < 1){
		vprint_all("Usage: /nick \n");
	}
	else{
		sendcmd_server(currentserver, "NICK", nick, "", currentserver->nick);
		strcpy(currentserver->lastnick, currentserver->nick);
		strcpy(currentserver->nick, nick);

	}
	return(E_OTHER);
}

- "ctcp" request overflow

else if (strcasecmp(command, "ctcp") == 0){
	if (sscanf(parameters, "%s %[^\n]", nick, message) == 2){
		sendcmd_server(currentserver, "PRIVMSG",
create_ctcp_message(message), nick, currentserver->nick);
	}
	else vprint_all("Usage: /ctcp  |\n");
	return(E_OTHER);
}

- "dcc chat/send" request overflow

if (strcasecmp(subcommand, "chat") == 0){
	pnum = sscanf(subparameters, "%s %[^\n]", nick, message);
	if (pnum < 1){
		vprint_all("Usage: /dcc chat \n");
		return(E_OTHER);
	}

- "notice" request overflow

else if (strcasecmp(command, "notice") == 0){
	pnum = sscanf(parameters, "%s %[^\n]", nick, message);
	if (pnum < 2){
		vprint_all("Usage: /%s | \n", command);
		return(E_OTHER);
	}
	sendcmd_server(currentserver, "NOTICE", message, nick, currentserver->nick);
	return(E_OTHER);
}

- "msg" and "message" request overflow

else if (strcasecmp(command, "msg") == 0 || strcasecmp(command,
"message") == 0){
	pnum = sscanf(parameters, "%s %[^\n]", nick, message);
	if (pnum < 2){
		vprint_all("Usage: /%s  \n", command);
		return(E_OTHER);
	}
	else if (strcmp(nick, currentserver->nick) == 0) print_all("You can
not chat with yourself.\n");
	else if (!currentserver->active) print_all("Must be connected to a
server to chat.\n");
	else {
		sendcmd_server(currentserver, "PRIVMSG", message, nick, currentserver->nick);
		return(E_OTHER);
	}
}

- "chat" and "query" request overflow

else if (strcasecmp(command, "chat") == 0 || strcasecmp(command,
"query") == 0){
	chat *C;
		
	pnum = sscanf(parameters, "%s %[^\n]", nick, message);
	if (pnum < 1){
		vprint_all("Usage: /%s  \n", command);
		return(E_OTHER);
	}

- "me" and "ctcp" request format string

comm.c: 472
char *create_ctcp_message(char *message, ...){
	static char buffer[MAXDATASIZE];
        va_list ap;
	char string[MAXDATASIZE];

	va_start(ap, message);
	vsprintf(string, message, ap);
        va_end(ap);

	sprintf(buffer, "%c%s%c", 1, string, 1);
	return(buffer);
}

and other: whois, mode, topic..

-- 
.original http://intel.shacknet.nu/ 
~ starcadi

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.