Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: unix5216.htm

Xchat /dns command execution vulnerability



29th Mar 2002 [SBWID-5216]
COMMAND

	Xchat /dns command execution vulnerability

SYSTEMS AFFECTED

	probably all XChat versions

PROBLEM

	Spacewalker     found      following      bug,      regarding      Xchat
	[http://www.xchat.org], a graphical IRC client :
	

	There is an issue by the way xchat handle the /exec  command,  and  more
	accuratly in the /dns command. the  /dns  should  resolve  the  host  of
	somebody, issuing the  command  \"/dns  some_nick\"  and  executes  \"%s
	%s\",prefered dns program, hostname of the person
	

	the body of the cmd_dns() function contains this,  in  common/outbound.c
	line 1474
	

	{

	sprintf (tbuf, \"/exec %s %s\", prefs.dnsprogram, nick);

	handle_command (tbuf, sess, 0, 0);

	}

	

	

	and far away, at line 1863 in the cmd_exec() function
	

	execl (\"/bin/sh\", \"sh\", \"-c\", cmd, 0);

	

	not any caracter are stripped out of cmd : if you can force a server  to
	respond a dns with \";DISPLAY=localhost:0.0;xterm\" the  command  passed
	to the execl will be
	

	\"host;DISPLAY=localhost:0.0;xterm\"

	

	which will run arbitrary  command.  Anyway,  the  executed  command  are
	printed to the channel just before execution.
	

	To exploit the hole, the attacker may force a server  to  respond  to  a
	whois command with a malformed dns.
	

	So, two conditions to exploit the vuln:
	

	 * The cible must be on your own patched server

	 * He musts run the /dns command on someone

	

SOLUTION

	For now, don\'t go on unknown servers, while a  patch  is  being  coded.
	Generaly, it\'s a bad idea to go on an unknown  server  with  xchat.  It
	trusts too much the protocols conventions and may be vulnerable in  some
	strcpy()s (like in the example).


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH