
Xchat /dns command execution vulnerability
29th Mar 2002 [SBWID-5216]

	probably all XChat versions


	Spacewalker found the following bug regarding Xchat [], a graphical IRC
	client:

	There is an issue in the way xchat handles the /exec command, and more
	precisely in the /dns command. /dns should resolve the host of somebody:
	issuing the command "/dns some_nick" executes "%s %s" with the preferred
	dns program and the hostname of the person.

	The body of the cmd_dns() function contains this, in common/outbound.c
	at line 1474:


	/* nick is the hostname as returned by the server, copied in unchanged */
	sprintf (tbuf, "/exec %s %s", prefs.dnsprogram, nick);

	handle_command (tbuf, sess, 0, 0);




	and far away, at line 1863 in the cmd_exec() function:

	/* cmd, hostname included, is handed to the shell for parsing */
	execl ("/bin/sh", "sh", "-c", cmd, 0);


	No characters are stripped out of cmd: if you can force a server to
	respond to a dns with ";DISPLAY=localhost:0.0;xterm", the command passed
	to the execl will be



	which will run arbitrary commands. Note, however, that the executed
	command is printed to the channel just before execution.

	To exploit the hole, the attacker may force a server to respond to a
	whois command with a malformed dns.

	So, two conditions to exploit the vuln:

	 * The target must be on your own patched server

	 * They must run the /dns command on someone



	For now, don't go on unknown servers while a patch is being coded.
	Generally, it's a bad idea to go on an unknown server with xchat. It
	trusts the protocol conventions too much and may be vulnerable in some
	strcpy()s (like in the example).
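The root cause above is a server-supplied hostname being formatted into a command line that /bin/sh then parses. The following is an added example written for this page, not XChat's code: it mirrors the sprintf pattern only to inspect the resulting line for shell metacharacters (nothing is executed), then shows the hardened form a fix would take, an allow-list check on the hostname followed by execvp() with an argv array so no shell is ever involved. The resolver name "host", the stand-in program "true" and the hostnames used in main() are constructed assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Characters that /bin/sh -c treats specially; any one of these inside a
   "hostname" is enough to turn "program host" into something else. */
static const char SHELL_META[] = ";|&$`<>(){}[]*?!~'\"\\ \t\n";

/* Mirror of the cmd_dns() pattern: the server-supplied host is formatted
   straight into a command line. Returns 1 if that line would not be parsed
   by sh -c as a plain "program host" pair. The line is only built and
   inspected here, never executed. */
int dns_command_line_is_tainted(const char *dnsprogram, const char *host)
{
    char line[512];
    snprintf(line, sizeof line, "/exec %s %s", dnsprogram, host);
    return strpbrk(host, SHELL_META) != NULL;
}

/* Strict allow-list for something that claims to be a hostname: letters,
   digits, '-' and '.', at most 253 bytes, and not starting with '-' (a
   leading dash would be read as an option by most resolver programs). */
int hostname_is_safe(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Hardened replacement: validate the host, then run the resolver through
   execvp() with an argv array, so the string is never handed to a shell.
   Returns the child's exit status, or -1 if the host was rejected or the
   process could not be started. */
int run_dns_lookup(const char *dnsprogram, const char *host)
{
    if (!hostname_is_safe(host))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)dnsprogram, (char *)host, NULL };
        execvp(dnsprogram, argv);
        _exit(127);                     /* execvp only returns on failure */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: an ordinary hostname and the hostile "hostname"
       quoted in the advisory. "host" stands in for prefs.dnsprogram. */
    const char *good = "irc.example.net";
    const char *bad  = ";DISPLAY=localhost:0.0;xterm";

    printf("%-32s tainted=%d safe=%d\n", good,
           dns_command_line_is_tainted("host", good), hostname_is_safe(good));
    printf("%-32s tainted=%d safe=%d\n", bad,
           dns_command_line_is_tainted("host", bad), hostname_is_safe(bad));
    /* "true" ignores its argument, so this only exercises the exec path. */
    printf("hardened lookup of hostile name -> %d\n", run_dns_lookup("true", bad));
    printf("hardened lookup of good name    -> %d\n", run_dns_lookup("true", good));
    return 0;
}
```

The allow-list is deliberately narrower than what DNS can carry: anything a resolver needs is covered, and rejecting a name is cheaper than reasoning about which metacharacters a given shell honours. The leading-dash check matters even once the shell is gone, because an argv entry such as "-x" is still an argument the resolver will try to interpret.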
