[15617] in bugtraq
BitchX - more on format bugs?
daemon@ATHENA.MIT.EDU (Forever shall I be.)
Wed Jul 5 16:14:25 2000
Message-Id: <Pine.LNX.4.21.0007031026250.437-200000@bliss.penguinpowered.com>
Date: Mon, 3 Jul 2000 10:34:09 -0500
Reply-To: "Forever shall I be." <zinx@LINUXFREAK.COM>
From: "Forever shall I be." <zinx@LINUXFREAK.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Well, I've not seen this posted to bugtraq yet, so here goes... BitchX has
fallen victim to the infamous format bug... All unpatched versions of
BitchX are apparently vulnerable (patch follows).

I've done a bit of messing around myself, and I think this bug can be used
to execute arbitrary code (via the %n method outlined in previous articles).
Over here the user string (channel argument to invite) is around the 24th
argument (a.k.a. %24$n) when compiled with gcc 2.95.2 on x86 boxes running
glibc 2.1.3; it varies if your setup is different, of course.

Now... That's not to say the exploit will be portable (it won't be), or
easy (it probably won't be difficult, but it won't be easy: you can only
use characters valid in channel names, though there are a lot, and on
some servers you have to prefix it with #, which makes big-endian
exploits near impossible).

And by the way, I didn't find the bug, nor create the patch.

That's all folks.
--
Zinx Verituse <zinx@linuxfreak.com>
gpg (id 921B1558) (fp 5746 73A1 2184 A27A 9EC0 EDCC E132 BCEF 921B 1558)
Attachment: 1.0c16-format.patch

Instructions:

cd BitchX/source
patch < /path/to/75p3-format.patch

It should apply cleanly.  Then recompile bx and restart your client.

--- parse.c.orig	Mon Jul  3 05:20:51 2000
+++ parse.c	Mon Jul  3 05:21:15 2000
@@ -1150,7 +1150,7 @@
 				else
 					bitchsay("Press %s to join %s", s, invite_channel);
 			}
-			logmsg(LOG_INVITE, from, 0, invite_channel);
+			logmsg(LOG_INVITE, from, 0, "%s", invite_channel);
 		}
 		if (!(chan = lookup_channel(invite_channel, from_server, 0)))
 			check_auto_join(from_server, from, invite_channel, ArgList[2]);
@@ -1211,7 +1211,7 @@
 			fudge_nickname(from_server, 1);
 		if (get_int_var(AUTO_RECONNECT_VAR))
 			servercmd (NULL, sc, empty_string, NULL);
-		logmsg(LOG_KILL, from, 0, ArgList[1]?ArgList[1]:"(No Reason)");
+		logmsg(LOG_KILL, from, 0, "%s", ArgList[1]?ArgList[1]:"(No Reason)");
 	}
 	update_all_status(current_window, NULL, 0);
 }
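Review bot: The change to the `logmsg(LOG_INVITE, ...)` line in the first hunk (parse.c around line 1150) is the right fix: `invite_channel` comes straight from the server and was being passed in the position where `logmsg()` takes a printf-style format, so putting a literal `"%s"` in front of it turns it back into plain data. Two follow-ups: the context lines show `invite_channel` also flowing into `bitchsay("Press %s to join %s", s, invite_channel)`, which is already safe because that format is a literal, but every other `logmsg()` call in parse.c outside this hunk deserves the same check (fourth argument must be a string literal). Also note the instructions name the file `75p3-format.patch` while the attachment is `1.0c16-format.patch`; use whichever name the file was saved under.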
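Review bot: Same pattern and same correct fix on the `logmsg(LOG_KILL, ...)` line in the second hunk (parse.c around line 1211): the whole `ArgList[1]?ArgList[1]:"(No Reason)"` expression is now an argument to a literal `"%s"`, so both the server-supplied kill reason and the fallback text go through as data. To keep this class of bug from coming back, declare `logmsg()` with `__attribute__((format(printf, 4, 5)))` (the fourth parameter is the format and the variadic arguments start at the fifth, as both hunks show) and build with `-Wformat -Wformat-security`; the compiler will then flag any remaining caller that passes a non-literal format with no arguments.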
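The pre-patch and post-patch call shapes from the hunks above, side by side, plus a small scanner for the positional `%N$n` reach the post talks about. This is an added example and not BitchX code: the `logmsg()` stand-in copies only the `(type, from, flag, fmt, ...)` argument order visible in the patch and writes into a caller buffer instead of a log file; the `LOG_*` values, `format_reach()` and every input string are assumptions made up for the example.

```c
/* Added example (not BitchX code). The logmsg() stand-in mirrors the
 * (type, from, flag, fmt, ...) argument order seen in the patch but formats
 * into a caller buffer; LOG_* values and all sample strings are made up. */
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum { LOG_INVITE = 1, LOG_KILL = 2 };   /* assumed values, not BitchX's */

/* Stand-in for logmsg(): prefix "[type] from: ", then printf-format the rest.
 * Whatever the caller passes as fmt is interpreted by vsnprintf(). */
static int logmsg(char *out, size_t outsz, int type, const char *from,
                  int flag, const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outsz, "[%d] %s: ", type, from);
    (void)flag;
    if (n < 0 || (size_t)n >= outsz)
        return n;
    va_start(ap, fmt);
    n += vsnprintf(out + n, outsz - (size_t)n, fmt, ap);
    va_end(ap);
    return n;
}

/* Pre-patch shape: the channel name from the wire *is* the format string. */
int log_invite_vuln(char *out, size_t outsz, const char *from, const char *chan)
{
    return logmsg(out, outsz, LOG_INVITE, from, 0, chan);
}

/* Post-patch shape: constant "%s" format, the channel is only ever data. */
int log_invite_fixed(char *out, size_t outsz, const char *from, const char *chan)
{
    return logmsg(out, outsz, LOG_INVITE, from, 0, "%s", chan);
}

/* Walk a string the way printf's parser would and return the highest
 * argument slot any conversion consumes (0 if none). *writes is set when a
 * %n directive (a memory write) is present. "%%" is a literal and consumes
 * nothing; "%N$..." positional directives are honoured; a '*' width or
 * precision consumes a sequential slot. Good enough for triage, not a
 * complete printf grammar. */
int format_reach(const char *s, int *writes)
{
    int highest = 0, next = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* "%%" literal percent */
        const char *q = p;
        int idx = 0;
        while (isdigit((unsigned char)*q))
            idx = idx * 10 + (*q++ - '0');
        if (idx > 0 && *q == '$')
            p = q + 1;                      /* positional, e.g. %24$n */
        else
            idx = ++next;                   /* sequential: next slot */
        while (*p && strchr("-+ #0", *p))
            p++;                            /* flags */
        if (*p == '*') { next++; p++; }     /* width taken from an argument */
        while (isdigit((unsigned char)*p))
            p++;
        if (*p == '.') {                    /* precision */
            p++;
            if (*p == '*') { next++; p++; }
            while (isdigit((unsigned char)*p))
                p++;
        }
        while (*p && strchr("hlLqjzt", *p))
            p++;                            /* length modifiers */
        if (!*p)
            break;                          /* dangling '%' at end of string */
        if (*p == 'n')
            *writes = 1;
        if (idx > highest)
            highest = idx;
    }
    return highest;
}

int main(void)
{
    char buf[128];
    int writes;
    const char *chan = "#chan%%";           /* constructed hostile channel name */

    log_invite_vuln(buf, sizeof buf, "nick", chan);
    printf("vulnerable: %s\n", buf);        /* "%%" collapsed: string was a format */
    log_invite_fixed(buf, sizeof buf, "nick", chan);
    printf("fixed:      %s\n", buf);        /* "%%" kept: string was data */

    int reach = format_reach("#%24$n", &writes);
    printf("#%%24$n reaches slot %d, writes=%d\n", reach, writes);
    return 0;
}
```

`"%%"` is used as the probe because it is the one directive that is well-defined with no arguments, so the two calls can be compared without undefined behaviour; with `"#%24$n"` the vulnerable call would instead walk 24 slots up the stack and write, which is the author's point about positional `%n`. `format_reach()` is the kind of check you would run over channel names or kill reasons in a log or pcap to spot strings that only make sense as format strings.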