5255092 2000-07-05 21:59 /32 lines/ Postmaster
Recipient: Bugtraq (import) <11574>
Subject: remote crash BitchX 1.0c16
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.10.10007032354590.985-100000@panasync.canuck.ca>
Date: Tue, 4 Jul 2000 00:01:18 -0600
Reply-To: edwards@bitchx.dimension6.com
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Colten Edwards <edwards@bitchx.dimension6.com>
To: BUGTRAQ@SECURITYFOCUS.COM

There's a small bug in the latest BitchX in which a nasty user can invite
you to a channel with a %s in it, causing the client to coredump. As a lot
of channels/users on irc use the client, I felt I should post a notice
about this problem. A small patch is available on
www.bitchx.com/downloads.html as well as on
ftp.bitchx.com/pub/BitchX/1.0c16.patch

This is a classic case of printf(variable); where variable contains
formatting chars. I doubt very much this would lead to a root exploit;
anyone running any irc client as root should be examined professionally.

I wish to thank the person who discovered this and reported it to #bitchx
on efnet, as well as the many emails I received on this subject. We had a
patch available for this before it was widely known.

Colten Edwards
panasync@efnet
(5255092) ------------------------------------------(Re-wrapped)

5255111 2000-07-05 22:07 /73 lines/ Postmaster
Recipient: Bugtraq (import) <11575>
Subject: BitchX - more on format bugs?
------------------------------------------------------------
Message-ID: <Pine.LNX.4.21.0007031026250.437-200000@bliss.penguinpowered.com>
Date: Mon, 3 Jul 2000 10:34:09 -0500
Reply-To: "Forever shall I be." <zinx@LINUXFREAK.COM>
From: "Forever shall I be." <zinx@LINUXFREAK.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Well, I've not seen this posted to bugtraq yet, so here goes... BitchX has
fallen victim to the infamous format bug... All unpatched versions of
BitchX are apparently vulnerable (patch follows)..

I've done a bit of messing around myself, and I think this bug can be used
to execute arbitrary code (via %n method outlined in previous articles) --
Over here the user string (channel argument to invite) is around the 24th
argument (aka %24$n) when compiled with gcc 2.95.2 on x86 boxes running
glibc 2.1.3, it varies if your setup is different of course..

Now.. That's not to say the exploit will be portable (it won't be), or easy
(it probably won't be difficult, but it won't be easy -- you can only use
characters valid to channel names, though there are a lot.. and on some
servers, you have to prefix it with #, which makes big endian exploits near
impossible) and by the way, I didn't find the bug, nor create the patch..

That's all folks..

--
Zinx Verituse <zinx@linuxfreak.com>
gpg (id 921B1558) (fp 5746 73A1 2184 A27A 9EC0 EDCC E132 BCEF 921B 1558)

[Attachment: 1.0c16-format.patch (text/plain, base64-decoded)]

Instructions:

cd BitchX/source
patch < /path/to/75p3-format.patch

It should apply cleanly.  Then recompile bx and restart your client.

--- parse.c.orig	Mon Jul  3 05:20:51 2000
+++ parse.c	Mon Jul  3 05:21:15 2000
@@ -1150,7 +1150,7 @@
 				else
 					bitchsay("Press %s to join %s", s, invite_channel);
 			}
-			logmsg(LOG_INVITE, from, 0, invite_channel);
+			logmsg(LOG_INVITE, from, 0, "%s", invite_channel);
 		}
 		if (!(chan = lookup_channel(invite_channel, from_server, 0)))
 			check_auto_join(from_server, from, invite_channel, ArgList[2]);
@@ -1211,7 +1211,7 @@
 			fudge_nickname(from_server, 1);
 		if (get_int_var(AUTO_RECONNECT_VAR))
 			servercmd (NULL, sc, empty_string, NULL);
-		logmsg(LOG_KILL, from, 0, ArgList[1]?ArgList[1]:"(No Reason)");
+		logmsg(LOG_KILL, from, 0, "%s", ArgList[1]?ArgList[1]:"(No Reason)");
 	}
 	update_all_status(current_window, NULL, 0);
 }
(5255111) ------------------------------------------(Re-wrapped)

5255129 2000-07-05 22:15 /54 lines/ Postmaster
Recipient: Bugtraq (import) <11577>
Subject: BitchX exploit possibly waiting to happen, certain DoS
------------------------------------------------------------
Approved-By:
 aleph1@SECURITYFOCUS.COM
Message-ID: <20000704001949.A14132@home.ds9a.nl>
Date: Tue, 4 Jul 2000 00:19:50 +0200
From: bert hubert <ahu@DS9A.NL>
To: BUGTRAQ@SECURITYFOCUS.COM

With regards to the wu-ftpd exploits, it has come to my attention that
BitchX (all recent versions), a very popular irc client amongst the sysadmin
community contains code similar to wu-ftpd 2.6:

	logmsg(LOG_INVITE, from, 0, invite_channel);

Where the last argument is a printf() style format argument. A patch is
floating around which changes this line to:

	logmsg(LOG_INVITE, from, 0, "%s", invite_channel);

See also http://bitchx.vda.nl/

Under FreeBSD 4, /invite-ing somebody to a channel with %s%s%s%s in the
name causes a segmentation violation on the remote client. Linux appears
not to suffer from this problem, but this is probably just a lucky break.
Linux (RedHat 6.1, Debian Frozen) does die if you invite somebody to
channel %n%n%n%n.

As many system administrators, including very senior ones, leave their
client open 24 hours a day, possibly in a screen session, this might be a
real problem waiting to happen.

I don't have the skills to determine if this is exploitable. I tried some
basic things but was unable to set the EIP - this should not be taken as a
sign that it isn't possible, however.

A temporary solution is to switch to another client, like ircII, which is
considered by many to be the more karmic client anyway.

Thanks to Sjeemz for pointing me to this.

Regards,

bert hubert

--
| http://www.rent-a-nerd.nl
| - U N I X -
| Inspice et cautus eris - D11T'95
(5255129) ------------------------------------------(Re-wrapped)

5257897 2000-07-06 19:29 /66 lines/ Postmaster
Recipient: Bugtraq (import) <11610>
Subject: Re: BitchX - more on format bugs?
------------------------------------------------------------
Message-ID: <4.3.2.7.0.20000705151404.00c503f0@pop.schulte.org>
Date: Wed, 5 Jul 2000 15:16:47 -0500
From: Christopher Schulte <christopher@SCHULTE.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0007031026250.437-200000@bliss.penguinpowered.com>

At 10:34 AM 7/3/00 -0500, Forever shall I be. wrote:
>Well, I've not seen this posted to bugtraq yet, so here goes... BitchX has
>fallen victim to the infamous format bug... All unpatched versions of
>BitchX are apparently vulnerable (patch follows)..

There is also a patch for BitchX-75p3:

Instructions:

cd BitchX/source
patch < /path/to/75p3-format.patch

It should apply cleanly.  Then recompile bx and restart your client.

--- parse.c.orig	Fri Feb 26 11:01:55 1999
+++ parse.c	Mon Jul  3 05:17:14 2000
@@ -1030,7 +1030,7 @@
 				bitchsay("Press Ctrl-K to join %s (%s)", invite_channel, ArgList[2]);
 			else
 				bitchsay("Press Ctrl-K to join %s", invite_channel);
-			logmsg(LOG_INVITE, from, 0, invite_channel);
+			logmsg(LOG_INVITE, from, 0, "%s", invite_channel);
 		}
 		if (!(chan = lookup_channel(invite_channel, from_server, 0)))
 			if ((w_chan = check_whowas_chan_buffer(invite_channel, 0)))
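Review bot: the "%s" literal in the logmsg(LOG_INVITE, ...) line is the right fix, since invite_channel is then consumed as an argument rather than interpreted as the format, but this hunk only covers one call site and nothing stops the same mistake being reintroduced elsewhere. Given that the last fixed argument of logmsg() is a printf-style format (as the thread describes it), consider also declaring logmsg() with the GCC format attribute (assuming its prototype matches the visible call, __attribute__((format(printf, 4, 5)))) so that -Wformat -Wformat-security flags every remaining caller that passes a variable as the format, and grep the tree for other logmsg( calls whose format argument is not a string literal. The two bitchsay() lines in the context already use a literal format and need no change.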
@@ -1097,7 +1097,7 @@
 			fudge_nickname(from_server);
 		if (get_int_var(AUTO_RECONNECT_VAR))
 			servercmd (NULL, sc, empty_string, NULL);
-		logmsg(LOG_KILL, from, 0, ArgList[1]?ArgList[1]:"(No Reason)");
+		logmsg(LOG_KILL, from, 0, "%s", ArgList[1]?ArgList[1]:"(No Reason)");
 	}
 	update_all_status(current_window, NULL, 0);
 }

>--
>Zinx Verituse <zinx@linuxfreak.com>
>gpg (id 921B1558) (fp 5746 73A1 2184 A27A 9EC0 EDCC E132 BCEF 921B 1558)

--
Christopher Schulte | christopher@schulte.org
cell:612.986.4859 | home:651.225.4557 | fax: 651.315.3339
page:612.264.1115 | free:877.271.9245 | site: schulte.org
COMING SOON http://SchulteConsulting.COM/
reliable computer consulting at a fair price.
(5257897) ------------------------------------------

5257951 2000-07-06 19:57 /68 lines/ Postmaster
Recipient: Bugtraq (import) <11613>
Subject: Re: BitchX exploit possibly waiting to happen, certain DoS
------------------------------------------------------------
Message-ID: <20000705132353.A18723@drow.them.org>
Date: Wed, 5 Jul 2000 13:23:53 -0700
From: Daniel Jacobowitz <drow@FALSE.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000704001949.A14132@home.ds9a.nl>; from ahu@DS9A.NL on Tue Jul 04, 2000 at 12:19:50AM +0200

On Tue, Jul 04, 2000 at 12:19:50AM +0200, bert hubert wrote:
> With regards to the wu-ftpd exploits, it has come to my attention that
> BitchX (all recent versions), a very popular irc client amongst the sysadmin
> community contains code similar to wu-ftpd 2.6:
>
> logmsg(LOG_INVITE, from, 0, invite_channel);
>
> Where the last argument is a printf() style format argument. A patch is
> floating around which changes this line to:
>
> logmsg(LOG_INVITE, from, 0, "%s", invite_channel);
>
> See also http://bitchx.vda.nl/

A patch has been available on ftp.bitchx.org for about two days now:
ftp://ftp.bitchx.org/pub/BitchX/source/1.0c16-format.patch
ftp://ftp.bitchx.org/pub/BitchX/source/75p3-format.patch

Fixed packages for Debian 2.2 are also available, and fixed packages for
Debian 2.1 are forthcoming.

Dan

/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz              |__| SCS Class of 2002              |
| Debian GNU/Linux Developer      __  Carnegie Mellon University     |
| dan@debian.org                 |  | dmj+@andrew.cmu.edu            |
\--------------------------------/ \--------------------------------/
(5257951) ------------------------------------------

5258024 2000-07-06 20:55 /38 lines/ Postmaster
Recipient: Bugtraq (import) <11616>
Subject: Re: remote crash BitchX 1.0c16
------------------------------------------------------------
Message-ID: <Pine.LNX.4.21.0007050638140.32211-100000@crackrock.net>
Date: Wed, 5 Jul 2000 06:38:42 -0700
Reply-To: mndfreeze@CRACKROCK.NET
From: "Moniz, Troy" <mndfreeze@CRACKROCK.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10007032354590.985-100000@panasync.canuck.ca>

This also affects bitchx 75p3

On Tue, 4 Jul 2000, Colten Edwards wrote:

> There's a small bug in the latest BitchX in which a nasty user can invite
> you to a channel with a %s in it, causing the client to coredump. As a lot
> of channels/users on irc use the client, I felt I should post a notice
> about this problem. A small patch is available on
> www.bitchx.com/downloads.html as well as on
> ftp.bitchx.com/pub/BitchX/1.0c16.patch
>
> This is a classic case of printf(variable); where variable contains
> formatting chars. I doubt very much this would lead to a root exploit;
> anyone running any irc client as root should be examined professionally.
>
> I wish to thank the person who discovered this and reported it to #bitchx
> on efnet, as well as the many emails I received on this subject. We had a
> patch available for this before it was widely known.
>
>
> Colten Edwards
> panasync@efnet
>
(5258024) ------------------------------------------

5258044 2000-07-06 21:13 /26 lines/ Postmaster
Recipient: Bugtraq (import) <11617>
Subject: Secure IRC
------------------------------------------------------------
Message-ID: <Pine.LNX.4.21.0007061545180.9092-100000@naif.inet.it>
Date: Thu, 6 Jul 2000 15:53:02 +0200
From: Fabio Pietrosanti <naif@INET.IT>
X-cc: vuln-dev@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

In the last days a buffer overflow in the irc client BitchX was discovered,
so I decided to write a simple text on securing BitchX by putting it in the
jail of chroot.

It's possible to fetch this from http://naif.itapac.net/sirc

naif
naif@itapac.net
(5258044) ------------------------------------------
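Added example for the thread above; this is not code from BitchX or from any of the posters, and the names safe_logmsg, log_invite and has_format_directive, together with the sample nick and channel name, are made up here. It shows the pattern the two patches apply (the attacker-influenced channel name passed as an argument to a literal "%s" format, never as the format itself) in a logmsg()-style wrapper, and goes a step further than the thread in two ways a maintainer would want after such a fix: the wrapper carries GCC's format attribute, so that building with -Wformat -Wformat-security makes the compiler flag any remaining call that passes a variable as the format, and a small helper checks whether a string carries printf directives at all, which is useful for auditing log input at the boundary.

```c
/* Added example, not BitchX code. Function names and sample data are
 * constructed for illustration. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* logmsg()-style wrapper: formats into a caller-supplied buffer and returns
 * the number of characters that would have been written. The format
 * attribute (assumed positions: fmt is argument 3, variadic args start at 4)
 * lets gcc/clang with -Wformat -Wformat-security reject a call such as
 * safe_logmsg(buf, n, channel) where channel is not a string literal. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int safe_logmsg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* The hardened INVITE log line: the user-controlled channel name is data
 * bound to a literal "%s", exactly as the patches in the thread do it. */
int log_invite(char *out, size_t outlen, const char *from, const char *channel)
{
    return safe_logmsg(out, outlen, "INVITE from %s to %s", from, channel);
}

/* Audit helper: returns 1 if s contains a '%' that printf would treat as the
 * start of a conversion directive (a lone trailing '%' counts too), 0 if it
 * contains none. "%%" is an escaped percent sign and is not counted. */
int has_format_directive(const char *s)
{
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] != '%')
            return 1;
        p++;            /* skip the second '%' of an escaped "%%" */
    }
    return 0;
}

int main(void)
{
    char buf[128];
    /* Constructed sample: a channel name carrying the kinds of directives
     * the thread talks about. Passed as an argument it is rendered
     * literally and nothing is interpreted. */
    const char *channel = "#%s%s%n%24$n";

    log_invite(buf, sizeof buf, "nick!user@host", channel);
    printf("%s\n", buf);
    printf("directive present: %d\n", has_format_directive(channel));
    return 0;
}
```

Compile with `cc -Wall -Wformat -Wformat-security example.c`; with the attribute in place, changing log_invite to pass `channel` as the format argument produces a warning at compile time instead of a crash at run time.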