5255092 2000-07-05  21:59  /32 lines/ Postmaster
Recipient: Bugtraq (import) <11574>
Subject: remote crash BitchX 1.0c16
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Authentication-Warning: panasync.canuck.ca: edwards owned process doing -bs
X-Sender: edwards@panasync.canuck.ca
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.10.10007032354590.985-100000@panasync.canuck.ca>
Date:         Tue, 4 Jul 2000 00:01:18 -0600
Reply-To: edwards@bitchx.dimension6.com
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Colten Edwards <edwards@bitchx.dimension6.com>
To: BUGTRAQ@SECURITYFOCUS.COM

There's a small bug in the latest BitchX in which a nasty user can invite
you to a channel with a %s in it, causing the client to coredump. As a lot
of channels/users on irc use the client, I felt I should post a notice
about this problem. A small patch is available on
www.bitchx.com/downloads.html as well as on
   ftp.bitchx.com/pub/BitchX/1.0c16.patch

This is a classic case of printf(variable); where variable contains
formatting chars. I doubt very much this would lead to a root exploit,
anyone running any irc client as root should be examined professionally.

I wish to thank the person who discovered this and reported it to
#bitchx on efnet, as well as the many emails I received on this
subject. We had a patch available for this before it was widely known.


						Colten Edwards
						panasync@efnet
(5255092) ------------------------------------------(Reflowed)

5255111 2000-07-05  22:07  /73 lines/ Postmaster
Recipient: Bugtraq (import) <11575>
Subject: BitchX - more on format bugs?
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Sender: zinx@bliss.penguinpowered.com
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-1287686344-962638449=:437"
Message-ID:  <Pine.LNX.4.21.0007031026250.437-200000@bliss.penguinpowered.com>
Date:         Mon, 3 Jul 2000 10:34:09 -0500
Reply-To: "Forever shall I be." <zinx@LINUXFREAK.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Forever shall I be." <zinx@LINUXFREAK.COM>
To: BUGTRAQ@SECURITYFOCUS.COM


Well, I've not seen this posted to bugtraq yet, so here
goes... BitchX has fallen victim to the infamous format bug... All
unpatched versions of BitchX are apparently vulnerable (patch
follows)..

I've done a bit of messing around myself, and I think this bug can be
used to execute arbitrary code (via %n method outlined in previous
articles) -- Over here the user string (channel argument to invite)
is around the 24th argument (aka %24$n) when compiled with gcc 2.95.2
on x86 boxes running glibc 2.1.3, it varies if your setup is
different of course..

Now.. That's not to say the exploit will be portable (it won't be),
or easy (it probably won't be difficult, but it won't be easy -- you
can only use characters valid to channel names, though there are a
lot.. and on some servers, you have to prefix it with #, which makes
big endian exploits near impossible)

And by the way, I didn't find the bug, nor create the patch..

That's all folks..

--
Zinx Verituse <zinx@linuxfreak.com>
gpg (id 921B1558) (fp 5746 73A1 2184 A27A 9EC0  EDCC E132 BCEF 921B 1558)

Content-Type: TEXT/PLAIN; charset=US-ASCII; name="1.0c16-format.patch"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.21.0007031034090.437@bliss.penguinpowered.com>
Content-Description:
Content-Disposition: attachment; filename="1.0c16-format.patch"

(5255111) ------------------------------------------(Reflowed)

5255129 2000-07-05  22:15  /54 lines/ Postmaster
Recipient: Bugtraq (import) <11577>
Subject: BitchX exploit possibly waiting to happen, certain DoS
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000704001949.A14132@home.ds9a.nl>
Date:         Tue, 4 Jul 2000 00:19:50 +0200
Reply-To: bert hubert <ahu@DS9A.NL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: bert hubert <ahu@DS9A.NL>
To: BUGTRAQ@SECURITYFOCUS.COM

With regards to the wu-ftpd exploits, it has come to my attention
that BitchX (all recent versions), a very popular irc client amongst
the sysadmin community, contains code similar to wu-ftpd 2.6:

                logmsg(LOG_INVITE, from, 0, invite_channel);

Where the last argument is a printf() style format argument. A patch
is floating around which changes this line to:

                logmsg(LOG_INVITE, from, 0, "%s", invite_channel);

See also http://bitchx.vda.nl/

Under FreeBSD 4, /invite-ing somebody to a channel with %s%s%s%s in the name
causes a segmentation violation on the remote client. Linux appears not to
suffer from this problem, but this is probably just a lucky break. Linux
(RedHat 6.1, Debian Frozen) does die if you invite somebody to channel
%n%n%n%n.

As many system administrators, including very senior ones, leave
their client open 24 hours a day, possibly in a screen session, this
might be a real problem waiting to happen.

I don't have the skills to determine if this is exploitable. I tried
some basic things but was unable to set the EIP - this should not be
taken as a sign that it isn't possible, however.

A temporary solution is to switch to another client, like ircII,
which is considered by many to be the more karmic client anyway.

Thanks to Sjeemz for pointing me to this.

Regards,


bert hubert

--
                       |              http://www.rent-a-nerd.nl
                       |                     - U N I X -
                       |          Inspice et cautus eris - D11T'95
(5255129) ------------------------------------------(Reflowed)
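The one-line fix quoted above (a literal "%s" in front of the user-controlled channel name) is the whole story for this call site, but the same pattern recurs wherever a logging wrapper accepts a format string. The following C program is an added example, not BitchX code: logmsg_safe is a hypothetical stand-in for the client's logmsg() that forces a caller-supplied literal format and bounded output, and count_directives is a detection heuristic that a bouncer, proxy or log scanner could apply to INVITE channel names to spot this class of input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* With gcc/clang this lets -Wformat-security flag non-literal formats. */
#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Hypothetical stand-in for BitchX's logmsg() (not the project's code):
 * the format is a literal chosen by the caller, untrusted text travels as
 * a %s argument, and vsnprintf bounds the output buffer. */
PRINTF_LIKE(3, 4)
static int logmsg_safe(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Detection heuristic: count printf conversion directives in untrusted input
 * such as an INVITE channel name ("%%" is a literal percent, not counted). */
static int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Render the INVITE log line the hardened way: fixed format, data as data,
 * so a channel name of "#%s%s%s%s" is copied verbatim instead of parsed. */
static const char *render_invite(char *buf, size_t len,
                                 const char *from, const char *channel)
{
    logmsg_safe(buf, len, "INVITE from %s to %s", from, channel);
    return buf;
}
```

Building the original call site with a gcc that supports -Wformat-security produces a warning for the non-literal format argument; the hardened wrapper above compiles clean under the same flag.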

5257897 2000-07-06  19:29  /66 lines/ Postmaster
Recipient: Bugtraq (import) <11610>
Subject: Re: BitchX - more on format bugs?
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Sender: schulte@pop.schulte.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-ID:  <4.3.2.7.0.20000705151404.00c503f0@pop.schulte.org>
Date:         Wed, 5 Jul 2000 15:16:47 -0500
Reply-To: Christopher Schulte <christopher@SCHULTE.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Christopher Schulte <christopher@SCHULTE.ORG>
X-To:         "Forever shall I be." <zinx@LINUXFREAK.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.21.0007031026250.437-200000@bliss.penguinpowered.com>

At 10:34 AM 7/3/00 -0500, Forever shall I be. wrote:
>Well, I've not seen this posted to bugtraq yet, so here goes... BitchX has
>fallen victim to the infamous format bug... All unpatched versions of
>BitchX are apparently vulnerable (patch follows)..

There is also a patch for BitchX-75p3:

Instructions:

cd BitchX/source
patch < /path/to/75p3-format.patch

It should apply cleanly.  Then recompile bx and restart your client.

--- parse.c.orig        Fri Feb 26 11:01:55 1999
+++ parse.c     Mon Jul  3 05:17:14 2000
@@ -1030,7 +1030,7 @@
                                 bitchsay("Press Ctrl-K to join %s (%s)",
invite_channel, ArgList[2]);
                         else
                                 bitchsay("Press Ctrl-K to join %s",
invite_channel);
-                       logmsg(LOG_INVITE, from, 0, invite_channel);
+                       logmsg(LOG_INVITE, from, 0, "%s", invite_channel);
                 }
                 if (!(chan = lookup_channel(invite_channel, from_server, 0)))
                         if ((w_chan =
check_whowas_chan_buffer(invite_channel, 0)))
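Review bot: The logmsg(LOG_INVITE, ...) change is the right fix: invite_channel is text taken from the remote INVITE, and passing it as the format argument lets any % directives in a channel name drive printf-style parsing, whereas with the literal "%s" it is rendered as plain data. Two things to watch in this copy of the hunk: the mailer has wrapped the bitchsay(...) calls and the check_whowas_chan_buffer(...) context line onto two lines each, so this pasted version will not apply with patch as-is (use the attached or ftp copy of 75p3-format.patch), and the hunk covers only the INVITE handler, so any other logmsg()/bitchsay() callers in parse.c that pass a variable as the format need the same "%s" treatment.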
@@ -1097,7 +1097,7 @@
                         fudge_nickname(from_server);
                 if (get_int_var(AUTO_RECONNECT_VAR))
                         servercmd (NULL, sc, empty_string, NULL);
-               logmsg(LOG_KILL, from, 0, ArgList[1]?ArgList[1]:"(No Reason)");
+               logmsg(LOG_KILL, from, 0, "%s", ArgList[1]?ArgList[1]:"(No
Reason)");
         }
         update_all_status(current_window, NULL, 0);
  }
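Review bot: Same fix for the KILL handler, and it is needed: ArgList[1] is the kill reason sent by the server side, so the "(No Reason)" fallback was the only case where the format was under local control. In this copy the + line is wrapped in the middle of the string literal ("(No" / "Reason)"), which makes the hunk invalid as posted; apply the attachment or the ftp copy rather than this quoted text.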

>--
>Zinx Verituse <zinx@linuxfreak.com>
>gpg (id 921B1558) (fp 5746 73A1 2184 A27A 9EC0  EDCC E132 BCEF 921B 1558)


--
Christopher Schulte | christopher@schulte.org
cell:612.986.4859   | home:651.225.4557 | fax: 651.315.3339
page:612.264.1115   | free:877.271.9245 | site: schulte.org

COMING SOON http://SchulteConsulting.COM/
reliable computer consulting at a fair price.
(5257897) ------------------------------------------

5257951 2000-07-06  19:57  /68 lines/ Postmaster
Recipient: Bugtraq (import) <11613>
Subject: Re: BitchX exploit possibly waiting to happen, certain DoS
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
Mail-Followup-To: Daniel Jacobowitz <drow@false.org>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1 
             protocol="application/pgp-signature"; boundary="VbJkn9YxBvnuCH5J"
Content-Disposition: inline
User-Agent: Mutt/1.1.9i
Message-ID:  <20000705132353.A18723@drow.them.org>
Date:         Wed, 5 Jul 2000 13:23:53 -0700
Reply-To: Daniel Jacobowitz <drow@FALSE.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Daniel Jacobowitz <drow@FALSE.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000704001949.A14132@home.ds9a.nl>; from ahu@DS9A.NL on Tue 
             Jul 04, 2000 at 12:19:50AM +0200


On Tue, Jul 04, 2000 at 12:19:50AM +0200, bert hubert wrote:
> With regards to the wu-ftpd exploits, it has come to my attention that
> BitchX (all recent versions), a very popular irc client amongst the sysadmin
> community contains code similar to wu-ftpd 2.6:
>
>                 logmsg(LOG_INVITE, from, 0, invite_channel);
>
> Where the last argument is a printf() style format argument. A patch is
> floating around which changes this line to:
>
>                 logmsg(LOG_INVITE, from, 0, "%s", invite_channel);
>
> See also http://bitchx.vda.nl/

A patch has been available on ftp.bitchx.org for about two days now:

ftp://ftp.bitchx.org/pub/BitchX/source/1.0c16-format.patch
ftp://ftp.bitchx.org/pub/BitchX/source/75p3-format.patch

Fixed packages for Debian 2.2 are also available, and fixed packages
for Debian 2.1 are forthcoming.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan@debian.org         |  |       dmj+@andrew.cmu.edu      |
\--------------------------------/  \--------------------------------/

(5257951) ------------------------------------------

5258024 2000-07-06  20:55  /38 lines/ Postmaster
Recipient: Bugtraq (import) <11616>
Subject: Re: remote crash BitchX 1.0c16
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.21.0007050638140.32211-100000@crackrock.net>
Date:         Wed, 5 Jul 2000 06:38:42 -0700
Reply-To: mndfreeze@CRACKROCK.NET
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Moniz, Troy" <mndfreeze@CRACKROCK.NET>
X-To:         Colten Edwards <edwards@bitchx.dimension6.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10007032354590.985-100000@panasync.canuck.ca>

This also affects bitchx 75p3


On Tue, 4 Jul 2000, Colten Edwards wrote:

> There's a small bug in the latest BitchX in which a nasty user can invite
> you to a channel with a %s in it, causing the client to coredump. As a lot
> of channels/users on irc use the client, I felt I should post a notice
> about this problem. A small patch is available on
> www.bitchx.com/downloads.html as well as on
>    ftp.bitchx.com/pub/BitchX/1.0c16.patch
>
> This is a classic case of printf(variable); where variable contains
> formatting chars. I doubt very much this would lead to a root exploit,
> anyone running any irc client as root should be examined professionally.
>
> I wish to thank the person who discovered this and reported it to #bitchx
> on efnet, as well as the many emails I received on this subject. We had a
> patch available for this before it was widely known.
>
>
> 						Colten Edwards
> 						panasync@efnet
>
(5258024) ------------------------------------------

5258044 2000-07-06  21:13  /26 lines/ Postmaster
Recipient: Bugtraq (import) <11617>
Subject: Secure IRC
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.21.0007061545180.9092-100000@naif.inet.it>
Date:         Thu, 6 Jul 2000 15:53:02 +0200
Reply-To: Fabio Pietrosanti <naif@INET.IT>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Fabio Pietrosanti <naif@INET.IT>
X-cc:         vuln-dev@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

In the last few days a buffer overflow in the irc client BitchX was
discovered, so I decided to write a simple text on securing BitchX by
putting it in a chroot jail.


It's possible to fetch it from
http://naif.itapac.net/sirc



naif

naif@itapac.net
(5258044) ------------------------------------------