'Fw: xchat IRC session hijacking vulnerability (versions 1.4.1, 1.4.2)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       irssi-users
Subject:    Fw: xchat IRC session hijacking vulnerability (versions 1.4.1, 1.4.2)
From:       "Matti Hiljanen" <qvr () staff ! peliportti ! net>
Date:       2002-01-09 22:00:29
[Download RAW message or body]


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

tee-hee-hee :)


- ----- Original Message ----- 
From: "zen-parse" <zen-parse@gmx.net>
To: <bugtraq@securityfocus.com>
Sent: Wednesday, January 09, 2002 11:45 AM
Subject: xchat IRC session hijacking vulnerability (versions 1.4.1,
1.4.2)


> ====================================================================
> ====== ======= xchat 1.4.2 and 1.4.3 IRC session hijacking
> vulnerability ========
> ====================================================================
> ======  
> 
>   It is possible to trick xchat IRC clients (1.4.2, 1.4.3) into
> sending  
>   commands to the IRC server they are on, potentially allowing for
> social  
>   engineering attacks, channel takeovers, and denial of service.
> 
>                Vendor updates for affected versions soon.
> 
> ====================================================================
> ====== ================================ Background
> ==============================
> ====================================================================
> ======  
> 
> The CTCP PING reply handler is designed to return the string that
> was sent to it by another client. This enables that client to
> determine the time  lag between them and another user.
> 
> The querying client types
>   /ping nick
> which sends a command of the form:
>   PRIVMSG nick :\x01PING 1027050764\x01\n
> 
> Where "1027050764" was some representation of the current time, and
> \x01  is the character with the ASCII value 0x01.
> The queried client would respond with:
>   NOTICE nick :\xPING 1027050764\x01\n
> and the querying client would then compare the current time with
> the time  in the string.
> 
> If you sent "test 1 2 3 4" as the time part, xchat would reply with
> the  same string.
> 
> The xchat client also has a feature which allows insertion of
> arbitrary  ascii valued characters into a message. 
> 
> The message "This is %065 test." gets sent as "This is A test." to
> the server. (This option is disabled by default in later versions.)
> 
> If these expressions are expanded on the sending client, a ping
> messsage could be sent to a user with the command:
>   /msg nick %001PING 12345678%001 
> which would send a string like:
>   PRIVMSG nick :\x01PING 12345678\x01
> 
> (To disable expansion in xchat when you are typing them, use
> '%%nnn' to  send the '%nnn' literal. Eg: to send '%100x', type
> '%%100x' in the  client. If your client does expansion, it would
> show up as 'dx', which  can be quite annoying when discussing
> format strings.)
> 
> ====================================================================
> ====== =============================== The Problem
> ==============================
> ====================================================================
> ======  
> 
> The PING reply handler also expands the %nnn values in replies in
> the  vulnerable clients.
> 
> Example exploit, By Marcus Meissner <Marcus.Meissner@caldera.de>
> 
> #fupp is a channel.
> Victim is on it and has channel op status.
> 
> 
> Enter the command: cat xchat.exploit - | netcat server 6667 
> 
> (The - is necessary so we do not quit instantely)
> 
> This causes vulnerable 'Victim' to give user 'exploit' channel
> operator status in channel '#fupp' on server 'server'.
> 
> 
> -- zen-parse
> 
> ====================================================================
> ======  =         ObSpam: http://mp3.com/cosv/ - You know I want
> you to.         = 
> ====================================================================
> ======  = 1337sp34|< @ |r(://|r(.pu||thep|ug.(0m/
> {#r00th@t,#s0c|a|} @n|) 5tuff. =
> ====================================================================
> ======
> --------------------------------------------------------------------
> ----- 1) If this message was posted to a public forum by
> zen-parse@gmx.net, it  may be redistributed without modification. 
> 2) In any other case the contents of this message is confidential
> and not  to be distributed in any form without express permission
> from the author. 

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPDy9egujSq5XZ3Y5EQIYngCgnanTmaDgvoBboKa6YR94anPNktUAoJq0
c98uOi40ikVY0EnhOVyendNw
=5gWq
-----END PGP SIGNATURE-----


["xchat.exploit" (application/octet-stream)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic