List: irssi-users
Subject: Fw: xchat IRC session hijacking vulnerability (versions 1.4.1, 1.4.2)
From: "Matti Hiljanen" <qvr () staff ! peliportti ! net>
Date: 2002-01-09 22:00:29
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
tee-hee-hee :)
- ----- Original Message -----
From: "zen-parse" <zen-parse@gmx.net>
To: <bugtraq@securityfocus.com>
Sent: Wednesday, January 09, 2002 11:45 AM
Subject: xchat IRC session hijacking vulnerability (versions 1.4.1, 1.4.2)
> ==========================================================================
> ======= xchat 1.4.2 and 1.4.3 IRC session hijacking vulnerability ========
> ==========================================================================
>
> It is possible to trick xchat IRC clients (1.4.2, 1.4.3) into sending
> commands to the IRC server they are on, potentially allowing for social
> engineering attacks, channel takeovers, and denial of service.
>
> Vendor updates for affected versions soon.
>
> ==========================================================================
> ============================== Background ================================
> ==========================================================================
>
> The CTCP PING reply handler is designed to return the string that
> was sent to it by another client. This enables that client to
> determine the time lag between them and another user.
>
> The querying client types
> /ping nick
> which sends a command of the form:
> PRIVMSG nick :\x01PING 1027050764\x01\n
>
> Where "1027050764" was some representation of the current time, and
> \x01 is the character with the ASCII value 0x01.
> The queried client would respond with:
> NOTICE nick :\x01PING 1027050764\x01\n
> and the querying client would then compare the current time with
> the time in the string.
>
> If you sent "test 1 2 3 4" as the time part, xchat would reply with
> the same string.
>
> The xchat client also has a feature which allows insertion of
> arbitrary ascii valued characters into a message.
>
> The message "This is %065 test." gets sent as "This is A test." to
> the server. (This option is disabled by default in later versions.)
>
> If these expressions are expanded on the sending client, a ping
> message could be sent to a user with the command:
> /msg nick %001PING 12345678%001
> which would send a string like:
> PRIVMSG nick :\x01PING 12345678\x01
>
> (To disable expansion in xchat when you are typing them, use
> '%%nnn' to send the '%nnn' literal. Eg: to send '%100x', type
> '%%100x' in the client. If your client does expansion, it would
> show up as 'dx', which can be quite annoying when discussing
> format strings.)
>
> ==========================================================================
> ============================== The Problem ===============================
> ==========================================================================
>
> The PING reply handler also expands the %nnn values in replies in
> the vulnerable clients.
>
> Example exploit, By Marcus Meissner <Marcus.Meissner@caldera.de>
>
> #fupp is a channel.
> Victim is on it and has channel op status.
>
>
> Enter the command: cat xchat.exploit - | netcat server 6667
>
> (The - is necessary so we do not quit instantly)
>
> This causes vulnerable 'Victim' to give user 'exploit' channel
> operator status in channel '#fupp' on server 'server'.
>
>
> -- zen-parse
>
> ==========================================================================
> = ObSpam: http://mp3.com/cosv/ - You know I want you to.                 =
> = 1337sp34|< @ |r(://|r(.pu||thep|ug.(0m/ {#r00th@t,#s0c|a|} @n|) 5tuff. =
> ==========================================================================
> -------------------------------------------------------------------------
> 1) If this message was posted to a public forum by zen-parse@gmx.net,
>    it may be redistributed without modification.
> 2) In any other case the contents of this message is confidential and
>    not to be distributed in any form without express permission from
>    the author.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBPDy9egujSq5XZ3Y5EQIYngCgnanTmaDgvoBboKa6YR94anPNktUAoJq0
c98uOi40ikVY0EnhOVyendNw
=5gWq
-----END PGP SIGNATURE-----
["xchat.exploit" (application/octet-stream)]
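The following is an added example, not xchat source and not the contents of the xchat.exploit attachment (which is not reproduced on this page). It models the three pieces the advisory describes so they can be run side by side: xchat's %nnn character-insertion feature, the CTCP PING echo, and the fact that an IRC server is line-oriented, so a newline that the vulnerable client expands into its own reply becomes a second command sent with the victim's privileges. The payload, nicks, channel and the command injected (a MODE +o, matching the advisory's "gives 'exploit' channel operator status in '#fupp'") are constructed for illustration; %010 is assumed to be the code for LF under the decimal %nnn scheme the advisory shows with %065 = 'A' and %100 = 'd'.

```python
"""Model of the xchat 1.4.x CTCP PING reply problem from the advisory above.

Constructed example: the %nnn expander, the PING echo and the server-side
line splitting are written here to show the mechanism, not copied from
xchat. The payload is a reconstruction (%010 -> '\n'), not xchat.exploit.
"""
import re

CTCP = "\x01"
_PCT = re.compile(r"%(\d{3})")


def expand_percent_codes(text: str) -> str:
    """xchat's '%nnn' feature: '%065' -> 'A'; '%%' sends a literal '%'."""
    out = []
    i = 0
    while i < len(text):
        if text.startswith("%%", i):
            out.append("%")
            i += 2
            continue
        m = _PCT.match(text, i)
        if m and int(m.group(1)) < 256:
            out.append(chr(int(m.group(1))))
            i = m.end()
            continue
        out.append(text[i])
        i += 1
    return "".join(out)


# ":nick!user@host PRIVMSG target :\x01PING <payload>\x01"
_PING_Q = re.compile(r"^:([^!\s]+)\S* PRIVMSG \S+ :\x01PING ([^\x01]*)\x01?$")


def parse_ctcp_ping(line: str):
    """Return (sender_nick, ping_payload) for a CTCP PING query, else None."""
    m = _PING_Q.match(line)
    return (m.group(1), m.group(2)) if m else None


def ping_reply_vulnerable(line: str) -> str:
    """Vulnerable handler: echoes the payload, then runs %nnn expansion on
    the outgoing reply (the 1.4.2/1.4.3 behaviour the advisory describes)."""
    nick, payload = parse_ctcp_ping(line)
    return expand_percent_codes(f"NOTICE {nick} :{CTCP}PING {payload}{CTCP}")


def ping_reply_fixed(line: str) -> str:
    """Fixed handler: the reply carries the payload verbatim. %nnn expansion
    is a feature for text the local user typed, never for protocol replies."""
    nick, payload = parse_ctcp_ping(line)
    return f"NOTICE {nick} :{CTCP}PING {payload}{CTCP}"


def commands_seen_by_server(raw: str):
    """Command verbs a server parses from what the client writes. IRC is
    line-oriented: every CR/LF starts a new command. A leftover line holding
    only the closing \\x01 has no verb and is dropped (an unknown command)."""
    return [ln.split(" ", 1)[0] for ln in re.split(r"\r?\n", raw) if ln.strip(" \x01")]


def safe_send_line(line: str) -> str:
    """Defence in depth for any client: never put CR or LF on the wire,
    whatever produced it. Returns the framed line or raises."""
    if "\r" in line or "\n" in line:
        raise ValueError("refusing to send a multi-line IRC command")
    return line + "\r\n"


# Constructed query: 'exploit' pings the channel op 'Victim'; %010 expands
# to LF in the echoed reply and so splits it into two commands.
MALICIOUS_QUERY = (
    ":exploit!e@h PRIVMSG Victim :\x01PING 1234%010MODE #fupp +o exploit%010\x01"
)

if __name__ == "__main__":
    for name, handler in (("vulnerable", ping_reply_vulnerable),
                          ("fixed", ping_reply_fixed)):
        print(name, commands_seen_by_server(handler(MALICIOUS_QUERY)))
```

Run as a script it prints the verbs the server would execute for each handler: the vulnerable client sends a NOTICE followed by a MODE it never typed, the fixed one sends only the NOTICE. The point of `safe_send_line` is that removing expansion from the reply path fixes this one bug, while refusing CR/LF in every outgoing line closes the whole class of reflected-command problems regardless of which feature produced the newline.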