ircii-pana (BitchX) 74p4 overflow

From: Michal Zalewski (lcamtufat_private)
Date: Mon May 25 1998 - 02:25:02 PDT

Next message: Aleph One: "Re: Exploit: Windows95/98/ (NT?) Autorun"

Previous message: Michal Zalewski: "ircii-pana (BitchX) 74p4 overflow - exploit/fix"
Next in thread: Brian Weiss: "Re: ircii-pana (BitchX) 74p4 overflow"
Reply: Brian Weiss: "Re: ircii-pana (BitchX) 74p4 overflow"
Reply: Brian Weiss: "Re: ircii-pana (BitchX) 74p4 overflow"
Reply: Rich Lafferty: "Re: ircii-pana (BitchX) 74p4 overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Recently I found interesting overflow in dgets(...) function in one of the
most popular irc clients, BitchX 74p4 (by panasync). You can cause remote
client crash (and possibly much more) when you're fingered (/finger
built-in command) by victim - simply create eg. .plan with line longer
than 2 kbytes.  Depending on used line (ln /dev/urandom ~/.plan is nice),
client will crash with SEGV immediately or during any next '/' command...

Dumb, isn't it? For test purposes, /finger lcamtufat_private

_______________________________________________________________________
Michal Zalewski [lcamtufat_private] <= finger for pub PGP key
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]

Next message: Aleph One: "Re: Exploit: Windows95/98/ (NT?) Autorun"
Previous message: Michal Zalewski: "ircii-pana (BitchX) 74p4 overflow - exploit/fix"
Next in thread: Brian Weiss: "Re: ircii-pana (BitchX) 74p4 overflow"
Reply: Brian Weiss: "Re: ircii-pana (BitchX) 74p4 overflow"
Reply: Brian Weiss: "Re: ircii-pana (BitchX) 74p4 overflow"
Reply: Rich Lafferty: "Re: ircii-pana (BitchX) 74p4 overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:54:25 PDT