==========================================================================
======= xchat 1.4.2 and 1.4.3 IRC session hijacking vulnerability ========
==========================================================================
It is possible to trick xchat IRC clients (1.4.2, 1.4.3) into sending
commands to the IRC server they are on, potentially allowing for social
engineering attacks, channel takeovers, and denial of service.
Vendor updates for affected versions soon.
==========================================================================
================================ Background ==============================
==========================================================================
The CTCP PING reply handler is designed to return the string that was sent
to it by another client. This enables that client to determine the time
lag between them and another user.
The querying client types
/ping nick
which sends a command of the form:
PRIVMSG nick :\x01PING 1027050764\x01\n
Where "1027050764" was some representation of the current time, and \x01
is the character with the ASCII value 0x01.
The queried client would respond with:
NOTICE nick :\xPING 1027050764\x01\n
and the querying client would then compare the current time with the time
in the string.
If you sent "test 1 2 3 4" as the time part, xchat would reply with the
same string.
The xchat client also has a feature which allows insertion of arbitrary
ascii valued characters into a message.
The message "This is %065 test." gets sent as "This is A test." to the
server. (This option is disabled by default in later versions.)
If these expressions are expanded on the sending client, a ping messsage
could be sent to a user with the command:
/msg nick %001PING 12345678%001
which would send a string like:
PRIVMSG nick :\x01PING 12345678\x01
(To disable expansion in xchat when you are typing them, use '%%nnn' to
send the '%nnn' literal. Eg: to send '%100x', type '%%100x' in the
client. If your client does expansion, it would show up as 'dx', which
can be quite annoying when discussing format strings.)
==========================================================================
=============================== The Problem ==============================
==========================================================================
The PING reply handler also expands the %nnn values in replies in the
vulnerable clients.
Example exploit, By Marcus Meissner <Marcus.Meissnerat_private>
#fupp is a channel.
Victim is on it and has channel op status.
Enter the command: cat xchat.exploit - | netcat server 6667
(The - is necessary so we do not quit instantely)
This causes vulnerable 'Victim' to give user 'exploit' channel operator
status in channel '#fupp' on server 'server'.
-- zen-parse
==========================================================================
= ObSpam: http://mp3.com/cosv/ - You know I want you to. =
==========================================================================
= 1337sp34|< @ |r(://|r(.pu||thep|ug.(0m/ {#r00th@t,#s0c|a|} @n|) 5tuff. =
==========================================================================
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parseat_private, it
may be redistributed without modification.
2) In any other case the contents of this message is confidential and not
to be distributed in any form without express permission from the author.
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 12:34:55 PST