Re: Possible hole in xchat

From: Ron DuFresne (dufresneat_private)
Date: Tue Jan 01 2002 - 19:45:24 PST


    As per the bitchx discussion, probably not, unless the /exec -o function
    can be interjected remotely by outsiders, else it would be at best a self
    exploit situation. Now, if this /exec -o function can be amassed via tty's
    or pty's by another user on the system, or some other remote vector, then
    there is an issue.
    
    Thanks,
    
    Ron DuFresne
    
    On Tue, 1 Jan 2002 SirExar@crazy-horse.net wrote:
    
    > Slackware 8.0
    > 
    > Xchat 1.8.5
    > 
    > When you execute a command using exec -o in xchat, the command is executed 
    > and the output sent to the current window.
    > If you execute a command of a lengthy nature, such as 5000 characters : )
    >  Xchat seg faults, this could lead to possible buffer overflow problems, 
    > because the memory address is rewritten.
    > I used perl -e 'print "A" x 5000' to cause the fault (/exec -o perl -e 
    > 'print "A" x 5000') which should produce an EIP of 0x41414141.
    > (Hex A)
    > 
    > GNU gdb 5.0
    > Copyright 2000 Free Software Foundation, Inc.
    > GDB is free software, covered by the GNU General Public License, and you are
    > welcome to change it and/or distribute copies of it under certain 
    > conditions.
    > Type "show copying" to see the conditions.
    > There is absolutely no warranty for GDB.  Type "show warranty" for details.
    > This GDB was configured as "i386-slackware-linux"...
    > (gdb) r
    > Starting program: /usr/bin/xchat
    > [New Thread 1024 (LWP 14486)]
    > 
    > Program received signal SIGSEGV, Segmentation fault.
    > [Switching to Thread 1024 (LWP 14486)]
    > 0x80993b0 in handle_command (
    >     cmd=0x41414141 <Address 0x41414141 out of bounds>, sess=0x41414141,
    >     history=1094795585, nocommand=1094795585) at outbound.c:3390
    > 3390    outbound.c: No such file or directory.
    > (gdb)
    > 
    > 
    > I'm not sure if it's exploitable or even a problem but I thought it was 
    > worth a try.
    > 
    > -exar
    > 
    > 
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation." -- Johnny Hart
    	***testing, only testing, and damn good at it too!***
    
    OK, so you're a Ph.D.  Just don't touch anything.
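The crash class exar describes, a fixed-size buffer that receives the child command's output with no length bound, written out as an added illustration in C beside a bounded, chunked version. This is not xchat's code and not from the thread; LINE_CAP, the 1024-byte size and every function name here are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#define LINE_CAP 1024   /* hypothetical; the thread does not give xchat's size */

/* VULNERABLE pattern (illustrative, not xchat's code): child output goes into
 * a fixed stack buffer with no length check. 5000 bytes of 'A' overrun the
 * buffer and the saved registers, which is how cmd/sess read 0x41414141 in
 * the backtrace above. Not called anywhere; shown only for contrast. */
void deliver_output_unsafe(const char *child_output)
{
    char line[LINE_CAP];
    strcpy(line, child_output);   /* unbounded copy; line would go to the window */
}

/* HARDENED: copy at most cap-1 bytes, always NUL-terminate, and report
 * truncation so the caller can continue in chunks. Returns bytes consumed. */
size_t deliver_output_safe(const char *child_output, char *line,
                           size_t cap, int *truncated)
{
    size_t n = strlen(child_output);
    *truncated = (n >= cap);
    if (*truncated)
        n = cap - 1;
    memcpy(line, child_output, n);
    line[n] = '\0';
    return n;
}

/* Push arbitrarily long output to the window in LINE_CAP-sized pieces.
 * Returns the number of pieces; no piece ever exceeds the buffer. */
int deliver_chunked(const char *child_output)
{
    char line[LINE_CAP];
    size_t off = 0, total = strlen(child_output);
    int chunks = 0, trunc;
    while (off < total) {
        off += deliver_output_safe(child_output + off, line, sizeof line, &trunc);
        chunks++;
    }
    return chunks;
}

/* Constructed input standing in for `perl -e 'print "A" x 5000'`. */
char *make_a_run(size_t len)
{
    char *s = malloc(len + 1);
    memset(s, 'A', len); s[len] = '\0';
    return s;
}
```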
    



    This archive was generated by hypermail 2b30 : Wed Jan 02 2002 - 10:16:58 PST