SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Instant Messaging/IRC/Chat)  >  BNC Vendors:  The BNC project
BNC Input Validation Flaw in Processing Backspace Characters Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1011583
SecurityTracker URL:  http://securitytracker.com/id?1011583
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 9 2004
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 2.8.9
Description:  A vulnerability was reported in BNC. A remote user can send arbitrary commands to a bot running BNC.

The vendor reported that the software contains a flaw in the processing of the backspace character (ASCII 8). A remote user can send data that includes backspace characters to delete and replace data sent to the BNC bot to issue commands with arbitrary authentication credentials.

The vendor credits Yak with reporting this flaw.
Impact:  A remote user can execute arbitrary BNC commands with the privileges of arbitrary users.
Solution:  The vendor has issued a fixed version (2.8.9), available at:

http://www.gotbnc.com/download.html
Vendor URL:  www.gotbnc.com/index.html (Links to External Site)
Cause:  Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents
Date:  Sat, 9 Oct 2004 16:36:18 -0400
Subject:  http://www.gotbnc.com/changes.html#2.8.9

 
 
> 2.8.9
> 
>    1. Fixed backspace security flaw (reported by Yak)


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC