Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
(Red Hat Issues Fix) Xchat IRC Client Character Expansion Bug Lets a Remote User Hijack Another User's Session and Cause Commands to Be Sent to the IRC Server from the Hijacked Client
|
|
SecurityTracker Alert ID: 1003233 |
|
SecurityTracker URL: http://securitytracker.com/id/1003233
|
|
CVE Reference:
CAN-2002-0006
(Links to External Site)
|
Date: Jan 15 2002
|
Impact:
Execution of arbitrary code via network, Modification of user information, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 1.4.2 and 1.4.3
|
Description:
A vulnerability was reported in the xchat IRC chat client. A remote user can hijack another user's session and cause the other user's xchat client to send commands to the client's current IRC server.
It is reported that the CTCP PING reply handler is designed to return the string that was sent to it by another client to determine the time lag between the two systems. The xchat client apparently has another feature that allows the insertion of arbitrary ascii valued characters into a message using the format "%nnn". The PING reply handler reportedly expands the "%nnn" values in replies in the vulnerable clients. A remote user can send malicious commands separate by "%010" line feed characters that will be executed by the client.
A demonstration exploit is provided in the Source Message (it is Base 64 encoded).
|
Impact:
A remote user can hijack another user's session and cause the other user's xchat client to send commands to the client's current IRC server.
|
Solution:
The vendor has released a fix.
Red Hat Linux 6.2:
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/xchat-1.8.7-1.62.0.src.rpm
alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/xchat-1.8.7-1.62.0.alpha.rpm
i386:
ftp://updates.redhat.com/6.2/en/os/i386/xchat-1.8.7-1.62.0.i386.rpm
sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/xchat-1.8.7-1.62.0.sparc.rpm
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/xchat-1.8.7-1.70.0.src.rpm
alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/xchat-1.8.7-1.70.0.alpha.rpm
i386:
ftp://updates.redhat.com/7.0/en/os/i386/xchat-1.8.7-1.70.0.i386.rpm
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/xchat-1.8.7-1.71.0.src.rpm
alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/xchat-1.8.7-1.71.0.alpha.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/xchat-1.8.7-1.71.0.i386.rpm
ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/xchat-1.8.7-1.71.0.ia64.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/xchat-1.8.7-1.72.0.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/xchat-1.8.7-1.72.0.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/xchat-1.8.7-1.72.0.ia64.rpm
The verification checksums are:
MD5 sum Package Name
--------------------------------------------------------------------------
ac50d03c3107cb7c57823330abb7bcf3 6.2/en/os/SRPMS/xchat-1.8.7-1.62.0.src.rpm
33c2a42aac216fe2d5cc1703d62916c3 6.2/en/os/alpha/xchat-1.8.7-1.62.0.alpha.rpm
e2730124e349c81d884b9f6b9f10a844 6.2/en/os/i386/xchat-1.8.7-1.62.0.i386.rpm
dee6de9b586d5d480e3fb79095071c81 6.2/en/os/sparc/xchat-1.8.7-1.62.0.sparc.rpm
8abf9f7305c6ef0bb2fd271cd5a658c7 7.0/en/os/SRPMS/xchat-1.8.7-1.70.0.src.rpm
e6f6e39866ea16e685e40d0aefea8d3a 7.0/en/os/alpha/xchat-1.8.7-1.70.0.alpha.rpm
f86ff922b3983fcc466c809026d2e46f 7.0/en/os/i386/xchat-1.8.7-1.70.0.i386.rpm
097d9021c9a71802e6500e8b517afab4 7.1/en/os/SRPMS/xchat-1.8.7-1.71.0.src.rpm
561f00afdd626a0bff8adc0f0eae62a6 7.1/en/os/alpha/xchat-1.8.7-1.71.0.alpha.rpm
a7623f3a3962701985ffdaca0398edc5 7.1/en/os/i386/xchat-1.8.7-1.71.0.i386.rpm
6e6c9835b80644a8e720a7947dcc4af2 7.1/en/os/ia64/xchat-1.8.7-1.71.0.ia64.rpm
742b12acb62b256309223076098b8169 7.2/en/os/SRPMS/xchat-1.8.7-1.72.0.src.rpm
749cc3d90b7e7a8446b444446855b672 7.2/en/os/i386/xchat-1.8.7-1.72.0.i386.rpm
1beaae5afb495e11aa532bb7f76faa47 7.2/en/os/ia64/xchat-1.8.7-1.72.0.ia64.rpm
See the Source Message for the vendor's advisory containing directions on how to apply the appropriate fix.
|
Vendor URL: www.xchat.org/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Red Hat Linux)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 15 Jan 2002 11:08 -0500
Subject: [RHSA-2002:005-09] Updated xchat packages are available
|
---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Updated xchat packages are available
Advisory ID: RHSA-2002:005-09
Issue date: 2002-01-07
Updated on: 2002-01-14
Product: Red Hat Linux
Keywords: xchat irc chat
Cross references:
Obsoletes:
---------------------------------------------------------------------
1. Topic:
Versions of xchat prior to version 1.8.7 contain a vulnerability
which allows an attacker to cause a vulnerable client to execute
arbitrary IRC server commands as if the vulnerable user had typed
them.
This security erratum updates xchat to version 1.8.7, which is
not vulnerable to this attack.
2. Relevant releases/architectures:
Red Hat Linux 6.2 - alpha, i386, sparc
Red Hat Linux 7.0 - alpha, i386
Red Hat Linux 7.1 - alpha, i386, ia64
Red Hat Linux 7.2 - i386, ia64
3. Problem description:
xchat is a popular IRC client. Recently xchat has been
found to contain a bug in the CTCP PING handling code which can
be exploited to execute IRC commands on the IRC server as the
vulnerable user. This can be used for example by an attacker
to /op or /deop, to /kick someone out of a channel, to force the
vulnerable user out of the channel with a /part, to change
channel modes via the /mode command, or to impersonate a user
via private /msg commands.
This bug does not appear to allow an attacker to execute commands
on the vulnerable computer, just to force IRC server commands to
be run as if the vulnerable user had typed them.
All previous versions of xchat are vulnerable, however only the 1.4.*
versions are vulnerable by default. With later versions (1.6.*, 1.8.*),
xchat is not vulnerable unless the user has enabled the client side
"percascii" variable with the command "/set percascii 1".
This security erratum updates xchat to version 1.8.7, for Red Hat Linux
6.2, 7.0, 7.1, 7.2, which is not vulnerable to this attack. All xchat
users should update to this release.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0006 to this issue.
Thanks to zen-parse for discovering and reporting this problem, and
also to Marcus Meissner at Caldera for providing a working sample
exploit with which to easily test for affected versions.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the
desired RPMs.
Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
6. RPMs required:
Red Hat Linux 6.2:
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/xchat-1.8.7-1.62.0.src.rpm
alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/xchat-1.8.7-1.62.0.alpha.rpm
i386:
ftp://updates.redhat.com/6.2/en/os/i386/xchat-1.8.7-1.62.0.i386.rpm
sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/xchat-1.8.7-1.62.0.sparc.rpm
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/xchat-1.8.7-1.70.0.src.rpm
alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/xchat-1.8.7-1.70.0.alpha.rpm
i386:
ftp://updates.redhat.com/7.0/en/os/i386/xchat-1.8.7-1.70.0.i386.rpm
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/xchat-1.8.7-1.71.0.src.rpm
alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/xchat-1.8.7-1.71.0.alpha.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/xchat-1.8.7-1.71.0.i386.rpm
ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/xchat-1.8.7-1.71.0.ia64.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/xchat-1.8.7-1.72.0.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/xchat-1.8.7-1.72.0.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/xchat-1.8.7-1.72.0.ia64.rpm
7. Verification:
MD5 sum Package Name
--------------------------------------------------------------------------
ac50d03c3107cb7c57823330abb7bcf3 6.2/en/os/SRPMS/xchat-1.8.7-1.62.0.src.rpm
33c2a42aac216fe2d5cc1703d62916c3 6.2/en/os/alpha/xchat-1.8.7-1.62.0.alpha.rpm
e2730124e349c81d884b9f6b9f10a844 6.2/en/os/i386/xchat-1.8.7-1.62.0.i386.rpm
dee6de9b586d5d480e3fb79095071c81 6.2/en/os/sparc/xchat-1.8.7-1.62.0.sparc.rpm
8abf9f7305c6ef0bb2fd271cd5a658c7 7.0/en/os/SRPMS/xchat-1.8.7-1.70.0.src.rpm
e6f6e39866ea16e685e40d0aefea8d3a 7.0/en/os/alpha/xchat-1.8.7-1.70.0.alpha.rpm
f86ff922b3983fcc466c809026d2e46f 7.0/en/os/i386/xchat-1.8.7-1.70.0.i386.rpm
097d9021c9a71802e6500e8b517afab4 7.1/en/os/SRPMS/xchat-1.8.7-1.71.0.src.rpm
561f00afdd626a0bff8adc0f0eae62a6 7.1/en/os/alpha/xchat-1.8.7-1.71.0.alpha.rpm
a7623f3a3962701985ffdaca0398edc5 7.1/en/os/i386/xchat-1.8.7-1.71.0.i386.rpm
6e6c9835b80644a8e720a7947dcc4af2 7.1/en/os/ia64/xchat-1.8.7-1.71.0.ia64.rpm
742b12acb62b256309223076098b8169 7.2/en/os/SRPMS/xchat-1.8.7-1.72.0.src.rpm
749cc3d90b7e7a8446b444446855b672 7.2/en/os/i386/xchat-1.8.7-1.72.0.i386.rpm
1beaae5afb495e11aa532bb7f76faa47 7.2/en/os/ia64/xchat-1.8.7-1.72.0.ia64.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
http://www.redhat.com/about/contact/pgpkey.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg <filename>
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0006
http://marc.theaimsgroup.com/?l=bugtraq&m=101060676210255
Copyright(c) 2000, 2001, 2002 Red Hat, Inc.
_______________________________________________
Redhat-watch-list mailing list
To unsubscribe, visit: https://listman.redhat.com/mailman/listinfo/redhat-watch-list
|
|
Go to the Top of This SecurityTracker Archive Page
|
