


Category: Application (Instant Messaging/IRC/Chat) > Light
Vendor: Connell, J. S.
Light IRC Script for EPIC4 May Execute Arbitrary Scripting Code When Joining an IRC Channel That Has a Malicious Channel Name
SecurityTracker Alert ID:  1005114
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 22 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2.7.30p5; prior to 2.8pre10
Description:   A vulnerability was reported in the Light Internet Relay Chat (IRC) script for EPIC4. A remote user can execute nearly-arbitrary code on the system.

A remote user can reportedly create an IRC channel where the channel name contains embedded EPIC4 script so that the script will be executed when a Light user joins the channel. The script may expand variables and call EPIC built-in functions and user-defined aliases and functions. According to the report, built-in commands cannot be executed.

The vendor notes that EPIC4 with *no* scripts loaded is also vulnerable to this attack, but *only* if the STATUS_DOES_EXPANDOS setting is changed from its default to ON.
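The two-stage processing the advisory describes (network-supplied text is spliced into a line first and the finished line is `$`-expanded second) can be modelled in a few lines. The following Python is an added illustration, not code from Light or EPIC4: it uses a toy `$`-expander with made-up variables (`$N`, `$S`) and a made-up `$upper()` function, plus a constructed status-line format in which `%C` is filled with the channel name before the line is expanded, which is the STATUS_DOES_EXPANDOS behaviour. It shows why splicing the untrusted name in before expansion lets the name's content run, and the two defensive measures a client or script can take: escaping the expansion sigil in anything that arrived from the network, and flagging channel names that carry it before joining.

```python
import re

# Constructed sample environment; these are NOT EPIC4's real variables or functions.
VARIABLES = {"N": "liandrin", "S": "irc.example.net"}
AUDIT = []  # every function call the expander performs, so a caller can see what ran


def fn_upper(arg):
    """Toy built-in function: records that it was called, returns its argument upper-cased."""
    AUDIT.append(("upper", arg))
    return arg.upper()


FUNCTIONS = {"upper": fn_upper}

# '\$' is a literal dollar; '$NAME' a variable reference; '$name(arg)' a function call.
_TOKEN = re.compile(r"\\\$|\$([A-Za-z_]\w*)(?:\(([^()]*)\))?")


def expand(text):
    """Toy model of ircII/EPIC-style $-expansion (not the real expander)."""
    def sub(m):
        if m.group(0) == "\\$":
            return "$"  # escaped sigil: emit a literal dollar, expand nothing
        name, arg = m.group(1), m.group(2)
        if arg is not None:
            fn = FUNCTIONS.get(name)
            return fn(expand(arg)) if fn else ""
        return VARIABLES.get(name, "")
    return _TOKEN.sub(sub, text)


# Status-bar format: %C is filled with the current channel, then the finished line is
# $-expanded (the STATUS_DOES_EXPANDOS-style behaviour). The format string is constructed.
STATUS_FORMAT = "[$N@$S] %C"


def render_status_vulnerable(channel):
    # Untrusted channel name spliced in first, expanded second: anything it embeds is expanded too.
    return expand(STATUS_FORMAT.replace("%C", channel))


def escape_untrusted(text):
    """Neutralise the expansion sigil so data that came from the network stays data."""
    return text.replace("$", "\\$")


def render_status_hardened(channel):
    # Same format, but the network-supplied name is escaped before it meets the expander.
    return expand(STATUS_FORMAT.replace("%C", escape_untrusted(channel)))


def channel_looks_suspicious(channel):
    """Pre-join check: a legitimate channel name has no reason to carry '$' or braces."""
    return any(c in channel for c in "${}")


if __name__ == "__main__":
    sample = "#$upper(hi)"  # constructed, harmless demonstration name
    print(render_status_vulnerable(sample))  # [liandrin@irc.example.net] #HI
    print(render_status_hardened(sample))    # [liandrin@irc.example.net] #$upper(hi)
    print(channel_looks_suspicious(sample))  # True
```

The escaping approach fixes the display paths that Light controls; the pre-join check is the only defence available against an `on invite * join $1` style auto-join, since by then the name is already being handed to the client.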

Impact:   A remote user may be able to cause arbitrary scripting code to be executed by a target user when the target user joins an IRC channel.
Solution:   The vendor has released fixed versions (2.7.30p5 and 2.8pre10), available at:

Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix) Light IRC Script for EPIC4 May Execute Arbitrary Scripting Code When Joining an IRC Channel That Has a Malicious Channel Name
Debian has released a fix.

Source Message Contents

Subject:  Light Security Advisory: Remotely-exploitable code execution


-------

All versions of Light prior to 2.7.30p5 (on the 2.7 branch) or 2.8pre10 (on
the 2.8 branch) running under any version of EPIC4 on any platform are
vulnerable to a remotely-exploitable bug that can execute nearly-arbitrary
code.  All Light users are very strongly urged to upgrade to stable release
2.7.30p5 or beta 2.8pre10 immediately.  See below for URLs, MD5 hashes, and
other information.

------

I've recently discovered that the IRC script for EPIC4 that I maintain is
vulnerable to a fairly easy remote attack. If a malicious user can convince
a user to join a channel whose name contains embedded EPIC4 script, several
different code paths inside Light will cause that script to be executed.

The attack is mollified by four factors:

1. A user has to be incautious enough to join a channel with embedded code.

2. The embedded code is limited to expanding variables and calling EPIC
built-in functions and user-defined aliases and functions -- built-in
commands cannot be executed.

3. Light does not contain any features for automatically joining channels.  
However, it should be pointed out that auto-join-on-invite can be achieved
by simply adding 'on invite * join $1' to one's .ircrc.

4. An unmodified copy of Light will not permit you to run it as root,
slightly limiting potential damage. Yes, you *are* an idiot if you IRC as
root, and this advisory should demonstrate why!

One might be tempted to add a fifth factor -- that channel names cannot
contain spaces -- but EPIC provides built-in functions that provide a
space-free and opaque (to the naked eye) 'transport armour'.

It should also be noted that EPIC4 with *no* scripts loaded is also
vulnerable to this attack, but *only* if the STATUS_DOES_EXPANDOS setting
is changed from its default to ON.  (STATUS_DOES_EXPANDOS is, to my mind,
an inherently dangerous feature with valid, but rare, uses.  Its existence
typifies the UNIX philosophy: "Here's the gun, the ammo, and the sights,
and if you blow your foot off with them, don't come crying to me.")

Because other IRC scripts may well be vulnerable to this attack or to
other, similar attacks, I do not wish to provide examples of how to exploit
this, although it should be obvious to anyone familiar with EPIC4.

--------------

Light 2.7.30p5 and Light 2.8pre10 have been released, which resolve this
issue.  The tarballs are available for download from:

Updated Debian packages will also be available shortly.  To the best of my
knowledge, Light is not distributed by any other vendors.

You can find me on IRC as Liandrin, on Undernet in #epic+light, or on EFnet
in #epic.


   6dffeddbb059a145dba2694fd2d04d6e  Light-2.7.30p5.tar.bz2
   28c6f204e92dd6a1f89724e9e7af80e1  Light-2.7.30p5.tar.bz2.asc

   4a815f15c522e016a39c42fc96cb33ad  Light-2.7.30p5.tar.gz
   570dde757ed65a2b133f24c3406a9399  Light-2.7.30p5.tar.gz.asc

   6f201aa5c2fc729766a5b11840bf07a5  Light-2.8pre10.tar.bz2
   2d463273545694ef9862a90d3acbbe1c  Light-2.8pre10.tar.bz2.asc

   c1dde9996bb63be29cc1cfcd56479675  Light-2.8pre10.tar.gz
   c56873d39d67243f19874c3c21bff0b2  Light-2.8pre10.tar.gz.asc

(Note to Macintosh and Windows users: the .asc files must be transferred in
BINARY mode for the md5sum to compute correctly. Users of Cygwin's md5sum
command should use the -b (binary mode) flag.)

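Checking a downloaded tarball against the MD5 list above is a small script. The following Python is an added example, not part of the advisory: it embeds the advisory's own hash table, parses it in the `md5sum` output format, and hashes files in binary mode, which is the point of the note about BINARY transfers and Cygwin's `-b` flag, since any line-ending rewrite changes the digest.

```python
import hashlib
import os

# Hash table exactly as listed in the advisory (MD5 hex digest, two spaces, filename).
ADVISORY_MD5 = """
6dffeddbb059a145dba2694fd2d04d6e  Light-2.7.30p5.tar.bz2
28c6f204e92dd6a1f89724e9e7af80e1  Light-2.7.30p5.tar.bz2.asc
4a815f15c522e016a39c42fc96cb33ad  Light-2.7.30p5.tar.gz
570dde757ed65a2b133f24c3406a9399  Light-2.7.30p5.tar.gz.asc
6f201aa5c2fc729766a5b11840bf07a5  Light-2.8pre10.tar.bz2
2d463273545694ef9862a90d3acbbe1c  Light-2.8pre10.tar.bz2.asc
c1dde9996bb63be29cc1cfcd56479675  Light-2.8pre10.tar.gz
c56873d39d67243f19874c3c21bff0b2  Light-2.8pre10.tar.gz.asc
"""


def parse_md5_table(text):
    """Parse 'hash  filename' lines (md5sum output format) into {filename: hash}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 32:
            continue  # blank or malformed line
        digest, name = parts
        table[name] = digest.lower()
    return table


def md5_of_bytes(data):
    """MD5 hex digest of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    """MD5 hex digest of a file, read in binary mode so line endings are hashed as stored."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, table, name=None):
    """True if the file's MD5 equals the advisory's entry for its (base) filename."""
    name = name or os.path.basename(path)
    expected = table.get(name)
    if expected is None:
        return False  # file not covered by the advisory: treat as unverified
    return md5_of_file(path) == expected


if __name__ == "__main__":
    import sys
    table = parse_md5_table(ADVISORY_MD5)
    for p in sys.argv[1:]:
        print(p, "OK" if verify_download(p, table) else "MISMATCH")
```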


