Bugtraq mailing list archives

NEW ircii/bitchx(/epic?) overflow


From: paul () BOEHM ORG (Paul Boehm)
Date: Sat, 30 May 1998 18:48:07 +0200


Hi,
I think I've found a new (exploitable) bug in ircII and the likes.

Here's a short description of what I did:
I telnetted to an IRC server (hb.irc.at) and let someone DCC
chat me. This looked something like this:

:forcer!forcer () ppp09 junior-net de
        PRIVMSG flowmne :DCC CHAT chat 3500393993 28219

The first number stands for the longip (a shorter form for IPs) and the second
for the port the DCC chat initiator is listening on. Now I telnetted to
ppp09.junior-net.de port 28219 and sent about 2000 A's and then a \n.
After that the connection was closed and forcer's IRC client exited
with (EOF from Client).

We tested this with BitchX 74p2,74p4 and ircII 4.4.
All of them showed the same symptoms.

It looks as though this is exploitable
and you can do your standard "execute arbitrary code" exploit after being
DCC chatted. I don't know if this also works if you've chatted an ircII/BitchX(/Epic?)
user, but I see no reason why it shouldn't.

Special thanks go out to forcer from #linux.de, who helped
me test the bug and is currently working on a patch for it.

bye,
    paul(infected on irc)

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  Name: Paul S. Boehm               ||  Freelance Security Consulter.
    Email: paul () is destructive org  ||  PGPkey available at:
       Url: http://paul.boehm.org/  ||  http://paul.boehm.org/paul-pgp.asc
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
There is no reason for any individual to have a computer in their home.
              --Ken Olsen (Digital Corp CEO) 1977.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
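The failure the post describes is a DCC CHAT line being read into a fixed-size buffer with no length check. The following is an added example, not code from the post or from ircII/BitchX: it decodes the "DCC CHAT chat <longip> <port>" offer quoted above and reads chat lines with a bounded reader that rejects an over-long line (such as the 2000 A's) instead of writing past the buffer. The 512-byte line limit and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DCC_LINE_MAX 512   /* assumed per-line limit for chat text (not ircII's) */

/* Decode a "DCC CHAT chat <longip> <port>" offer: the longip is the 32-bit
 * address as a decimal integer. Returns 0, or -1 if malformed/port out of range. */
int parse_dcc_chat(const char *ctcp, char ip[16], unsigned *port)
{
    unsigned long longip, p;
    if (sscanf(ctcp, "DCC CHAT chat %lu %lu", &longip, &p) != 2)
        return -1;
    if (longip > 0xFFFFFFFFUL || p == 0 || p > 65535)
        return -1;
    snprintf(ip, 16, "%lu.%lu.%lu.%lu", (longip >> 24) & 0xFF,
             (longip >> 16) & 0xFF, (longip >> 8) & 0xFF, longip & 0xFF);
    *port = (unsigned)p;
    return 0;
}

/* Copy one '\n'-terminated line from received bytes into out (capacity
 * out_len). Returns the line length without the newline, or -1 when no
 * newline arrives within out_len - 1 bytes: the line is dropped instead
 * of being written past the buffer, which is the failure the post describes. */
int read_dcc_line(const char *buf, size_t buf_len, char *out, size_t out_len)
{
    size_t i;
    for (i = 0; i < buf_len && i + 1 < out_len; i++) {
        if (buf[i] == '\n') {
            out[i] = '\0';
            return (int)i;
        }
        out[i] = buf[i];
    }
    out[0] = '\0';
    return -1;   /* overlong or unterminated line: reject, do not overflow */
}

int main(void)
{
    char ip[16], line[DCC_LINE_MAX], flood[2001];
    unsigned port;
    if (parse_dcc_chat("DCC CHAT chat 3500393993 28219", ip, &port) == 0)
        printf("offer from %s port %u\n", ip, port);
    memset(flood, 'A', 2000); flood[2000] = '\n';   /* constructed 2000-A line */
    printf("flood line -> %d, short line -> %d\n",
           read_dcc_line(flood, sizeof flood, line, sizeof line),
           read_dcc_line("hi\n", 3, line, sizeof line));
    return 0;
}
```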