Bugtraq mailing list archives
BitchX - more on format bugs?
From: zinx () LINUXFREAK COM (Forever shall I be.)
Date: Mon, 3 Jul 2000 10:34:09 -0500
Well, I've not seen this posted to bugtraq yet, so here goes... BitchX has fallen victim to the infamous format bug... All unpatched versions of BitchX are apparently vulnerable (patch follows)..

I've done a bit of messing around myself, and I think this bug can be used to execute arbitrary code (via %n method outlined in previous articles) -- Over here the user string (channel argument to invite) is around the 24th argument (aka %24$n) when compiled with gcc 2.95.2 on x86 boxes running glibc 2.1.3, it varies if your setup is different of course..

Now.. That's not to say the exploit will be portable (it won't be), or easy (it probably won't be difficult, but it won't be easy -- you can only use characters valid to channel names, though there are a lot.. and on some servers, you have to prefix it with #, which makes big endian exploits near impossible)

and by the way, I didn't find the bug, nor create the patch..

That's all folks..

--
Zinx Verituse <zinx () linuxfreak com>
gpg (id 921B1558) (fp 5746 73A1 2184 A27A 9EC0 EDCC E132 BCEF 921B 1558)

TEXT/PLAIN attachment: 1.0c16-format.patch
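Added example, not part of the original post and not BitchX source code: the bug class described above (remote text such as the invite channel name reaching a printf-style call as the format string), shown beside the hardened form and a small audit helper. All function names, the message wording and the sample input are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout: this is not BitchX source code. */

#ifdef SHOW_VULNERABLE
/* Bug class from the post: remote text is used AS the format string, so
 * directives inside the channel name are interpreted by the printf family. */
static int notice_vulnerable(char *out, size_t n, const char *channel)
{
    return snprintf(out, n, channel);
}
#endif

/* Hardened form: the format is a constant, the channel name is only data. */
int notice_safe(char *out, size_t n, const char *nick, const char *channel)
{
    int len = snprintf(out, n, "%s invites you to %s", nick, channel);
    return (len < 0 || (size_t)len >= n) ? -1 : len; /* -1: error/truncation */
}

/* Audit aid: count conversion directives in untrusted text.
 * "%%" is a literal percent sign and is skipped. */
int count_directives(const char *s)
{
    int hits = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') hits++;
    }
    return hits;
}

int main(void)
{
    const char *chan = "#chan%s%n";   /* constructed sample input */
    char buf[128];

    if (notice_safe(buf, sizeof buf, "someone", chan) >= 0)
        printf("%s (directives in input: %d)\n", buf, count_directives(chan));
    return 0;
}
```

Building with gcc's -Wformat -Wformat-security flags reports calls of the vulnerable shape, where a non-literal string is passed as the format with no arguments.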