oss-sec mailing list archives

CVE Request -- KVIrc -- Remote CTCP commands execution via specially-crafted CTCP parameter

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 28 Jul 2010 10:52:15 +0200

Hi Steve,

  user with nickname 'unic0rn' reported:
    [1] https://svn.kvirc.de/kvirc/ticket/858

a deficiency in the way KVIrc IRC client extracted the "next" CTCP parameter from message
pointer. A remote, authenticated attacker, valid KVIrc user, could send a specially-crafted
DCC Client-To-Client Protocol (CTCP) message, like:

/ctcp nickname DCC GET\rQUIT\r
/ctcp nickname DCC GET\rPRIVMSG\40#channel\40:epic\40fail\r

which could lead to / allow remote (KVIrc) CTCP commands execution. Different vulnerability
than CVE-2010-2451:
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2451
and CVE-2010-2452:
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2452

Upstream patch:
  [3] https://svn.kvirc.de/kvirc/changeset/4693

Workaround: (from [1])
  /option boolNotifyFailedDccHandshakes 0

References:
  [4] http://bugs.gentoo.org/show_bug.cgi?id=330111

Could you please allocate a CVE id for this?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Current thread:

CVE Request -- KVIrc -- Remote CTCP commands execution via specially-crafted CTCP parameter Jan Lieskovsky (Jul 28)
- Re: CVE Request -- KVIrc -- Remote CTCP commands execution via specially-crafted CTCP parameter Josh Bressers (Jul 29)