Bugtraq mailing list archives
More Detailed Info on the BitchX Format Bugs
From: RoboHak () PROTOVISION ORG (RoboHak)
Date: Fri, 7 Jul 2000 04:06:29 -0700
I've seen a lot of incorrect patches and information floating around, so I decided I should write up something to keep people correctly informed.

The play by play:

The bug was reported to me by eTs@efnet around 3am PDT on July 3rd. As soon as he told me about channels with %s, %n, etc. crashing the client on an invite, I knew it was a format problem similar to the old ban bug BitchX had, or the recent wu-ftpd bug. I fixed the invite code and found that the kill code had the same problem. I tested the patch and sent it to eTs, and then started offering it through cdcc/xdcc. I also made a 75p3 patch since the 1.0c16 patch wouldn't apply cleanly to it. The bug seems to have appeared during the 75 alpha versions, so all 75 and 1.0 versions through 1.0c16 have the bug. Since I also work on EPIC, I checked to make sure this was a BitchX-specific problem, and it was.

About an hour after I made the patch available, one of the #BitchX@efnet ops (who will remain nameless) tried the bug on #BitchX. At that point the bug became publicly known. The news of the bug seemed to spread quickly around efnet, as I started getting requests for the patch from many other channels.

After some code auditing I found some other format bugs that only affected local commands. I had other things I had to do, and since the bugs were only locally exploitable, I waited a few hours until panasync (Colten Edwards) showed up on irc. The local bugs were not as simple to fix, so we discussed the best way to go about fixing them. Once we had all the bugs we could find fixed, panasync committed them to our CVS repository.

Summary: The bug affects all versions of BitchX from 75 through 1.0c16, and does not affect EPIC or any other clients I know of. The invite parsing is the easiest to exploit, but the bug also exists in the kill parsing. The patch existed before the bug was publicly known. There were also locally exploitable format bugs, but they have been fixed now.
The next version of BitchX will include all of these fixes, and they have been applied to the CVS repository. Hopefully this clears up any confusion or misinformation about these bugs. If there are any other questions, feel free to ask me via email or on irc (RoboHak@efnet).

--
RoboHak
RoboHak () protovision org | RoboHak () mediaone net

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT d-(--) s++:-- a-- C+++(++++) UL++++ UB++++ P+@ L+++(++++) E- W+++(--)$
N+@ o? K w--- O-- M-- V-- PS+ PE Y++@ PGP++@ t+ 5(+) X+@ R tv+@ b++@
DI+++ D++@ G e h! r-- y--
------END GEEK CODE BLOCK------
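The bug class the post describes, as an added illustration that is not BitchX's code and not part of the original message: a channel name containing conversion specifiers is handed to a printf-style function as the format string itself instead of as an argument. The sample nick and channel name below are constructed, the function names are this example's own, and the vulnerable path is only exercised with "%%" (a literal percent) so that it stays well defined while still showing that the data is being interpreted as a format. The hardened form and a small check for stray conversion specifiers in incoming names are the defender's side of the same pattern.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample values (not from the report): a nick and a channel
 * name built out of conversion specifiers, like the INVITE crash described. */
static const char *SAMPLE_NICK    = "eTs";
static const char *SAMPLE_CHANNEL = "#%s%s%n";

/* Vulnerable pattern (illustration only, not BitchX's actual code): the
 * untrusted text is passed to snprintf as the format string, so every '%'
 * in the channel name is interpreted as a conversion. Only "%%" is fed to it
 * in this example; any real specifier would consume nonexistent arguments
 * and %n would write through a pointer it found there. */
#if defined(__GNUC__)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#endif
int render_unsafe(char *out, size_t size, const char *untrusted)
{
    return snprintf(out, size, untrusted);  /* BUG: data used as format */
}
#if defined(__GNUC__)
#pragma GCC diagnostic pop
#endif

/* Hardened pattern: the format string is a literal under the programmer's
 * control and the untrusted text is only ever an argument to "%s". */
int render_safe(char *out, size_t size, const char *nick, const char *channel)
{
    return snprintf(out, size, "%s invites you to %s", nick, channel);
}

/* Defensive check for incoming names or log review: does the string contain
 * a '%' that would act as a conversion specifier? "%%" is a literal percent
 * sign and is not counted; a trailing lone '%' is malformed and is counted. */
bool has_conversion_specifier(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        return true;            /* '%' followed by anything else, or end */
    }
    return false;
}

/* Wrappers returning static buffers so the rendered text can be compared. */
const char *demo_unsafe(const char *untrusted)
{
    static char buf[128];
    render_unsafe(buf, sizeof buf, untrusted);
    return buf;
}

const char *demo_safe(const char *nick, const char *channel)
{
    static char buf[128];
    render_safe(buf, sizeof buf, nick, channel);
    return buf;
}

int main(void)
{
    /* The unsafe path visibly reinterprets the data: "%%" collapses to "%". */
    printf("unsafe(\"#50%%%%\") -> %s\n", demo_unsafe("#50%%"));
    /* The safe path reproduces the hostile channel name byte for byte. */
    printf("safe -> %s\n", demo_safe(SAMPLE_NICK, SAMPLE_CHANNEL));
    printf("suspicious name? %s\n",
           has_conversion_specifier(SAMPLE_CHANNEL) ? "yes" : "no");
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (both are real gcc and clang options) warns on the `render_unsafe` call because its format is not a literal, which is the cheapest way to audit a code base of this size for the same pattern; the pragma above exists only so the deliberately vulnerable line compiles cleanly for the demonstration.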