Vulnerability Development mailing list archives

Re: Possible hole in xchat


From: Ron DuFresne <dufresne () winternet com>
Date: Tue, 1 Jan 2002 21:45:24 -0600 (CST)


As per the bitchx discussion, probably not, unless the /exec -o function
can be interjected remotely by outsiders, else it would be at best a
self-exploit situation. Now, if this /exec -o function can be amassed via
tty's or pty's by another user on the system, or some other remote vector,
then there is an issue.

Thanks,

Ron DuFresne

On Tue, 1 Jan 2002 SirExar () crazy-horse net wrote:

Slackware 8.0

Xchat 1.8.5

When you execute a command using exec -o in xchat, the command is executed
and the output sent to the current window.
If you execute a command of a lengthy nature, such as 5000 characters : )
Xchat segfaults, this could lead to possible buffer overflow problems,
because the memory address is rewritten.
I used perl -e 'print "A" x 5000' to cause the fault (/exec -o perl -e
'print "A" x 5000') which should produce an EIP of 0x41414141.
(Hex A)

GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) r
Starting program: /usr/bin/xchat
[New Thread 1024 (LWP 14486)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 14486)]
0x80993b0 in handle_command (
    cmd=0x41414141 <Address 0x41414141 out of bounds>, sess=0x41414141,
    history=1094795585, nocommand=1094795585) at outbound.c:3390
3390    outbound.c: No such file or directory.
(gdb)


I'm not sure if it's exploitable or even a problem, but I thought it was
worth a try.

-exar



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
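The crash reported in the quoted post (a long /exec -o output line smashing the stack frame) as an added C illustration; this is not xchat's code, and the handler names and the 1024-byte buffer are assumptions. It shows the unbounded-copy pattern that produces an EIP of 0x41414141 beside a bounded version that displays long lines in chunks instead of overflowing.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical handler (not xchat's real code) that copies one line of
 * child-process output into a fixed on-stack buffer before displaying it. */
#define LINE_MAX_LEN 1024

/* Unsafe pattern: strcpy() with no length check. A line longer than the buffer
 * overwrites the saved return address; 'A' bytes give EIP = 0x41414141. */
static void handle_exec_output_unsafe(const char *line)
{
    char buf[LINE_MAX_LEN];
    strcpy(buf, line);                       /* unbounded copy: the bug */
    printf("%s\n", buf);
}

/* Fixed pattern: copy at most LINE_MAX_LEN - 1 bytes, always terminate, and
 * return the bytes consumed so the caller can continue with the remainder. */
static size_t handle_exec_output_safe(const char *line, size_t len)
{
    char buf[LINE_MAX_LEN];
    size_t n = len < LINE_MAX_LEN - 1 ? len : LINE_MAX_LEN - 1;
    memcpy(buf, line, n);
    buf[n] = '\0';
    printf("%s\n", buf);
    return n;
}

/* Drains a long output line through the safe handler; returns chunk count. */
static int drain_output(const char *line)
{
    size_t len = strlen(line), off = 0;
    int chunks = 0;
    while (off < len) {
        off += handle_exec_output_safe(line + off, len - off);
        chunks++;
    }
    return chunks;
}

/* Constructed input mirroring perl -e 'print "A" x 5000'; yields 5 chunks. */
static int demo_5000_as(void)
{
    static char big[5001];
    memset(big, 'A', 5000);
    big[5000] = '\0';
    return drain_output(big);
}

int main(void)
{
    handle_exec_output_unsafe("short line");  /* fits, so no overflow here */
    return demo_5000_as() == 5 ? 0 : 1;
}
```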

