[NEWS] Light Vulnerable to Remotely Exploitable Arbitrary Code Execution

From: support@securiteam.com
Date: 08/27/02


From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 27 Aug 2002 21:36:50 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Light Vulnerable to Remotely Exploitable Arbitrary Code Execution
------------------------------------------------------------------------

SUMMARY

All versions of Light prior to 2.7.30p5 (on the 2.7 branch) or 2.8pre10
(on the 2.8 branch) running under any version of EPIC4 on any platform are
vulnerable to a remotely exploitable bug that can execute nearly arbitrary
code. All Light users are very strongly urged to upgrade to stable release
2.7.30p5 or beta 2.8pre10 immediately. See below for URLs, MD5 hashes, and
other information.

DETAILS

J.S. Connell has recently discovered that the IRC script for EPIC4 that J.
S. maintains is vulnerable to an easy remote attack. If a malicious user
can convince a user to join a channel whose name contains embedded EPIC4
script, several different code paths inside Light will cause that script
to be executed.

The attack is mitigated by four factors:
1. A user has to be incautious enough to join a channel with embedded
code.

2. The embedded code is limited to expanding variables and calling EPIC
built-in functions and user-defined aliases and functions -- built-in
commands cannot be executed.

3. Light does not contain any features for automatically joining channels.
However, it should be pointed out that auto-join-on-invite can be achieved
by simply adding 'on invite * join $1' to one's .ircrc.

4. An unmodified copy of Light will not permit you to run it as root,
slightly limiting potential damage.

One might be tempted to add a fifth factor -- that channel names cannot
contain spaces -- but EPIC provides built-in functions that provide a
space-free and opaque (to the naked eye) 'transport armour'.

It should also be noted that EPIC4 with *no* scripts loaded is also
vulnerable to this attack, but *only* if the STATUS_DOES_EXPANDOS setting
is changed from its default to ON.
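The failure mode described above (an untrusted channel name is substituted into a string, and that string is then expanded again, so expandos inside the name run) can be modelled in a few lines. This is an added illustration using a constructed toy expando language in Python; it is not EPIC4 script, not Light's code, and its `$name` / `$func(arg)` grammar is an assumption made for the model only.

```python
import re

# Constructed toy model, NOT EPIC4's real parser: `$name` expands a variable,
# `$func(arg)` calls a function. This is enough to show double expansion.
BASE_ENV = {"nick": "liandrin"}
FUNCS = {"upper": str.upper, "rev": lambda s: s[::-1]}

EXPANDO = re.compile(r"\$(\w+)(?:\(([^()]*)\))?")


def expand_once(text, env):
    """One expansion pass: every `$var` / `$func(arg)` in `text` is replaced."""
    def sub(m):
        name, arg = m.group(1), m.group(2)
        if arg is not None and name in FUNCS:
            return FUNCS[name](arg)
        return env.get(name, "")
    return EXPANDO.sub(sub, text)


def status_line_vulnerable(template, channel):
    """Models the bug: the template is expanded, and the result, which now
    contains the untrusted channel name verbatim, is expanded a second time."""
    env = dict(BASE_ENV, C=channel)          # C models "current channel"
    return expand_once(expand_once(template, env), env)


def status_line_fixed(template, channel):
    """Fix: expand exactly once, so text that came out of a variable stays data."""
    env = dict(BASE_ENV, C=channel)
    return expand_once(template, env)


def has_embedded_expando(channel):
    """Defensive check: does an untrusted string contain expando syntax at all?"""
    return EXPANDO.search(channel) is not None
```

In the model a channel name such as `#$upper(hi)` is turned into `#HI` by the vulnerable path and left untouched by the fixed one; the same single-pass discipline is what a script must keep for every string that originates from the network.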

Because other IRC scripts may well be vulnerable to this attack or to
other, similar attacks, J. S. does not wish to provide examples of how to
exploit this, although it should be obvious to anyone familiar with EPIC4
scripting.

Immune versions:
Light 2.7.30p5 and Light 2.8pre10 have been released, which resolve this
issue. The tarballs are available for download from:
ftp://ftp.light.canuck.gen.nz/pub/Light/

Updated Debian packages will also be available shortly. To the best of J.
S.'s knowledge, Light is not distributed by any other vendors.

You can find J. S. Connell on IRC as Liandrin, on Undernet in #epic+light,
or on EFnet in #epic.

MD5sums:
   6dffeddbb059a145dba2694fd2d04d6e Light-2.7.30p5.tar.bz2
   28c6f204e92dd6a1f89724e9e7af80e1 Light-2.7.30p5.tar.bz2.asc

   4a815f15c522e016a39c42fc96cb33ad Light-2.7.30p5.tar.gz
   570dde757ed65a2b133f24c3406a9399 Light-2.7.30p5.tar.gz.asc

   6f201aa5c2fc729766a5b11840bf07a5 Light-2.8pre10.tar.bz2
   2d463273545694ef9862a90d3acbbe1c Light-2.8pre10.tar.bz2.asc

   c1dde9996bb63be29cc1cfcd56479675 Light-2.8pre10.tar.gz
   c56873d39d67243f19874c3c21bff0b2 Light-2.8pre10.tar.gz.asc

(Note to Macintosh and Windows users: the .asc files must be transferred
in BINARY mode for the md5sum to compute correctly. Users of Cygwin's
md5sum command should use the -b (binary mode) flag.)

ADDITIONAL INFORMATION

The information has been provided by <mailto:ankh@canuck.gen.nz> J. S.
Connell.
