Gaim IRC Local Account Information Leakage

'ken'_at_FTU
Date: 11/09/03

    Date: Sun, 09 Nov 2003 15:42:39 -0500
    To: bugtraq@securityfocus.com
    
    

    When logging into IRC via gaim, gaim registers the user with their valid
    local account id as well as the nick chosen by the end user. This is
    revealed when an attacker asks for information regarding the victim.

    Given that the host name (DNS/IP) is also registered, an attacker now
    knows both the location of the host and a valid account name.

    The offending function call is g_get_user_name() within the function
    irc_login_cb in irc.c. This pulls the local account name.

    I suggest giving the user a chance to replace it with a name of their
    own choosing, as well as having a default fake name for those users who
    are technically challenged. :)

    I reported it to one of the main developers via IM but was told that it
    is just part of the IRC protocol and could not be changed.

    This affects version 0.72, which is the latest. I assume it affects earlier
    versions too, but I did not check due to time constraints.

    Workaround:

    Offending code in irc.c:

            buf = irc_format(irc, "vvvv:", "USER",
                    strlen(username) ? username :
    ----------> g_get_user_name(),
                    hostname, irc->server,
                    gc->account->alias && *gc->account->alias ?
                    gc->account->alias : IRC_DEFAULT_ALIAS);

    Replace with:

            buf = irc_format(irc, "vvvv:", "USER",
                    strlen(username) ? username :
    ----------> "Your new 9 char spoofed IRC name here" ,
                    hostname, irc->server,
                    gc->account->alias && *gc->account->alias ?
                    gc->account->alias : IRC_DEFAULT_ALIAS);

    Cheers,
    'ken'@FTU

    -- 
    'ken'@FTU <ken@ftusecurity.com>
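
The mitigation suggested in the post (use a name the user configured, otherwise a fixed neutral default, never the OS account name), as an added stand-alone example that is not part of the original post and is not Gaim's code. The function names, the `IRC_DEFAULT_IDENT` value and the 9-character cap (taken from the post's "9 char" remark) are assumptions; the line layout is the RFC 1459 `USER` command.

```c
#include <stdio.h>
#include <string.h>

#define IRC_DEFAULT_IDENT "gaimuser" /* hypothetical neutral default */
#define IRC_IDENT_MAX 9              /* assumption, from the post's "9 char" remark */

/* Copy src into dst, keeping only bytes that are safe in the USER name field. */
static void sanitize_ident(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    for (; *src && n + 1 < dstlen && n < IRC_IDENT_MAX; src++) {
        unsigned char c = (unsigned char)*src;
        if (c <= ' ' || c == '@' || c == '!' || c == ':' || c >= 0x7f)
            continue; /* drop separators, control bytes and non-ASCII */
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
}

/* Pick the name to register: configured value if usable, else the default.
 * The local account name is never consulted. */
const char *choose_ident(const char *configured, char *scratch, size_t len)
{
    if (configured) {
        sanitize_ident(scratch, len, configured);
        if (scratch[0])
            return scratch;
    }
    return IRC_DEFAULT_IDENT;
}

/* Build "USER <ident> <host> <server> :<realname>\r\n".
 * Returns the line length, or -1 if it does not fit in out. */
int build_user_line(char *out, size_t outlen, const char *configured,
                    const char *hostname, const char *server,
                    const char *realname)
{
    char ident[IRC_IDENT_MAX + 1];
    int n = snprintf(out, outlen, "USER %s %s %s :%s\r\n",
                     choose_ident(configured, ident, sizeof ident),
                     hostname, server, realname);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char line[256]; /* all values below are constructed samples */
    if (build_user_line(line, sizeof line, "", "localhost",
                        "irc.example.net", "Gaim user") > 0)
        fputs(line, stdout);
    return 0;
}
```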
    
