Re: Possible hole in xchat

From: Ron DuFresne (dufresne@winternet.com)
Date: 01/02/02


Date: Tue, 1 Jan 2002 21:45:24 -0600 (CST)
From: Ron DuFresne <dufresne@winternet.com>
To: SirExar@crazy-horse.net


As per the bitchx discussion, probably not, unless the /exec -o function
can be interjected remotely by outsiders; else it would be at best a
self-exploit situation. Now, if this /exec -o function can be amassed via
ttys or ptys by another user on the system, or some other remote vector,
then there is an issue.

Thanks,

Ron DuFresne

On Tue, 1 Jan 2002 SirExar@crazy-horse.net wrote:

> Slackware 8.0
>
> Xchat 1.8.5
>
> When you execute a command using exec -o in xchat, the command is executed
> and the output sent to the current window.
> If you execute a command of a lengthy nature, such as 5000 characters : )
> Xchat seg faults. This could lead to possible buffer overflow problems,
> because the memory address is rewritten.
> I used perl -e 'print "A" x 5000' to cause the fault (/exec -o perl -e
> 'print "A" x 5000'), which should produce an EIP of 0x41414141.
> (Hex A)
>
> GNU gdb 5.0
> Copyright 2000 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-slackware-linux"...
> (gdb) r
> Starting program: /usr/bin/xchat
> [New Thread 1024 (LWP 14486)]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 1024 (LWP 14486)]
> 0x80993b0 in handle_command (
> cmd=0x41414141 <Address 0x41414141 out of bounds>, sess=0x41414141,
> history=1094795585, nocommand=1094795585) at outbound.c:3390
> 3390 outbound.c: No such file or directory.
> (gdb)
>
>
> I'm not sure if it's exploitable or even a problem, but I thought it was
> worth a try.
>
> -exar
>
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
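The report above is that a single 5000-character line of /exec -o output lands in a fixed-size buffer and clobbers the saved return address. The defensive pattern for this class of bug is to never let the child's line length dictate how much is written: read the pipe with a bounded call and hand overlong lines to the window as several chunks. The following is an added example written for this thread, not xchat's code; `OUT_CHUNK`, `pump_output` and the `struct stats` callback are hypothetical names, and the 5000-byte line is constructed in memory with `fmemopen` rather than by spawning perl.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Hypothetical per-chunk limit for output handed to the chat window. */
#define OUT_CHUNK 256

/* Counters filled in by the example callback; `last` holds the most recent run. */
struct stats { size_t chunks; size_t max_len; size_t total; };
static struct stats last;

static void count_chunk(const char *chunk, void *ctx) {
    struct stats *s = ctx;
    size_t n = strlen(chunk);
    s->chunks++;
    s->total += n;
    if (n > s->max_len) s->max_len = n;
}

/* Bounded pump: fgets() writes at most sizeof(buf)-1 bytes plus a NUL, so a
 * 5000-byte line arrives as several OUT_CHUNK-1 byte chunks instead of
 * overrunning the stack buffer. Returns the number of chunks delivered. */
size_t pump_output(FILE *fp, void (*deliver)(const char *, void *), void *ctx) {
    char buf[OUT_CHUNK];
    size_t chunks = 0;
    while (fgets(buf, sizeof buf, fp) != NULL) {
        size_t n = strlen(buf);
        if (n > 0 && buf[n - 1] == '\n')
            buf[n - 1] = '\0';          /* strip the line terminator only */
        deliver(buf, ctx);
        chunks++;
    }
    return chunks;
}

/* Constructed input: `len` bytes of 'A' followed by a newline, simulating the
 * output of `perl -e 'print "A" x 5000'` without running any child process.
 * Returns the chunk count and leaves the counters in `last`. */
size_t demo_long_line(size_t len) {
    char *data = malloc(len + 2);
    if (data == NULL) return 0;
    memset(data, 'A', len);
    data[len] = '\n';
    data[len + 1] = '\0';
    FILE *fp = fmemopen(data, len + 1, "r");
    memset(&last, 0, sizeof last);
    size_t chunks = fp ? pump_output(fp, count_chunk, &last) : 0;
    if (fp) fclose(fp);
    free(data);
    return chunks;
}

int main(void) {
    size_t chunks = demo_long_line(5000);
    printf("%zu chunks, longest %zu bytes, %zu bytes total\n",
           chunks, last.max_len, last.total);
    return 0;
}
```

With a 256-byte buffer the 5000-character line is delivered as 19 chunks of 255 bytes plus one of 155, and nothing is ever written past `buf`; the window code then only has to cope with a line being split, which is a display nuisance rather than a memory-safety bug.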


