Re: Possible hole in xchat
From: Ron DuFresne (dufresne@winternet.com)
Date: 01/02/02
- Previous message: Rémi Cohen-Scali: "Re: blackshell tool1: SSHD vulnerability scanner"
- In reply to: SirExar@crazy-horse.net: "Possible hole in xchat"
- Next in thread: Korhan GURLER: "Re: Possible hole in xchat"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 1 Jan 2002 21:45:24 -0600 (CST)
From: Ron DuFresne <dufresne@winternet.com>
To: SirExar@crazy-horse.net
As per the bitchx discussion, probably not, unless the /exec -o function
can be interjected remotely by outsiders; else it would be at best a self-exploit
situation. Now, if this /exec -o function can be amassed via ttys
or ptys by another user on the system, or some other remote vector, then
there is an issue.
Thanks,
Ron DuFresne
On Tue, 1 Jan 2002 SirExar@crazy-horse.net wrote:
> Slackware 8.0
>
> Xchat 1.8.5
>
> When you execute a command using exec -o in xchat, the command is executed
> and the output sent to the current window.
> If you execute a command of a lengthy nature, such as 5000 characters : )
> Xchat seg faults; this could lead to possible buffer overflow problems,
> because the memory address is rewritten.
> I used perl -e 'print "A" x 5000' to cause the fault (/exec -o perl -e
> 'print "A" x 5000'), which should produce an EIP of 0x41414141.
> (Hex A)
>
> GNU gdb 5.0
> Copyright 2000 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-slackware-linux"...
> (gdb) r
> Starting program: /usr/bin/xchat
> [New Thread 1024 (LWP 14486)]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 1024 (LWP 14486)]
> 0x80993b0 in handle_command (
> cmd=0x41414141 <Address 0x41414141 out of bounds>, sess=0x41414141,
> history=1094795585, nocommand=1094795585) at outbound.c:3390
> 3390 outbound.c: No such file or directory.
> (gdb)
>
>
> I'm not sure if it's exploitable or even a problem, but I thought it was
> worth a try.
>
> -exar
>
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
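The crash quoted above is the classic shape of an output-handling bug: the length of whatever a child process prints, rather than the size of the client's own buffer, decides how many bytes get written, and a 5000-byte line of "A"s lands in saved registers. The following is an added illustration written for this archive page, not xchat's code or a fix from its authors. It assumes a hypothetical outbound line limit of 512 bytes (the RFC 1459 message size; the actual xchat limit is not given in the thread) and shows the two defensive pieces a client needs regardless of how /exec -o is reached: a copy that is bounded by the destination, and a splitter that turns an arbitrarily long line of child output into several bounded messages instead of one oversized write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for one outbound IRC line (RFC 1459 gives 512 bytes
 * including CRLF). The real xchat value is not stated on the page. */
#define OUT_LINE_MAX 512

/* Bounded copy of one line of child output into a fixed-size destination.
 * Always NUL-terminates. Returns 1 if src had to be truncated, else 0.
 * The destination size, not the output length, limits what is written. */
int copy_output_line(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0)
        return 1;
    if (n >= dstlen) {
        memcpy(dst, src, dstlen - 1);
        dst[dstlen - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Split raw child output into newline-delimited lines, and each line into
 * chunks of at most chunk_len bytes, handing every chunk to emit().
 * Empty lines produce no chunk. Returns the number of chunks emitted. */
size_t deliver_exec_output(const char *raw, size_t rawlen, size_t chunk_len,
                           void (*emit)(const char *chunk, size_t len, void *ctx),
                           void *ctx)
{
    size_t chunks = 0, pos = 0;
    if (chunk_len == 0)
        return 0;
    while (pos < rawlen) {
        const char *nl = memchr(raw + pos, '\n', rawlen - pos);
        size_t line_end = nl ? (size_t)(nl - raw) : rawlen;
        size_t line_len = line_end - pos;
        while (line_len > 0) {
            size_t take = line_len < chunk_len ? line_len : chunk_len;
            emit(raw + pos, take, ctx);
            chunks++;
            pos += take;
            line_len -= take;
        }
        if (nl)
            pos = line_end + 1;   /* skip the newline itself */
    }
    return chunks;
}

/* Collects chunk statistics; stands in for the "send to window" step. */
struct chunk_stats { size_t count; size_t max_len; size_t total; };

static void record_chunk(const char *chunk, size_t len, void *ctx)
{
    struct chunk_stats *s = ctx;
    (void)chunk;
    s->count++;
    s->total += len;
    if (len > s->max_len)
        s->max_len = len;
}

/* Constructed input: n copies of c (the thread's 5000 x "A" case).
 * Returns the chunk count; optionally reports the largest chunk. */
size_t chunks_for_repeated(char c, size_t n, size_t chunk_len, size_t *max_len_out)
{
    char *buf = malloc(n ? n : 1);
    struct chunk_stats s = {0, 0, 0};
    size_t chunks;
    if (!buf)
        return 0;
    memset(buf, c, n);
    chunks = deliver_exec_output(buf, n, chunk_len, record_chunk, &s);
    if (max_len_out)
        *max_len_out = s.max_len;
    free(buf);
    return chunks;
}

/* Chunk count for an arbitrary constructed string (newlines honoured). */
size_t chunks_for_string(const char *text, size_t chunk_len)
{
    struct chunk_stats s = {0, 0, 0};
    return deliver_exec_output(text, strlen(text), chunk_len, record_chunk, &s);
}

/* Wrapper so truncation behaviour can be checked on a heap buffer of dstlen. */
int truncation_check(size_t dstlen, const char *src, size_t *result_len)
{
    char *dst = malloc(dstlen);
    int truncated;
    if (!dst)
        return -1;
    truncated = copy_output_line(dst, dstlen, src);
    if (result_len)
        *result_len = strlen(dst);
    free(dst);
    return truncated;
}

int main(void)
{
    size_t max_len = 0;
    size_t chunks = chunks_for_repeated('A', 5000, OUT_LINE_MAX, &max_len);
    printf("5000-byte line -> %zu chunks, largest %zu bytes\n", chunks, max_len);
    return 0;
}
```

The splitter is the part that matters for a client: with it in place a long line of child output costs some extra messages to the channel, not control of EIP. Whether the trigger is local (the user's own /exec) or reachable by another party, as Ron's reply asks, only changes the severity, not the fix.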