Xchat - Remote command execution

name        : Xchat
date        : 27/3/2002
description : Xchat is a graphical IRC client widely used in the Linux and *BSD community
severity    : Low risk
homepage    : www.xchat.org
versions    : probably all

Bug description :

There is an issue in the way xchat handles the /exec command, and more accurately in the /dns command. /dns should resolve somebody's host: issuing the command "/dns some_nick" executes "%s %s", i.e. the preferred DNS program followed by the hostname of that person.

The body of the cmd_dns() function contains this, in common/outbound.c line 1474:

    {
        sprintf (tbuf, "/exec %s %s", prefs.dnsprogram, nick);
        handle_command (tbuf, sess, 0, 0);
    }

and far away, at line 1863 in the cmd_exec() function:

    execl ("/bin/sh", "sh", "-c", cmd, 0);

No character is stripped out of cmd: if you can force a server to respond to a DNS lookup with ";DISPLAY=localhost:0.0;xterm", the command passed to execl will be "host;DISPLAY=localhost:0.0;xterm", which will run an arbitrary command. Note that the executed command is printed to the channel just before execution.

To exploit the hole, the attacker may force a server to respond to a whois command with a malformed DNS name. So, two conditions to exploit the vuln:

* The target must be on your own patched server
* He must run the /dns command on someone

Solution :

For now, don't go on unknown servers while a patch is being coded. Generally, it's a bad idea to go on an unknown server with xchat. It trusts the protocol conventions too much and may be vulnerable in some strcpy()s (like in the example).

Spacewalker <spacewalker@altern.org>
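The root cause above is that a hostname taken from the network is spliced into a string that /bin/sh then parses. The following C is an added example, not xchat code, showing the two defensive measures a fix would combine: reject any hostname that is not syntactically a DNS name (so shell metacharacters such as ';' never get through), and exec the resolver directly with an argv vector instead of via "sh -c" so no shell ever interprets the string. The function names (is_safe_hostname, build_shell_command, run_resolver) and the "host" resolver name are this example's own assumptions; the malicious string is the one quoted in the advisory.

```c
/* Added example (not xchat source): hostname validation and shell-free
 * execution of a resolver. Function names are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_HOSTNAME 253
#define MAX_LABEL    63

/* Return 1 if 'host' is a syntactically valid DNS hostname (RFC 1123 style:
 * labels of letters, digits and '-', separated by '.', no empty labels,
 * no label starting or ending with '-'), otherwise 0. Anything a shell
 * would treat specially (';', '$', '|', space, ...) fails this check. */
int is_safe_hostname(const char *host)
{
    size_t len = strlen(host);
    size_t label = 0;                /* length of the label being scanned */
    if (len == 0 || len > MAX_HOSTNAME)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            /* empty label, or label ending in '-' */
            if (label == 0 || host[i - 1] == '-')
                return 0;
            label = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return 0;
        if (label == 0 && c == '-')  /* label may not start with '-' */
            return 0;
        if (++label > MAX_LABEL)
            return 0;
    }
    /* a trailing '.' leaves label == 0; a final '-' is also rejected */
    return label > 0 && host[len - 1] != '-';
}

/* The pattern the advisory describes: the hostname is formatted into one
 * command line destined for "sh -c", so a ';' inside it starts a second
 * command. Kept only to show what the hardened path avoids; nothing here
 * runs the resulting string. Returns 1 if it fit in the buffer. */
int build_shell_command(char *buf, size_t buflen,
                        const char *dnsprog, const char *host)
{
    int n = snprintf(buf, buflen, "%s %s", dnsprog, host);
    return n >= 0 && (size_t)n < buflen;
}

/* Hardened path: refuse anything that is not a hostname, then exec the
 * resolver with a fixed argv. No shell parses the string, so no character
 * in 'host' can be special. Returns the resolver's exit status, or -1 on
 * rejection or failure. */
int run_resolver(const char *dnsprog, const char *host)
{
    if (!is_safe_hostname(host))
        return -1;                   /* reject rather than try to sanitise */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(dnsprog, dnsprog, host, (char *)NULL);
        _exit(127);                  /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* hostname string quoted in the advisory */
    const char *evil = ";DISPLAY=localhost:0.0;xterm";
    char cmd[256];
    build_shell_command(cmd, sizeof cmd, "host", evil);
    printf("line a shell would have parsed: %s\n", cmd);
    printf("is_safe_hostname: irc.example.org=%d evil=%d\n",
           is_safe_hostname("irc.example.org"), is_safe_hostname(evil));
    printf("run_resolver on evil input: %d (rejected before any exec)\n",
           run_resolver("host", evil));
    return 0;
}
```

run_resolver refuses the advisory's string before fork() is reached, so the injected text never meets a shell; with a well-formed hostname it execs the resolver binary directly. Whitelisting the hostname grammar is preferable to stripping ';' because it also blocks every other shell metacharacter and anything the IRC server can send that a resolver should never see.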