Author: David D. Rude II david@thegain.com
Release Date: June 20th 2002
Systems Affected: All versions of Windows capable of running this software.
Severity: Medium
Credits: Cryptix from irc.pulltheplug.com

Introduction:
This bug was discovered a very long time ago by cryptix. When I was made aware of the problem which existed in Pirch 98 I tried to contact the Pirch developers, to no avail. So I decided to keep this bug unreleased for quite some time. The reason I am releasing this advisory now is that a new version of Pirch has been released, can be downloaded at pirch.com, and is no longer vulnerable to this kind of attack. I might have made a bad decision in keeping this advisory to myself; however, it was my choice at the time.

Pirch is an IRC client which many Windows users use as a replacement for mIRC and other Windows IRC clients. It runs on many Windows platforms.

Details:
A buffer overflow exists in Pirch 98 which could potentially allow remote execution of arbitrary code. The overflow is in the way Pirch 98 handles links, meaning hyperlinks to other channels and websites and possibly other forms of hyperlinks. The problem occurs when a long buffer is sent in either a channel or a private message. As far as I can tell the problem does not exist within the DCC Chat feature. To overflow the Pirch 98 IRC client the buffer must be formatted correctly and there must be a specific number of links in the buffer.

Proof of Concept:
If you run an IRC client (any one you wish) alongside the Pirch 98 client you can test this out for yourself. Here is an example of the properly formatted buffer:

#t #e #s #t #i #n #g #t #e #s #t #i #n #g #t #e #s #t #i #n #g #t #e #s #t #i #n #g #t #e #s #t #i #n #g ........<lots of channel links>

As you will discover, to get the correct number of hyperlinks to overflow the client you need to make the links as short as possible.
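The pattern described above (a single PRIVMSG carrying an abnormal number of very short channel links) is easy to spot on the wire, for instance in an IRC bouncer or proxy log. The following is an added example, not code from the advisory or from Pirch; the thresholds, the sample lines and the helper names are assumptions chosen for illustration.

```python
import re
from typing import Dict, List

# Assumed thresholds for this example (not values from the advisory).
MAX_CHANNEL_LINKS = 32   # more short links than this in one message is abnormal
MAX_TEXT_LEN = 400       # message text longer than this is abnormal

# A channel link: '#' at the start of a token, running to whitespace or a comma.
CHANNEL_LINK_RE = re.compile(r"(?<!\S)#[^\s,]+")


def split_irc_line(line: str):
    """Return (command, text) for a raw IRC line such as
    ':nick!user@host PRIVMSG #chan :message text'."""
    body = line
    if body.startswith(":"):                 # drop the optional sender prefix
        _, _, body = body.partition(" ")
    head, sep, text = body.partition(" :")   # first ' :' starts the trailing param
    command = head.split(" ", 1)[0] if head else ""
    return command, (text if sep else "")


def channel_links(text: str) -> List[str]:
    return CHANNEL_LINK_RE.findall(text)


def inspect_line(line: str) -> Dict[str, object]:
    """Flag PRIVMSG/NOTICE lines whose text carries an abnormal count of
    short channel links, or whose text is abnormally long."""
    command, text = split_irc_line(line)
    if command not in ("PRIVMSG", "NOTICE"):
        return {"command": command, "link_count": 0, "avg_link_len": 0.0,
                "text_len": len(text), "suspicious": False}
    links = channel_links(text)
    avg_len = sum(len(l) for l in links) / len(links) if links else 0.0
    many_short_links = len(links) > MAX_CHANNEL_LINKS and avg_len <= 3
    suspicious = many_short_links or len(text) > MAX_TEXT_LEN
    return {"command": command, "link_count": len(links), "avg_link_len": avg_len,
            "text_len": len(text), "suspicious": suspicious}


# Constructed sample traffic: one ordinary message and one built in the
# shape the advisory describes (many two-character channel links).
BENIGN_LINE = ":alice!a@host PRIVMSG #chan :join us in #security for the talk"
FLOOD_LINE = ":mallory!m@host PRIVMSG #chan :" + " ".join("#" + c for c in "testing" * 10)

if __name__ == "__main__":
    for raw in (BENIGN_LINE, FLOOD_LINE):
        print(inspect_line(raw))
```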
Exploitation:
Exploiting this vulnerability is theoretically possible; however, it would be very difficult to do. Where are you going to place the shellcode? That may be the toughest question to answer in this situation. Under the right conditions it is certainly plausible to think that exploitation can occur.

The Fix:
The most obvious solution here is to upgrade to the latest version of Pirch. It can be downloaded at www.pirch.com.