Bugtraq: BitchX - more on format bugs?

BitchX - more on format bugs?

From: Forever shall I be. <zinx_at_LINUXFREAK.COM>
Date: Mon, 3 Jul 2000 10:34:09 -0500

Well, I've not seen this posted to bugtraq yet, so here goes... BitchX has
fallen victim to the infamous format bug... All unpatched versions of
BitchX are apparently vulnerable (patch follows)..

I've done a bit of messing around myself, and I think this bug can be used
to execute arbitrary code (via %n method outlined in previous articles) --
Over here the user string (channel argument to invite) is around the 24th
argument (aka %24$n) when compiled with gcc 2.95.2 on x86 boxes running
glibc 2.1.3, it varies if your setup is different of course..

Now.. That's not to say the exploit will be portable (it won't be), or
easy (it probably won't be difficult, but it won't be easy -- you can only
use characters valid to channel names, though there are a lot.. and on
some servers, you have to prefix it with #, which makes big endian
exploits near impossible)

and by the way, I didn't find the bug, nor create the patch..

That's all folks..

--
Zinx Verituse <zinx_at_linuxfreak.com>
gpg (id 921B1558) (fp 5746 73A1 2184 A27A 9EC0  EDCC E132 BCEF 921B 1558)
TEXT/PLAIN attachment: 1.0c16-format.patch
Received on Jul 05 2000
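The defect the post describes, shown as an added C example (not BitchX's code and not the attached patch): a user-supplied channel name that reaches snprintf as the format string, beside the fixed-format version and a small audit helper that spots conversion specifications in channel data. The function names, the INVITE line layout and the buffer size are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outgoing IRC line buffer size; a constructed value, not BitchX's. */
#define LINE_MAX_LEN 512

/* Vulnerable pattern: the user-controlled channel name ends up as the
 * format string itself, so any '%' sequence in it is interpreted by
 * snprintf.  gcc/clang flag this with -Wformat-security; the warning is
 * silenced here only so the known-bad pattern compiles for comparison. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int format_invite_vulnerable(char *out, size_t outlen,
                             const char *nick, const char *channel)
{
    char msg[LINE_MAX_LEN];
    snprintf(msg, sizeof msg, "INVITE %s %s", nick, channel);
    return snprintf(out, outlen, msg);   /* BUG: msg is data, not a format */
}
#pragma GCC diagnostic pop

/* Hardened form: the format string is a literal; user data only ever fills
 * a %s, so a "%24$n" inside a channel name is copied as plain text. */
int format_invite_fixed(char *out, size_t outlen,
                        const char *nick, const char *channel)
{
    return snprintf(out, outlen, "INVITE %s %s", nick, channel);
}

/* Audit helper: true if s carries a conversion specification (anything
 * after '%' other than a second '%'), i.e. input that would be dangerous
 * if it ever reached a printf-family function as the format argument. */
bool has_conversion_spec(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') {          /* "%%" is just a literal percent sign */
            p++;
            continue;
        }
        return true;                /* "%n", "%x", "%24$n", lone '%' ... */
    }
    return false;
}
```

Building with -Werror=format-security turns the vulnerable function into a compile error, which is the cheapest way to keep this class of bug out of a tree.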