Home page logo

bugtraq logo Bugtraq mailing list archives

Pirch 98 Link Handling Buffer Overflow
From: David Rude II <david () thegain com>
Date: 21 Jun 2002 08:48:48 -0000

Author:   David D. Rude II david () thegain com
Release Date:   June 20th 2002
Systems Affected:   All versions of Windows Capable of running this 
Severity:   Medium
Credits:   Cryptix from irc.pulltheplug.com
This bug was discovered a very long time ago by cryptix. When I was made 
aware of the problem which existed in pirch 98 I tried to contact the 
pirch developers to no avail. So I decided to keep this bug unreleased for 
quite some time. The reason I am releasing this advisory now is because a 
new version of pirch has been released and can be downloaded at pirch.com 
and it is no longer vulnerable to this kind of attack. I might have made a 
bad decision in keeping this advisory to myself however it was my choice 
at the time. 
Pirch is a irc client which many windows users use as a replacement for 
MIRC and other windows irc clients. It runs on many platforms of windows.
A buffer overflow exists in pirch 98 which could potentially allow remote 
execution of arbitrary code. The overflow exists in the way that pirch 98 
handles links. When I say links I mean hyperlinks to other channels and 
websites and possibly other forms of hyperlinks. The problem occurs when a 
long buffer is sent in either a channel or a private message. As far as I 
can tell the problem does not exist within the DCC Chat feature. 
To properly overflow the pirch98 irc client the buffer must be formated 
correctly and there must be a specific amount of links in the buffer. 
Proof of Concept:
If you run the a irc client (anyone you wish) and also run the pirch98 
client you can test this out for your self.
Here is an example of the properly formated buffer:
#t #e #s #t #i #n #g #t #e #s #t #i #n #g #t #e #s #t #i #n #g #t #e #s #t 
#i #n #g #t #e #s #t #i #n #g ........<lots of channel links>
As you will discover to get the correct amount of hyper links to overflow 
the client you need to make the links as short as possible. 
Exploiting this vulnerability is theoretically possible. However it would 
be very difficult to do. In what area are you going to place the 
shellcode? That maybe the toughest question to answer in this situation. 
Under the right conditions it is certainly plausable to think that 
exploitation can occur. 
The Fix:
The most obvious solution here is to upgrade to the latest version of 
pirch. It can be downloaded at www.pirch.com.

  By Date           By Thread  

Current thread:
  • Pirch 98 Link Handling Buffer Overflow David Rude II (Jun 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]