Xchat /dns command execution vulnerability
From: SpaceWalker <spacewalker () altern org>
Date: Wed, 27 Mar 2002 19:20:48 +0100
Xchat - Remote command execution
name : Xchat
date : 27/3/2002
description : Xchat is a graphical IRC client widely used on Linux and *BSD
severity : Low risk
homepage : www.xchat.org
versions : probably all
Bug description :
There is an issue in the way xchat handles the /exec command, and more
precisely in the /dns command.
/dns is meant to resolve the host of somebody, by issuing the command
"%s %s", preferred dns program, hostname of the person
The body of the cmd_dns() function contains this, in common/outbound.c at line 1474:
sprintf (tbuf, "/exec %s %s", prefs.dnsprogram, nick);
handle_command (tbuf, sess, 0, 0);
and far away, at line 1863 in the cmd_exec() function:
execl ("/bin/sh", "sh", "-c", cmd, 0);
No character is stripped out of cmd: if you can force a server to
respond to a dns lookup with ";DISPLAY=localhost:0.0;xterm",
the command passed to execl will be
which will run an arbitrary command.
Anyway, the executed command is printed to the channel just before
To exploit the hole, the attacker may force a server to respond to a whois
command with a malformed dns.
So, two conditions to exploit the vuln:
* The target must be on your own patched server
* He must run the /dns command on someone
For now, don't go on unknown servers while a patch is being coded.
Generally, it's a bad idea to go on an unknown server with xchat. It trusts
the protocol conventions too much and may be vulnerable in some strcpy()s
(like in the example).
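A hardened version of the cmd_dns()/cmd_exec() pattern, added here as an illustration and not part of xchat or of the original post: the server-supplied name is checked against a hostname character set before use, and the resolver program is started with execvp() and an argv array instead of through /bin/sh -c, so a ';' or a DISPLAY= assignment in the name never reaches a shell. The function names and the character set are my own choices.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only what a hostname may contain: letters, digits, '-' and '.',
   1..253 bytes, not starting with '-' or '.'. A ';', a space or a '=' in a
   name sent by the IRC server is rejected here instead of being passed on. */
bool is_safe_hostname(const char *host)
{
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > 253)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return false;
    }
    return host[0] != '-' && host[0] != '.';
}

/* Run "<dnsprogram> <host>" directly: argv is an array handed to execvp(),
   so no shell ever parses the string and metacharacters are inert.
   Returns the child's exit status, or -1 when the name is rejected or the
   program could not be started. */
int run_dns_lookup(const char *dnsprogram, const char *host)
{
    if (!is_safe_hostname(host))
        return -1;                      /* refuse before fork(): nothing runs */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)dnsprogram, (char *)host, NULL };
        execvp(dnsprogram, argv);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```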
Spacewalker <spacewalker () altern org>