Bugtraq mailing list archives

Xchat /dns command execution vulnerability
From: SpaceWalker <spacewalker () altern org>
Date: Wed, 27 Mar 2002 19:20:48 +0100

Xchat - Remote command execution

name            : Xchat
date            : 27/3/2002
description     : Xchat is a graphical IRC client widely used on Linux and *BSD
severity        : Low risk
homepage        : www.xchat.org
versions        : probably all
Bug description :

There is an issue in the way xchat handles the /exec command, and more
precisely in the /dns command.
/dns is meant to resolve somebody's host: issuing the command
"/dns some_nick"
executes
"%s %s", preferred DNS program, hostname of the person

The body of the cmd_dns() function contains this, in common/outbound.c at line 1474:
sprintf (tbuf, "/exec %s %s", prefs.dnsprogram, nick);
handle_command (tbuf, sess, 0, 0);

and far away, at line 1863 in the cmd_exec() function:
execl ("/bin/sh", "sh", "-c", cmd, 0);
No character is stripped out of cmd: if you can force a server to
respond to a DNS lookup with ";DISPLAY=localhost:0.0;xterm",
the command passed to execl() will be
which will run an arbitrary command.
Anyway, the executed command is printed to the channel just before it is executed.
To exploit the hole, the attacker may force a server to respond to a whois
command with a malformed hostname.
So, two conditions to exploit the vuln:
* The target must be on your own patched server
* He must run the /dns command on someone
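As an added illustration (not XChat's code), the snippet below reproduces the shape of the /dns -> /exec path described above, where the hostname is formatted into a string that later reaches sh -c, next to a hardened replacement that validates the hostname and passes it to execvp() as a single argv entry so the shell never parses it. The program name "host" and the helper names are assumptions for the example.

```c
/* Added example, not XChat's code: the /dns -> /exec path from the advisory
 * beside a hardened version that never hands the hostname to a shell. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable shape: hostname formatted into a command line that will later
 * reach execl("/bin/sh", "sh", "-c", cmd, 0), so a ';' splits commands. */
int build_shell_cmd(char *out, size_t n, const char *dnsprog, const char *host)
{
    return snprintf(out, n, "%s %s", dnsprog, host);
}

/* Hostnames per RFC 1123: letters, digits, '-', '.'; nothing the shell
 * could interpret. Returns 1 if acceptable, 0 otherwise. */
int is_safe_hostname(const char *h)
{
    size_t len = strlen(h);
    if (len == 0 || len > 253 || h[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Hardened: validate, then fork+execvp with a fixed argv and no shell.
 * Returns the child's exit status, or -1 if the hostname is rejected. */
int run_dns_lookup(const char *dnsprog, const char *host)
{
    if (!is_safe_hostname(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)dnsprog, (char *)host, NULL };
        execvp(dnsprog, argv);   /* argv[1] is one argument, never parsed */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *evil = ";DISPLAY=localhost:0.0;xterm";  /* value from the advisory */
    char cmd[256];
    build_shell_cmd(cmd, sizeof cmd, "host", evil);      /* "host" assumed dnsprogram */
    printf("shell would see: sh -c \"%s\"\n", cmd);
    printf("hardened path: %s\n", run_dns_lookup("host", evil) == -1 ? "rejected" : "ran");
    return 0;
}
```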

Solution        :
For now, don't connect to unknown servers while a patch is being coded.
Generally, it's a bad idea to connect to an unknown server with xchat. It trusts
the protocol conventions too much and may be vulnerable in some strcpy()s
(like in the example).

Spacewalker <spacewalker () altern org>
