COMMAND

    ircd

SYSTEMS AFFECTED

    BitchX

PROBLEM

Rick Jansen found the following. Because of a simple

    /invite nickname #%s%s%s%s%s%s%s%s%s

BitchX will segfault and coredump. AFAIK, v1.0c16 is vulnerable; other versions may be vulnerable as well.

'typo' added that this is a fatal and exploitable bug. And the rest of BitchX's code doesn't look much better.. let's examine the rest of parse.c, just looking for completely similar issues with logmsg:

    parse.c:1033: warning: TESO: Insufficient Format arguments: logmsg(4/5).
    parse.c:1100: warning: TESO: Insufficient Format arguments: logmsg(4/5).

    parse.c:1033: logmsg(LOG_INVITE, from, 0, invite_channel);
    parse.c:1100: logmsg(LOG_KILL, from, 0, ArgList[1]?ArgList[1]:"(No Reason)");

BitchX's privileged-port DCC protection is susceptible to overflowing the port argument (meaning: it is ineffectual).

Under FreeBSD 4, /invite-ing somebody to a channel with %s%s%s%s in the name causes a segmentation violation on the remote client. Linux appears not to suffer from this problem, but this is probably just a lucky break. Linux (RedHat 6.1, Debian Frozen) does die if you invite somebody to channel %n%n%n%n. As many system administrators, including very senior ones, leave their client open 24 hours a day, possibly in a screen session, this might be a real problem waiting to happen.

The bug affects all versions of BitchX from 75 through 1.0c16, and does not affect EPIC or any other clients. The invite parsing is the easiest to exploit, but the bug also exists in the kill parsing. The patch existed before the bug was publicly known. There were also locally exploitable format bugs, but they have been fixed now. The next version of BitchX will include all of these fixes, and they have been applied to the CVS repository.

SOLUTION

A temporary solution is to switch to another client, like ircII, which is considered by many to be the more karmic client anyway.
A patch has been available on ftp.bitchx.org:

    ftp://ftp.bitchx.org/pub/BitchX/source/1.0c16-format.patch
    ftp://ftp.bitchx.org/pub/BitchX/source/75p3-format.patch

Fixed packages for Debian 2.2 are also available, and fixed packages for Debian 2.1 are forthcoming.

As a workaround, issue the following BitchX command (e.g. as part of a startup script):

    /ignore * invites

which will disable processing of channel invitation messages.

For FreeBSD:

1) Upgrade your entire ports collection and rebuild the bitchx port.

2) Deinstall the old package and install a new package dated after the correction date (2000-07-03), obtained from:

    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/bitchx-1.0c16.tar.gz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/irc/bitchx-1.0c16.tar.gz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/irc/bitchx-1.0c16.tar.gz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/bitchx-1.0c16.tar.gz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/irc/bitchx-1.0c16.tar.gz

3) Download a new port skeleton for the bitchx port from http://www.freebsd.org/ports/ and use it to rebuild the port.
For RedHat (Red Hat Powertools 6.2):

    sparc:   ftp://updates.redhat.com/powertools/6.2/sparc/BitchX-1.0c16-1.sparc.rpm
    alpha:   ftp://updates.redhat.com/powertools/6.2/alpha/BitchX-1.0c16-1.alpha.rpm
    i386:    ftp://updates.redhat.com/powertools/6.2/i386/BitchX-1.0c16-1.i386.rpm
    sources: ftp://updates.redhat.com/powertools/6.2/SRPMS/BitchX-1.0c16-1.src.rpm

For Conectiva Linux, users of BitchX must upgrade:

    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/BitchX-75p3-9cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/wserv-1.13-2cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/BitchX-75p3-9cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/wserv-1.13-2cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/BitchX-75p3-9cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/wserv-1.13-2cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/BitchX-75p3-9cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/wserv-1.13-2cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/BitchX-75p3-9cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/wserv-1.13-2cl.i386.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/SRPMS/BitchX-75p3-9cl.src.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/SRPMS/BitchX-75p3-9cl.src.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/SRPMS/BitchX-75p3-9cl.src.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/SRPMS/BitchX-75p3-9cl.src.rpm
    ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/BitchX-75p3-9cl.src.rpm

For Mandrake Linux:

    6.1/RPMS/BitchX-75p3-12mdk.i586.rpm
    6.1/SRPMS/BitchX-75p3-12mdk.src.rpm
    7.0/RPMS/BitchX-75p3-12mdk.i586.rpm
    7.0/SRPMS/BitchX-75p3-12mdk.src.rpm
    7.1/RPMS/BitchX-75p3-12mdk.i586.rpm
    7.1/SRPMS/BitchX-75p3-12mdk.src.rpm

For Caldera Systems:

    ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/irc-BX-75p3-5.i386.rpm
    ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS/irc-BX-75p3-5.src.rpm
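The logmsg() call shape quoted from parse.c in the PROBLEM section, reduced to a runnable C illustration. This is an added example, not BitchX's own code: the logmsg() signature and the LOG_INVITE value are assumptions, the vulnerable call is shown beside its fixed form, and a small check is included that a defender could use to spot conversion directives in incoming channel names.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOG_INVITE 1   /* assumed value; BitchX's real constant differs */

/* Stand-in for BitchX's logmsg(): level, sender, a flag, then a printf-style
 * format plus arguments (the "4/5" in the TESO warning). Writes to `out`.
 * __attribute__((format(printf, 6, 7))) would let gcc flag the bug below. */
static void logmsg(char *out, size_t n, int level, const char *from,
                   int flag, const char *fmt, ...)
{
    va_list ap; (void)flag;
    int off = snprintf(out, n, "[%d] %s: ", level, from);
    if (off < 0 || (size_t)off >= n) return;
    va_start(ap, fmt);
    vsnprintf(out + off, n - (size_t)off, fmt, ap);
    va_end(ap);
}

/* The call shape flagged at parse.c:1033: the remotely supplied channel name
 * lands in the format slot, so every '%' in it is treated as a conversion
 * with no matching argument. */
static void log_invite_vulnerable(char *out, size_t n, const char *from,
                                  const char *invite_channel)
{
    logmsg(out, n, LOG_INVITE, from, 0, invite_channel);   /* BUG */
}

/* Hardened form: constant format, untrusted data only ever as an argument. */
static void log_invite_fixed(char *out, size_t n, const char *from,
                             const char *invite_channel)
{
    logmsg(out, n, LOG_INVITE, from, 0, "%s", invite_channel);
}

/* Detection aid for a bouncer or IDS rule: does a channel name carry a
 * conversion directive? "%%" is a literal percent sign and is not counted. */
static bool has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return true;
    }
    return false;
}
```

With the fixed call, an invite to "#%n%n%n%n" is logged verbatim instead of being interpreted.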