COMMAND

Xchat /dns command execution vulnerability

SYSTEMS AFFECTED

Probably all XChat versions

PROBLEM

Spacewalker found the following bug in XChat [http://www.xchat.org], a graphical IRC client:

There is an issue in the way XChat handles the /exec command, and more precisely the /dns command. /dns is meant to resolve the host of another user: issuing "/dns some_nick" executes "%s %s", i.e. the preferred DNS program followed by the hostname of that person. The body of the cmd_dns() function, in common/outbound.c at line 1474, contains this:

{
  sprintf (tbuf, "/exec %s %s", prefs.dnsprogram, nick);
  handle_command (tbuf, sess, 0, 0);
}

and further on, at line 1863 in the cmd_exec() function:

execl ("/bin/sh", "sh", "-c", cmd, 0);

No characters are stripped from cmd. If you can force a server to return a hostname such as ";DISPLAY=localhost:0.0;xterm", the string passed to execl will be "host ;DISPLAY=localhost:0.0;xterm" (with "host" being the DNS program), which the shell splits at each ';' and so runs an arbitrary command. Note that the executed command is printed to the channel just before execution.

To exploit the hole, the attacker may force a server to respond to a whois command with a malformed hostname. So, two conditions must hold for the vulnerability to be exploitable:

* The target must be connected to a server the attacker controls (patched to return the crafted hostname)
* The target must run the /dns command on someone

SOLUTION

For now, don't go on unknown servers while a patch is being written. Generally, it's a bad idea to go on an unknown server with XChat. It trusts the protocol conventions too much and may be vulnerable in some strcpy()s (like in the example).
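As an added example (not XChat's code, and not part of the original advisory), the following C program places the unsafe pattern from the PROBLEM section, a command line built with sprintf() and handed to "/bin/sh -c", next to a hardened lookup that validates the server-supplied hostname and execs the DNS program directly with an argv array, so no shell ever parses attacker-controlled text. The program names ("echo" standing in for the DNS program) and the constructed "hostname" ";exit 42", which stands in for ";DISPLAY=localhost:0.0;xterm" and makes the injection visible as an exit status, are assumptions chosen for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Wait for a child and return its exit status, or -1 if it did not exit normally. */
static int child_status(pid_t pid)
{
    int st;
    if (waitpid(pid, &st, 0) != pid)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* VULNERABLE (mirrors cmd_dns()/cmd_exec()): the hostname the server sent is
 * pasted into a command line that sh parses, so a ';' in it starts a new command. */
int run_dns_via_shell(const char *prog, const char *hostname)
{
    char cmd[512];
    if (snprintf(cmd, sizeof cmd, "%s %s", prog, hostname) >= (int)sizeof cmd)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    return child_status(pid);
}

/* Accept only what a DNS hostname may contain: letters, digits, '.' and '-',
 * no empty labels, at most 253 bytes, and a leading alphanumeric (a leading
 * '-' is rejected so the value cannot be read as an option by the DNS program). */
int hostname_is_safe(const char *h)
{
    size_t len = strlen(h);
    if (len == 0 || len > 253 || !isalnum((unsigned char)h[0]))
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
        if (c == '.' && h[i + 1] == '.')
            return 0;
    }
    return 1;
}

/* HARDENED: refuse anything that is not a plain hostname, then exec the DNS
 * program directly. argv elements reach the program verbatim; there is no shell
 * to interpret ';', '|', '$' or backquotes. */
int run_dns_direct(const char *prog, const char *hostname)
{
    if (!hostname_is_safe(hostname))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { (char *)prog, (char *)hostname, NULL };
        execvp(prog, argv);
        _exit(127);
    }
    return child_status(pid);
}

int main(void)
{
    /* Constructed inputs: "echo" stands in for the DNS program and the "hostname"
     * ";exit 42" stands in for ";DISPLAY=localhost:0.0;xterm" from the advisory. */
    printf("shell,  injected: status %d\n", run_dns_via_shell("echo", ";exit 42"));
    printf("direct, injected: status %d\n", run_dns_direct("echo", ";exit 42"));
    printf("direct, clean   : status %d\n", run_dns_direct("echo", "irc.example.org"));
    return 0;
}
```

With the shell path, "echo ;exit 42" runs echo and then the injected second command, so the child's exit status is 42, exactly the mechanism by which ";xterm" would be run; the direct path rejects that hostname before any process is spawned and runs the clean one with status 0. Validating the input is still worthwhile on top of dropping the shell, since the DNS program itself may treat an odd-looking argument as an option.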