
| Subject: | [VulnWatch] Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability |
|---|---|
| Date: | Sat, 17 Mar 2007 19:31:18 +0100 |
Rhapsody IRC 0.28b (NICK): multiple format string (fs) and buffer overflow (bof) vulnerabilities
Description:
Rhapsody is a text console IRC client for Unix operating systems. It is small, fast, portable, easy to use and full featured. An intuitive menu-driven user interface makes rhapsody ideal for beginner to intermediate users. Buffer overflows were found in various functions, along with format string bugs in the "me" and "ctcp" requests.
Source: http://sourceforge.net/projects/rhapsody/
Source error:
#define MAXDATASIZE 1024
char nick[MAXDATASIZE];
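- command request overflow: the `%s` and `%[^\n]` conversions carry no field width, so sscanf() stores as many bytes as the input supplies, whatever the size of the destination array. The same unbounded conversions recur in the excerpts that follow.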
if (!sscanf(buffer, "/%s %[^\n]", command, parameters)){
return(E_NONE);
}
- "connect" and "server" request overflow
if (strcasecmp(command, "connect") == 0 || strcasecmp(command, "server") == 0){
pnum = sscanf(parameters, "%s %d", server, &port);
if (pnum < 1){
vprint_all("Usage: /%s <server> [port]\n", command);
return(E_OTHER);
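}
- "nick" request overflow: sscanf() fills the 1024-byte `nick` array without a width, and the result is then copied with strcpy() into currentserver->nick, whose size is not shown in this excerpt.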
else if (strcasecmp(command, "nick") == 0){
pnum = sscanf(parameters, "%s", nick);
if (pnum < 1){
vprint_all("Usage: /nick <nick>\n");
}
else{
sendcmd_server(currentserver, "NICK", nick, "",
currentserver->nick);
strcpy(currentserver->lastnick, currentserver->nick);
strcpy(currentserver->nick, nick); }
return(E_OTHER);
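}
- "ctcp" request overflow (the user's message is also passed as the first argument of create_ctcp_message(); see the format string item further down)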
else if (strcasecmp(command, "ctcp") == 0){
if (sscanf(parameters, "%s %[^\n]", nick, message) == 2){
sendcmd_server(currentserver, "PRIVMSG",
create_ctcp_message(message), nick, currentserver->nick);
}
else vprint_all("Usage: /ctcp <nick> <message>|<command>\n");
return(E_OTHER);
}
- "dcc chat/send" request overflow
if (strcasecmp(subcommand, "chat") == 0){
pnum = sscanf(subparameters, "%s %[^\n]", nick, message);
if (pnum < 1){
vprint_all("Usage: /dcc chat <nick>\n");
return(E_OTHER);
}
- "notice" request overflow
else if (strcasecmp(command, "notice") == 0){
pnum = sscanf(parameters, "%s %[^\n]", nick, message);
if (pnum < 2){
vprint_all("Usage: /%s <nick>|<channel> <message>\n", command);
return(E_OTHER);
}
sendcmd_server(currentserver, "NOTICE", message, nick,
currentserver->nick);
return(E_OTHER);
}
- "msg" and "message" request overflow
else if (strcasecmp(command, "msg") == 0 || strcasecmp(command,
"message") == 0){
pnum = sscanf(parameters, "%s %[^\n]", nick, message);
if (pnum < 2){
vprint_all("Usage: /%s <nick> <message>\n", command);
return(E_OTHER);
}
else if (strcmp(nick, currentserver->nick) == 0) print_all("You can
not chat with yourself.\n");
else if (!currentserver->active) print_all("Must be connected to a
server to chat.\n");
else {
sendcmd_server(currentserver, "PRIVMSG", message, nick,
currentserver->nick);
return(E_OTHER);
}
}
- "chat" and "query" request overflow
else if (strcasecmp(command, "chat") == 0 || strcasecmp(command,
"query") == 0){
chat *C;
pnum = sscanf(parameters, "%s %[^\n]", nick, message);
if (pnum < 1){
vprint_all("Usage: /%s <nick> <message>\n", command);
return(E_OTHER);
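}
- "me" and "ctcp" request format string: create_ctcp_message() uses its first argument as a printf-style format, and the "ctcp" handler above passes the user's message in that position (the "me" handler is not quoted here).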
comm.c: 472
/*
 * Build a CTCP payload: format `message` and its variadic arguments
 * printf-style, then wrap the result in a byte of value 1 on each side.
 *
 * Returns a pointer to a function-local static buffer, so each call
 * overwrites the previous result and the caller must not free it.
 *
 * NOTE(review): `message` is the format string. The "ctcp" handler quoted
 * in this advisory passes the user's text in that position, so conversion
 * specifiers typed by the user are interpreted here; callers should pass a
 * literal "%s" format with the text as an argument.
 */
char *create_ctcp_message(char *message, ...){
static char buffer[MAXDATASIZE];
va_list ap;
char string[MAXDATASIZE];
va_start(ap, message);
/* Unbounded: vsprintf() takes no size argument, so expanded output longer
   than MAXDATASIZE - 1 bytes overruns `string`;
   vsnprintf(string, sizeof string, message, ap) would bound it. */
vsprintf(string, message, ap);
va_end(ap);
/* Two delimiter bytes plus the terminator are added to a buffer of the same
   size as `string`, so a `string` of MAXDATASIZE - 2 characters or more
   overruns `buffer`; snprintf(buffer, sizeof buffer, ...) would bound it. */
sprintf(buffer, "%c%s%c", 1, string, 1);
return(buffer);
}
and other: whois, mode, topic..
-- .original http://intel.shacknet.nu/ ~ starcadi