COMMAND

    ircii/bitchx (tested: BitchX 74p2, 74p4 and ircII 4.4)

SYSTEMS AFFECTED

    Systems running the clients above

PROBLEM

    Paul Boehm found the following.  Telnet to an IRC server (hb.irc.at)
    and have someone DCC CHAT you.  The request will look roughly like this:

        :forcer!forcer@ppp09.junior-net.de
                PRIVMSG flowmne :DCC CHAT chat 3500393993 28219

    The first number is the longip (the IP address in compact numeric form)
    and the second is the port the DCC CHAT initiator is listening on.
    Now telnet to ppp09.junior-net.de port 28219 and send about 2000 A's
    followed by a \n; the connection will close and forcer's IRC client
    will exit with (EOF from Client).  This was tested with BitchX 74p2,
    74p4 and ircII 4.4.

    It looks as though this is exploitable, and the standard "execute
    arbitrary code" exploit can follow once a DCC CHAT has been accepted.
    In short, the IRC clients do not expect a long, non-terminated line,
    since RFC1459 (the IRC protocol) specifies a maximum line length of
    511 bytes plus the newline.
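    To show what bounded line handling looks like for the DCC CHAT case above, here is an added example (hypothetical helper code, not the clients' or the patch's own code): a reader that enforces the RFC1459 limit of 511 bytes plus the newline and refuses to copy an over-long or still-unterminated run into a fixed buffer, so the caller can close the session instead.

```c
#include <stdio.h>
#include <string.h>

/* RFC 1459 limit: 511 bytes of message plus the terminating newline. */
#define IRC_MAX_LINE 511

enum line_status { LINE_TOO_LONG = -1, LINE_INCOMPLETE = -2 };

/*
 * Hypothetical helper, not ircII/BitchX code.  Extracts one line from
 * `input` (len bytes, need not be NUL-terminated) into `out` (outsz bytes).
 * Returns the number of input bytes consumed (newline included) on success,
 * LINE_INCOMPLETE if no newline has arrived yet, or LINE_TOO_LONG if the
 * line exceeds IRC_MAX_LINE.  An over-long line is never copied, so the
 * caller can close the session instead of feeding it to a fixed buffer.
 */
int dcc_read_line(const char *input, size_t len, char *out, size_t outsz)
{
    const char *nl = memchr(input, '\n', len);
    size_t linelen;
    if (nl == NULL) {
        /* Unterminated so far: once the pending bytes already exceed the
           limit, no valid line can follow, so report it now. */
        return len > IRC_MAX_LINE ? LINE_TOO_LONG : LINE_INCOMPLETE;
    }
    linelen = (size_t)(nl - input);
    if (linelen > 0 && input[linelen - 1] == '\r')
        linelen--;                       /* tolerate CRLF line endings */
    if (linelen > IRC_MAX_LINE || linelen >= outsz)
        return LINE_TOO_LONG;
    memcpy(out, input, linelen);
    out[linelen] = '\0';
    return (int)(nl - input) + 1;
}

int main(void)
{
    /* Constructed sample input: a normal line, then a 2000-byte run of
       'A' with no newline, as in the report. */
    char out[IRC_MAX_LINE + 1];
    char flood[2000];
    const char *msg = "DCC CHAT hello\r\n";
    int n = dcc_read_line(msg, strlen(msg), out, sizeof out);
    printf("consumed %d bytes: \"%s\"\n", n, out);
    memset(flood, 'A', sizeof flood);
    n = dcc_read_line(flood, sizeof flood, out, sizeof out);
    printf("oversized input -> status %d, close the session\n", n);
    return 0;
}
```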

SOLUTION

    A patch is available at:

        http://webserver.de/forcer/code/patch-ircii-4.4+noinfect

    and is appended below.  The problem also showed up in the ssfe
    frontend to sirc:

        http://webserver.de/forcer/code/patch-sirc-2.211+noinfect

    The ircII maintainers replied that the patch will not go into the
    client as it is, since many Unices lack the snprintf() function.
    The patch follows:

    diff -urN ircii-4.4/source/hook.c ircii-4.4-noinfect/source/hook.c
    --- ircii-4.4/source/hook.c     Mon Apr 21 08:34:00 1997
    +++ ircii-4.4-noinfect/source/hook.c    Sat May 30 20:11:28 1998
    @@ -431,7 +431,7 @@

     #ifdef HAVE_STDARG_H
            va_start(vl, format);
    -       vsprintf(buffer, format, vl);
    +       vsnprintf(buffer, BIG_BUFFER_SIZE+1, format, vl);
            va_end(vl);
     #else
            sprintf(buffer, format, arg1, arg2, arg3, arg4, arg5, arg6);
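    Review bot: the bound is applied only in the HAVE_STDARG_H branch; the #else branch on the last context line still calls `sprintf(buffer, format, arg1, arg2, arg3, arg4, arg5, arg6);` with no length limit, so a build without <stdarg.h> keeps the overflow, and that is exactly the portability case the maintainers raise. A check on the length of the string arguments against BIG_BUFFER_SIZE before formatting, or a precision such as `%.*s` in the format, would bound both branches without depending on snprintf(). Two smaller points: `BIG_BUFFER_SIZE+1` is only safe if `buffer` is really declared with that many bytes, which this hunk does not show, and vsnprintf() truncates silently, so the caller never learns that a line was cut; checking the return value against the buffer size would at least make the truncation visible.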