IRC-Junkie.org – IRC News

All about Internet Relay Chat

Nettalk fixes crash bug and releases 6.6.4

Nettalk, an open-source IRC client for Windows, has been updated to version 6.6.4.

The main reason behind this update was a bug found in version 6.5.6 of the client: a crash that can be triggered remotely using CTCP messages.

Whenever the first character of a message is an ASCII 1 (the CTCP delimiter), the client crashes. According to Nettalk author Mirici, the bug cannot be exploited to cause more harm than crashing the client, but he has released a fixed version nonetheless.

Other reasons why users of Nettalk might want to upgrade are the “improved DCC function that is much faster compared to other clients” and the “improved and fixed handling of Chinese character handling using both UTF-8 and ASCII”.

Thanks go to Elmaron for the tip and Mirici for quickly fixing the bug!

UnrealIRCd updates their IRCd to 3.2.8.1

The UnrealIRCd project has released a bugfix release for version 3.2.8; the current release is now 3.2.8.1.

The bugfix became necessary because a crash had been found in the allow::options::noident option.

In a short interview, developer nate explains how the crash is triggered and how to avoid it:

There was an issue in allow::options::noident, where if it was enabled in an allow block that a user could potentially crash a server due to a buffer overflow. As far as we’ve been able to see, there’s no risk of remote code execution as much as it just causing a segfault. The main ways of resolving it are updating to 3.2.8.1 or simply making sure no allow blocks specifically have noident (which most by default won’t thankfully).

It is vulnerable in past versions before 3.2.8 as well.

Asked how far back exactly, nate says the exploit exists “at least back towards 3.2.3 (before that we wouldn’t support anyways due to exploits way back then)”.
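The workaround nate describes, making sure no allow block enables allow::options::noident, can be checked automatically. The following Python script is an added example and is not part of the article or of UnrealIRCd itself: it uses a minimal brace-aware parser for the UnrealIRCd 3.2 configuration syntax (items of the form `name value;` and blocks of the form `name { ... };`, with `/* */`, `//` and `#` comments) and runs it over a constructed configuration fragment. It only reports which allow blocks set noident; it does not test a server.

```python
import re

# Constructed sample unrealircd.conf fragment (not taken from the article):
# the second allow block enables allow::options::noident.
SAMPLE_CONF = """
/* constructed example, two allow blocks */
allow {
    ip *@*;
    hostname *@*;
    class clients;
    maxperip 3;
};

allow {
    ip *@192.168.*;
    hostname *@*.lan;
    class clients;
    options {
        noident;      // the option the 3.2.8 crash depends on
        useip;
    };
};

listen *:6667;
"""

# A token is a quoted string, one of the three structural characters, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text):
    """Remove the three comment styles the UnrealIRCd config syntax allows."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    text = re.sub(r'//[^\n]*', '', text)
    return re.sub(r'#[^\n]*', '', text)


def parse_conf(text):
    """Parse `name value... ;` items and `name { ... };` blocks into
    (name, values, children) triples; children is None for plain items."""
    tokens = TOKEN_RE.findall(strip_comments(text))
    pos = 0

    def entries(inside_block):
        nonlocal pos
        result = []
        while pos < len(tokens):
            tok = tokens[pos]
            if tok == '}':
                if not inside_block:
                    raise ValueError('unexpected "}"')
                pos += 1
                return result
            pos += 1
            values = []
            while pos < len(tokens) and tokens[pos] not in ('{', '}', ';'):
                values.append(tokens[pos].strip('"'))
                pos += 1
            children = None
            if pos < len(tokens) and tokens[pos] == '{':
                pos += 1
                children = entries(True)
            if pos < len(tokens) and tokens[pos] == ';':
                pos += 1
            result.append((tok, values, children))
        if inside_block:
            raise ValueError('unterminated block')
        return result

    return entries(False)


def allow_blocks_with_noident(conf_text):
    """Return the 1-based positions of allow blocks whose options sub-block
    contains noident; an empty list means the workaround is already in place."""
    flagged = []
    allow_no = 0
    for name, _values, children in parse_conf(conf_text):
        if name != 'allow':
            continue
        allow_no += 1
        for cname, _cvalues, cchildren in children or []:
            if cname == 'options' and cchildren is not None:
                if any(opt == 'noident' for opt, _v, _c in cchildren):
                    flagged.append(allow_no)
                    break
    return flagged


if __name__ == '__main__':
    hits = allow_blocks_with_noident(SAMPLE_CONF)
    if hits:
        print('allow blocks with noident enabled: %s' % hits)
    else:
        print('no allow block enables noident')
```

Run it against a real configuration by reading the file into `allow_blocks_with_noident`; on the sample above it reports block 2. The parser deliberately ignores everything except the block structure, so include-directives and module settings pass through untouched.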

Thanks for the tip go to Reed Loden, and to nate for taking the time to answer my questions!

phpDenora fixes XSS vulnerability

After being notified about a cross-site scripting vulnerability in phpDenora, IRC-Junkie quickly tried to get in touch with the project.

The vulnerability – which generally can be used to steal cookies – exists at least in phpDenora’s then-latest stable release, version 1.2.2, and “possibly all other versions”, says developer Hal9000.

Due to missing sanitization, the vulnerability could be exploited using specially crafted channel names that are displayed on several pages of phpDenora; according to phpDenora’s Hal9000, on the “channel listing, the channel stats page, the user stats page and the top channel list on the homepage – if the channel is in the top X channels”.

To test whether your installation of phpDenora is vulnerable, you can simply /join #<script>alert('XSS')</script> and then visit one of the mentioned pages – if you get a popup, you should upgrade.

But since channel names are usually quite limited in length and usable character set, serious threats like stolen cookies are unlikely. Nonetheless, this upgrade is a recommended one.
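The root cause Hal9000 describes, channel names rendered into HTML without sanitization, is easy to reproduce and to fix in any language. The following Python code is an added example, not phpDenora’s code: it models one row of a channel listing linking to a hypothetical stats page named `channel.php` (phpDenora’s real page names are not reproduced), validates the channel name against the IRC channel-name rules from RFC 2812 (a prefix character, no spaces, commas or BEL, at most 50 characters) to show that a name like the /join test above is a perfectly legal IRC channel, and then contrasts raw interpolation with context-aware escaping for the HTML text and for the URL inside the link.

```python
import html
import re
from urllib.parse import quote

# RFC 2812 channel name rules: a prefix character followed by up to 49
# characters that are not NUL, BEL, CR, LF, space or comma.
CHANNEL_RE = re.compile(r'^[#&!+][^\x00\x07\r\n ,]{1,49}$')

# Constructed test channel name, the same shape as the /join test in the article.
PAYLOAD = "#<script>alert('XSS')</script>"

# Hypothetical stats page name; phpDenora's real URLs are not reproduced here.
STATS_PAGE = 'channel.php'


def is_valid_irc_channel(name):
    """True if an IRC server would accept this channel name."""
    return bool(CHANNEL_RE.match(name))


def render_channel_row_unsafe(name, users):
    """The vulnerable pattern: the channel name is dropped into the page as-is."""
    return '<tr><td><a href="%s?chan=%s">%s</a></td><td>%d</td></tr>' % (
        STATS_PAGE, name, name, users)


def render_channel_row(name, users):
    """The fixed pattern: escape for the HTML text context and percent-encode
    for the URL context; the two contexts need different encoders."""
    return '<tr><td><a href="%s?chan=%s">%s</a></td><td>%d</td></tr>' % (
        STATS_PAGE, quote(name, safe=''), html.escape(name, quote=True), users)


def render_channel_table(channels, safe=True):
    """Render a top-channels table from (name, users) pairs; names that are
    not even valid IRC channels are skipped as obviously bogus input."""
    render = render_channel_row if safe else render_channel_row_unsafe
    rows = [render(n, u) for n, u in channels if is_valid_irc_channel(n)]
    return '<table>\n%s\n</table>' % '\n'.join(rows)


if __name__ == '__main__':
    sample = [('#help', 42), (PAYLOAD, 3)]
    print(render_channel_table(sample, safe=False))
    print(render_channel_table(sample))
```

The point of keeping `is_valid_irc_channel` in the example is that it is not a defence: the payload passes it, because `<`, `>`, quotes and parentheses are all legal in IRC channel names. Only output encoding at the point where the name enters the page neutralizes it, and the encoder has to match the context (HTML text versus URL query string).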

The download for phpDenora 1.2.3 can be found here.

Thanks go to Shawn for reporting the vulnerability, to w00t for making the initial contact with Hal9000, and of course to Hal9000 for being so quick to fix the vulnerability.

KVIrc 3.4.2 URI handler in combination with IE exploitable [Updated]

Not even a month ago, the Windows release of KVIrc 3.4.0 was vulnerable to what was at least a DoS/crash.

As of yesterday, new exploits have been posted on the usual sites around the internet – but this time it is not the fault of KVIrc’s URI handler, because the bug is only exploitable if the malicious link is opened with Microsoft’s Internet Explorer, and it is possible because of IE’s unique way of handling double quotes (") in links.

This time it is possible not just to crash a victim’s client but to execute a command of the attacker’s choice – opening a whole can of worms, as any command can be executed with the privileges of the attacked user.

In an interview conducted on IRC with members of the KVIrc team, they said that “the ‘vulnerability’ is present in any program’s URI handling engine until they decide to work around IE’s oddities”, which, according to this posting on their mailing list, involves using DDE to pass links back and forth between applications.

Since only a few members of the KVIrc team are able to compile the client for Windows, it might take a little while until a fix appears, but they assured IRC-Junkie that the issue is being worked on.

Update 11/22/2008, ~8 hours later: An updated package has been released for testing which contains “all the latest fixes for the bugs found in 3.4.2.” The download link is in this mailing list posting.

Quassel IRC CTCP Command Injection Vulnerability

Another day, another IRC client vulnerability…

Researchers have found a remotely exploitable vulnerability in the Quassel IRC client.

Quoted from the project’s homepage:

Well, looks like 0.3.0.2 was not the last 0.3.0 release after all. coekie found an issue with CTCP handling in Quassel Core that allows attackers to send arbitrary IRC messages on your behalf. This issue is present in all versions prior to 0.3.0.3 and Git older than October 26th (rev. d7a0381).

Details on the vulnerability are provided on the webpage of the exploit’s author:

A CTCP ping where the value contains a CTCP quoted newline ('\020' + 'n') will let the Quassel core reply with a message containing an unquoted newline ('\n'). The IRC server interprets this as a command separator.

Having a newline separator injected into your IRC session means that anybody who sends a carefully crafted, malicious CTCP ping to your vulnerable client will be able to append an arbitrary command to it that the client executes with your privileges – just as if you had typed it yourself.
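Both the Nettalk crash from the first item (a message whose first character is ASCII 1, i.e. an empty CTCP request) and the Quassel bug (a CTCP PING whose value carries a low-level-quoted newline that is echoed back unquoted) live in the same small piece of client code: the CTCP parser and the reply builder. The following Python code is an added example, not Nettalk’s or Quassel’s code. It implements the CTCP low-level quoting rules (\020 as the quote character, with \020n, \020r, \0200 and \020\020 standing for LF, CR, NUL and a literal \020), tolerates empty requests instead of indexing past them, and shows side by side a reply builder that re-injects the newline and one that re-quotes the value before it goes on the wire. The attacking message is constructed inline.

```python
import re

M_QUOTE = '\x10'   # CTCP low-level quote character (octal \020)
X_DELIM = '\x01'   # CTCP request delimiter (the "ASCII 1" from the Nettalk item)

_DEQUOTE = {'0': '\0', 'n': '\n', 'r': '\r', M_QUOTE: M_QUOTE}


def ctcp_low_dequote(s):
    """Undo low-level quoting: \\020n -> LF, \\020r -> CR, \\0200 -> NUL, \\020\\020 -> \\020."""
    out, i = [], 0
    while i < len(s):
        if s[i] == M_QUOTE and i + 1 < len(s):
            out.append(_DEQUOTE.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def ctcp_low_quote(s):
    """Apply low-level quoting so the value cannot contain a raw CR, LF or NUL."""
    return (s.replace(M_QUOTE, M_QUOTE * 2)
             .replace('\0', M_QUOTE + '0')
             .replace('\n', M_QUOTE + 'n')
             .replace('\r', M_QUOTE + 'r'))


def extract_ctcp(text):
    """Split a (dequoted) PRIVMSG text into plain text and (tag, data) requests.
    A bare \\x01 yields an empty tag instead of an index error."""
    parts = text.split(X_DELIM)
    plain = ''.join(parts[0::2])
    requests = []
    for chunk in parts[1::2]:
        tag, _sep, data = chunk.partition(' ')
        requests.append((tag.upper(), data))
    return plain, requests


def build_reply_unsafe(nick, tag, data):
    """Vulnerable pattern: the dequoted value goes back on the wire verbatim."""
    body = tag + (' ' + data if data else '')
    return 'NOTICE %s :%s%s%s\r\n' % (nick, X_DELIM, body, X_DELIM)


def build_reply(nick, tag, data):
    """Fixed pattern: re-quote the value, so CR/LF cannot end the line early."""
    body = tag + (' ' + ctcp_low_quote(data) if data else '')
    return 'NOTICE %s :%s%s%s\r\n' % (nick, X_DELIM, body, X_DELIM)


def handle_privmsg(nick, raw_text, safe=True):
    """Process an incoming PRIVMSG text; returns the wire lines to send back."""
    build = build_reply if safe else build_reply_unsafe
    _plain, requests = extract_ctcp(ctcp_low_dequote(raw_text))
    replies = []
    for tag, data in requests:
        if tag == 'PING':
            replies.append(build(nick, 'PING', data))
        elif tag == 'VERSION':
            replies.append(build(nick, 'VERSION', 'example-client 0.1'))
        # empty or unknown tags are ignored rather than answered
    return replies


def wire_commands(line):
    """The IRC commands a server would parse out of this outgoing data."""
    return [l for l in re.split(r'\r?\n', line) if l]


# Constructed attack: a CTCP PING whose value hides an extra command behind a
# low-level-quoted newline (the \020n from the description above).
MALICIOUS_PING = '\x01PING 12345\x10nPRIVMSG #chan :injected\x01'

if __name__ == '__main__':
    for safe in (False, True):
        out = handle_privmsg('attacker', MALICIOUS_PING, safe=safe)[0]
        print('safe=%s -> %d command(s): %r' % (safe, len(wire_commands(out)), out))
```

With the unsafe builder the NOTICE line splits into two commands at the server, the second being whatever followed the quoted newline; with the fixed builder the value is re-quoted and the reply stays one command. The same parser handles the bare ASCII 1 case by producing an empty tag that the handler simply ignores.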

The vulnerability is patched in version 0.3.0.3 which is available for download here.

As noted on the homepage, some distributions already have the new version available in their package repositories; others should update manually.

Gentoo and *buntu already ship the new version, with more distributions hopefully following ASAP. If you still use a 0.2-rc1 core, please consider updating to 0.3.x as soon as possible. Note that we provide unstable, but fixed packages for Debian now, thanks to dileX.