vulnwatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability

from [starcadi] [Permanent Link][Original]
To: vulnwatch <vulnwatch@vulnwatch.org>
Subject: [VulnWatch] Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability
From: starcadi <starcadi@gmail.com>
Date: Sat, 17 Mar 2007 19:31:18 +0100
Delivered-to: sp-com-lists@consult.net
Delivered-to: vulnwatch-list@securepoint.com
Delivered-to: mailing list vulnwatch@vulnwatch.org
Delivered-to: moderator for vulnwatch@vulnwatch.org
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=ro1bvn6dJKW335kCrGN6gDJiTBO+6c6mS/2JkmVDmgiK8IF7Sv1mL2bNoWm+YwJGFL1mKaZlhRktDD7WL5T8gZu5Hx4afI/Eg89Z+K7WmJ/e94QQXODcwV7yoOFm1vdJqiTjuE1WwXBEwjf9L6uwQs8D3HjCjHperYdPdHxoHwM=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=bxdZDORusOJcfv1HAIsdlZ8+H+dsXMs1GPtA3Cy6g5XEwWPQp7HxQ+hSwY19tYXHXA5VBL2rpYaalDrP+1P7J1KIKqMUBXlLbH1jIRw1LgtoTcmo47/MPAvYQQdI4aT+JOlDQiMo3YJuXfwdH9NeNhl6jZBTlnPKySiM5MMMO/A=
List-help: <mailto:vulnwatch-help@vulnwatch.org>
List-post: <mailto:vulnwatch@vulnwatch.org>
List-subscribe: <mailto:vulnwatch-subscribe@vulnwatch.org>
List-unsubscribe: <mailto:vulnwatch-unsubscribe@vulnwatch.org>
Mailing-list: contact vulnwatch-help@vulnwatch.org; run by ezmlm 
Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability

Description:

Rhapsody is a text console IRC client for Unix operating systems. It
is small, fast, portable, easy to use and full featured. An intuitive
menu-driven user interface makes rhapsody ideal for beginner to
intermediate users.
Found buffer overflow in various functions.
source: http://sourceforge.net/projects/rhapsody/

Source error:

#define MAXDATASIZE 1024
char nick[MAXDATASIZE];

- command request overflow

if (!sscanf(buffer, "/%s %[^\n]", command, parameters)){
        return(E_NONE);
}

- "connect" and "server" request overflow

if (strcasecmp(command, "connect") == 0 || strcasecmp(command, "server") == 0){
        pnum = sscanf(parameters, "%s %d", server, &port);
        if (pnum < 1){
                vprint_all("Usage: /%s <server> [port]\n", command);
                return(E_OTHER);
        }

- "nick" request overflow

else if (strcasecmp(command, "nick") == 0){
        pnum = sscanf(parameters, "%s", nick);
        if (pnum < 1){
                vprint_all("Usage: /nick <nick>\n");
        }
        else{
                sendcmd_server(currentserver, "NICK", nick, "", 
currentserver->nick);
                strcpy(currentserver->lastnick, currentserver->nick);
                strcpy(currentserver->nick, nick);

        }
        return(E_OTHER);
}

- "ctcp" request overflow

else if (strcasecmp(command, "ctcp") == 0){
        if (sscanf(parameters, "%s %[^\n]", nick, message) == 2){
                sendcmd_server(currentserver, "PRIVMSG",
create_ctcp_message(message), nick, currentserver->nick);
        }
        else vprint_all("Usage: /ctcp <nick> <message>|<command>\n");
        return(E_OTHER);
}

- "dcc chat/send" request overflow

if (strcasecmp(subcommand, "chat") == 0){
        pnum = sscanf(subparameters, "%s %[^\n]", nick, message);
        if (pnum < 1){
                vprint_all("Usage: /dcc chat <nick>\n");
                return(E_OTHER);
        }

- "notice" request overflow

else if (strcasecmp(command, "notice") == 0){
        pnum = sscanf(parameters, "%s %[^\n]", nick, message);
        if (pnum < 2){
                vprint_all("Usage: /%s <nick>|<channel> <message>\n", command);
                return(E_OTHER);
        }
        sendcmd_server(currentserver, "NOTICE", message, nick, 
currentserver->nick);
        return(E_OTHER);
}

- "msg" and "message" request overflow

else if (strcasecmp(command, "msg") == 0 || strcasecmp(command,
"message") == 0){
        pnum = sscanf(parameters, "%s %[^\n]", nick, message);
        if (pnum < 2){
                vprint_all("Usage: /%s <nick> <message>\n", command);
                return(E_OTHER);
        }
        else if (strcmp(nick, currentserver->nick) == 0) print_all("You can
not chat with yourself.\n");
        else if (!currentserver->active) print_all("Must be connected to a
server to chat.\n");
        else {
                sendcmd_server(currentserver, "PRIVMSG", message, nick, 
currentserver->nick);
                return(E_OTHER);
        }
}

- "chat" and "query" request overflow

else if (strcasecmp(command, "chat") == 0 || strcasecmp(command,
"query") == 0){
        chat *C;
                
        pnum = sscanf(parameters, "%s %[^\n]", nick, message);
        if (pnum < 1){
                vprint_all("Usage: /%s <nick> <message>\n", command);
                return(E_OTHER);
        }

- "me" and "ctcp" request format string

comm.c: 472
char *create_ctcp_message(char *message, ...){
        static char buffer[MAXDATASIZE];
       va_list ap;
        char string[MAXDATASIZE];

        va_start(ap, message);
        vsprintf(string, message, ap);
       va_end(ap);

        sprintf(buffer, "%c%s%c", 1, string, 1);
        return(buffer);
}

and other: whois, mode, topic..

--
.original http://intel.shacknet.nu/
~ starcadi
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability, starcadi <=
Previous by Date:  RE: Your Opinion, Jim Harrison
Next by Date:  Re: Your Opinion, Forrest J. Cavalier III
Previous by Thread:  Your Opinion +, Mark Litchfield
Next by Thread:  Conflict of Interest - My summary, Mark Litchfield
Indexes:  [Date] [Thread] [Top] [All Lists]