Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16399
HistoryMar 18, 2007 - 12:00 a.m.

Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability

2007-03-1800:00:00
vulners.com
9

Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability

Description:

Rhapsody is a text console IRC client for Unix operating systems. It
is small, fast, portable, easy to use and full featured. An intuitive
menu-driven user interface makes rhapsody ideal for beginner to
intermediate users.
Found buffer overflow in various functions.
source: http://sourceforge.net/projects/rhapsody/

Source error:

#define MAXDATASIZE 1024
char nick[MAXDATASIZE];

  • command request overflow

if (!sscanf(buffer, "/%s %[^\n]", command, parameters)){
return(E_NONE);
}

  • "connect" and "server" request overflow

if (strcasecmp(command, "connect") == 0 || strcasecmp(command, "server") == 0){
pnum = sscanf(parameters, "%s %d", server, &port);
if (pnum < 1){
vprint_all("Usage: /%s <server> [port]\n", command);
return(E_OTHER);
}

  • "nick" request overflow

else if (strcasecmp(command, "nick") == 0){
pnum = sscanf(parameters, "%s", nick);
if (pnum < 1){
vprint_all("Usage: /nick <nick>\n");
}
else{
sendcmd_server(currentserver, "NICK", nick, "", currentserver->nick);
strcpy(currentserver->lastnick, currentserver->nick);
strcpy(currentserver->nick, nick);

    }
    return&#40;E_OTHER&#41;;

}

  • "ctcp" request overflow

else if (strcasecmp(command, "ctcp") == 0){
if (sscanf(parameters, "%s %[^\n]", nick, message) == 2){
sendcmd_server(currentserver, "PRIVMSG",
create_ctcp_message(message), nick, currentserver->nick);
}
else vprint_all("Usage: /ctcp <nick> <message>|<command>\n");
return(E_OTHER);
}

  • "dcc chat/send" request overflow

if (strcasecmp(subcommand, "chat") == 0){
pnum = sscanf(subparameters, "%s %[^\n]", nick, message);
if (pnum < 1){
vprint_all("Usage: /dcc chat <nick>\n");
return(E_OTHER);
}

  • "notice" request overflow

else if (strcasecmp(command, "notice") == 0){
pnum = sscanf(parameters, "%s %[^\n]", nick, message);
if (pnum < 2){
vprint_all("Usage: /%s <nick>|<channel> <message>\n", command);
return(E_OTHER);
}
sendcmd_server(currentserver, "NOTICE", message, nick, currentserver->nick);
return(E_OTHER);
}

  • "msg" and "message" request overflow

else if (strcasecmp(command, "msg") == 0 || strcasecmp(command,
"message") == 0){
pnum = sscanf(parameters, "%s %[^\n]", nick, message);
if (pnum < 2){
vprint_all("Usage: /%s <nick> <message>\n", command);
return(E_OTHER);
}
else if (strcmp(nick, currentserver->nick) == 0) print_all("You can
not chat with yourself.\n");
else if (!currentserver->active) print_all("Must be connected to a
server to chat.\n");
else {
sendcmd_server(currentserver, "PRIVMSG", message, nick, currentserver->nick);
return(E_OTHER);
}
}

  • "chat" and "query" request overflow

else if (strcasecmp(command, "chat") == 0 || strcasecmp(command,
"query") == 0){
chat *C;

    pnum = sscanf&#40;parameters, &quot;&#37;s &#37;[^&#92;n]&quot;, nick, message&#41;;
    if &#40;pnum &lt; 1&#41;{
            vprint_all&#40;&quot;Usage: /&#37;s &lt;nick&gt; &lt;message&gt;&#92;n&quot;, command&#41;;
            return&#40;E_OTHER&#41;;
    }
  • "me" and "ctcp" request format string

comm.c: 472
char *create_ctcp_message(char *message, …){
static char buffer[MAXDATASIZE];
va_list ap;
char string[MAXDATASIZE];

    va_start&#40;ap, message&#41;;
    vsprintf&#40;string, message, ap&#41;;
    va_end&#40;ap&#41;;

    sprintf&#40;buffer, &quot;&#37;c&#37;s&#37;c&quot;, 1, string, 1&#41;;
    return&#40;buffer&#41;;

}

and other: whois, mode, topic…

–
.original http://intel.shacknet.nu/
~ starcadi