Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052995 漏洞类型
发布时间 2007-03-21 更新时间 2007-03-21
CVE编号 CVE-2007-1502
CVE-2007-1503
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2007030145
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability

Description:

Rhapsody is a text console IRC client for Unix operating systems. It
is small, fast, portable, easy to use and full featured. An intuitive
menu-driven user interface makes rhapsody ideal for beginner to
intermediate users.
Found buffer overflow in various functions.
source: http://sourceforge.net/projects/rhapsody/

Source error:

#define MAXDATASIZE 1024
char nick[MAXDATASIZE];

- command request overflow

if (!sscanf(buffer, "/%s %[^\n]", command, parameters)){
	return(E_NONE);
}

- "connect" and "server" request overflow

if (strcasecmp(command, "connect") == 0 || strcasecmp(command, "server") == 0){
	pnum = sscanf(parameters, "%s %d", server, &port);
	if (pnum < 1){
		vprint_all("Usage: /%s <server> [port]\n", command);
		return(E_OTHER);
	}

- "nick" request overflow

else if (strcasecmp(command, "nick") == 0){
	pnum = sscanf(parameters, "%s", nick);
	if (pnum < 1){
		vprint_all("Usage: /nick <nick>\n");
	}
	else{
		sendcmd_server(currentserver, "NICK", nick, "", currentserver->nick);
		strcpy(currentserver->lastnick, currentserver->nick);
		strcpy(currentserver->nick, nick);

}
	return(E_OTHER);
}

- "ctcp" request overflow

else if (strcasecmp(command, "ctcp") == 0){
	if (sscanf(parameters, "%s %[^\n]", nick, message) == 2){
		sendcmd_server(currentserver, "PRIVMSG",
create_ctcp_message(message), nick, currentserver->nick);
	}
	else vprint_all("Usage: /ctcp <nick> <message>|<command>\n");
	return(E_OTHER);
}

- "dcc chat/send" request overflow

if (strcasecmp(subcommand, "chat") == 0){
	pnum = sscanf(subparameters, "%s %[^\n]", nick, message);
	if (pnum < 1){
		vprint_all("Usage: /dcc chat <nick>\n");
		return(E_OTHER);
	}

- "notice" request overflow

else if (strcasecmp(command, "notice") == 0){
	pnum = sscanf(parameters, "%s %[^\n]", nick, message);
	if (pnum < 2){
		vprint_all("Usage: /%s <nick>|<channel> <message>\n", command);
		return(E_OTHER);
	}
	sendcmd_server(currentserver, "NOTICE", message, nick, currentserver->nick);
	return(E_OTHER);
}

- "msg" and "message" request overflow

else if (strcasecmp(command, "msg") == 0 || strcasecmp(command,
"message") == 0){
	pnum = sscanf(parameters, "%s %[^\n]", nick, message);
	if (pnum < 2){
		vprint_all("Usage: /%s <nick> <message>\n", command);
		return(E_OTHER);
	}
	else if (strcmp(nick, currentserver->nick) == 0) print_all("You can
not chat with yourself.\n");
	else if (!currentserver->active) print_all("Must be connected to a
server to chat.\n");
	else {
		sendcmd_server(currentserver, "PRIVMSG", message, nick, currentserver->nick);
		return(E_OTHER);
	}
}

- "chat" and "query" request overflow

else if (strcasecmp(command, "chat") == 0 || strcasecmp(command,
"query") == 0){
	chat *C;
		
	pnum = sscanf(parameters, "%s %[^\n]", nick, message);
	if (pnum < 1){
		vprint_all("Usage: /%s <nick> <message>\n", command);
		return(E_OTHER);
	}

- "me" and "ctcp" request format string

comm.c: 472
char *create_ctcp_message(char *message, ...){
	static char buffer[MAXDATASIZE];
        va_list ap;
	char string[MAXDATASIZE];

va_start(ap, message);
	vsprintf(string, message, ap);
        va_end(ap);

sprintf(buffer, "%c%s%c", 1, string, 1);
	return(buffer);
}

and other: whois, mode, topic..

-- 
.original http://intel.shacknet.nu/
~ starcadi