BitchX IRC Client "/INVITE" Format String Vulnerability
BID:1436
Info
| Bugtraq ID: | 1436 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 05 2000 12:00AM |
| Updated: | Jul 05 2000 12:00AM |
| Credit: | Posted to BugTraq on July 3, 2000 by Zinx Verituse <[email protected]>. Reported to the BitchX developers by eTs on efnet. |
| Vulnerable: | BitchX IRC Client 1.0 c16; BitchX IRC Client 75p3; BitchX IRC Client 75p1 |
| Not Vulnerable: | |
Discussion
BitchX IRC clients, versions 75 up to and including 1.0c16, are vulnerable to a denial of service and possible remote code execution. By /invite-ing someone to a channel whose name contains format specifiers (%s, %n, etc.), an IRC user can cause the targeted user's BitchX client to segfault. The cause is that BitchX passes the channel name from the invite to the logging function as its format string (which is used directly in a vsprintf), rather than as an argument to the format. The KILL command is affected as well.
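The flaw class described above, as an added example that is not BitchX source code: a printf-style logger called with peer-supplied text as the format, next to the corrected call that passes the same text as an argument. The names `log_event`, `on_invite`, `on_invite_vulnerable` and `last_log` are hypothetical, and the channel name is constructed sample input.

```c
/* Added example: all names are hypothetical, not taken from BitchX. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_log[256];            /* stand-in for the client's log sink */

#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* printf-style logger: the first argument is always interpreted as a format.
 * The attribute lets the compiler check every call site. */
static int log_event(const char *fmt, ...) PRINTF_LIKE(1, 2);

static int log_event(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    /* vsnprintf bounds the write; vsprintf does not. */
    int n = vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
    return n;
}

#ifdef SHOW_VULNERABLE_PATTERN
/* The flawed shape: peer-supplied text is the format string, so any
 * conversion specifier in it is interpreted. Not compiled by default. */
static int on_invite_vulnerable(const char *channel)
{
    return log_event(channel);        /* flagged by -Wformat-security */
}
#endif

/* Corrected shape: constant format, peer-supplied text passed as arguments. */
static int on_invite(const char *from, const char *channel)
{
    return log_event("%s invites you to %s", from, channel);
}

int main(void)
{
    /* Constructed input: a channel name containing conversion specifiers. */
    on_invite("somenick", "#chan%s%n");
    puts(last_log);                   /* the specifiers appear literally */
    return 0;
}
```

Building with `-Wformat -Wformat-security -Werror` turns any remaining call of the first shape into a compile error.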