muh IRC Log Format String Vulnerability
BID:1665
Info
muh IRC Log Format String Vulnerability
| Bugtraq ID: | 1665 |
| Class: | Input Validation Error |
| CVE: |
CVE-2000-0857 |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 09 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | Discussed in a message posted to BugTraq on September 9, 2000 by Maxime Henrion <[email protected]>. |
| Vulnerable: |
Sebastian Kienzl muh 2.0 5d |
| Not Vulnerable: | |
Discussion
Solution / Fix
muh IRC Log Format String Vulnerability
Solution:
Patch (from a BugTraq message by Kris Kennaway <[email protected]>):
--- src/muh.c.orig Sun Mar 19 04:08:27 2000
+++ src/muh.c Sat Sep 9 21:32:15 2000
@@ -575,7 +575,7 @@
if( strcmp( param2 + 2, "USERINFO\1" ) == 0 )
irc_notice( &c_server, nick, USERINFOREPLY );
if( strncmp( param2 + 2, "PING", 4 ) == 0 ) {
- if( strlen( param2 + 1 ) > 6 ) irc_notice( &c_server, nick, param2 + 1 );
+ if( strlen( param2 + 1 ) > 6 ) irc_notice( &c_server, nick, "%s", param2 + 1 );
}
if( strcmp( param2 + 2, "CLIENTINFO\1" ) == 0 )
irc_notice( &c_server, nick, CLIENTINFOREPLY );
@@ -591,7 +591,7 @@
}
else { /* normale message/notice */
if( !is_ignore( hostname, IGNORE_MESSAGE ) && status.allowreply ) {
- if( cfg.awaynotice ) irc_notice( &c_server, nick, cfg.awaynotice );
+ if( cfg.awaynotice ) irc_notice( &c_server, nick, "%s", cfg.awaynotice );
add_ignore( hostname, 120, IGNORE_MESSAGE );
status.allowreply = 0;
timers.reply = 0;
@@ -841,7 +841,7 @@
s = ( char * )malloc( 1024 );
while( fgets( s, 1023, messagelog ) ) {
if( s[ strlen( s ) - 1 ] == '\n' ) s[ strlen( s ) - 1 ] = 0;
- irc_notice( &c_client, status.nickname, s );
+ irc_notice( &c_client, status.nickname, "%s", s );
}
FREESTRING( s );
Vendor-Supplied Patch:
The vendor is aware of the vulnerability as of September 11, 2000.
According to the vendor's web page <http://mind.riot.org/muh/>, a patch will be released soon.
FreeBSD:
See advisory FreeBSD-SA-00:57 listed in Credit section.
Sebastian Kienzl muh 2.0 5d
Solution:
Patch (from a BugTraq message by Kris Kennaway <[email protected]>):
--- src/muh.c.orig Sun Mar 19 04:08:27 2000
+++ src/muh.c Sat Sep 9 21:32:15 2000
@@ -575,7 +575,7 @@
if( strcmp( param2 + 2, "USERINFO\1" ) == 0 )
irc_notice( &c_server, nick, USERINFOREPLY );
if( strncmp( param2 + 2, "PING", 4 ) == 0 ) {
- if( strlen( param2 + 1 ) > 6 ) irc_notice( &c_server, nick, param2 + 1 );
+ if( strlen( param2 + 1 ) > 6 ) irc_notice( &c_server, nick, "%s", param2 + 1 );
}
if( strcmp( param2 + 2, "CLIENTINFO\1" ) == 0 )
irc_notice( &c_server, nick, CLIENTINFOREPLY );
@@ -591,7 +591,7 @@
}
else { /* normale message/notice */
if( !is_ignore( hostname, IGNORE_MESSAGE ) && status.allowreply ) {
- if( cfg.awaynotice ) irc_notice( &c_server, nick, cfg.awaynotice );
+ if( cfg.awaynotice ) irc_notice( &c_server, nick, "%s", cfg.awaynotice );
add_ignore( hostname, 120, IGNORE_MESSAGE );
status.allowreply = 0;
timers.reply = 0;
@@ -841,7 +841,7 @@
s = ( char * )malloc( 1024 );
while( fgets( s, 1023, messagelog ) ) {
if( s[ strlen( s ) - 1 ] == '\n' ) s[ strlen( s ) - 1 ] = 0;
- irc_notice( &c_client, status.nickname, s );
+ irc_notice( &c_client, status.nickname, "%s", s );
}
FREESTRING( s );
Vendor-Supplied Patch:
The vendor is aware of the vulnerability as of September 11, 2000.
According to the vendor's web page <http://mind.riot.org/muh/>, a patch will be released soon.
FreeBSD:
See advisory FreeBSD-SA-00:57 listed in Credit section.
Sebastian Kienzl muh 2.0 5d
-
Kris Kennaway
Patch against muh.c
http://www.securityfocus.com/data/vulnerabilities/patches/muh.patch