Bug 21809 - the epic irc client crashes and can execute arbitrary code (I've had success) while handling privmsgs from irc servers.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: High critical
Assignee: Chuck Short (RETIRED)
URL: http://www.securityfocus.com/bid/7088
Reported: 2003-05-27 23:29 UTC by sky
Modified: 2003-07-31 17:57 UTC (History)
Description sky 2003-05-27 23:29:35 UTC
The PRIVMSG command is limited by irc servers and it cannot be bigger than this
limit. But the epic mail client, and BitchX too, don't verify the size of this
message.

Using evil servers or hijacking connections, it is possible to send private
messages larger than the allocated memory and execute commands remotely.

It's a stack-based overflow (tested in epic) and it's very simple to exploit.

Reproducible: Always
Steps to Reproduce:
1. Create a bounce server (or a simple fake server)
2. Connect to it
3. Send a larger privmsg

Actual Results:
There's a public exploit for this vulnerability at
http://www.netric.be/exploits/gespuis.c
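The bug class the report describes, as an added example that is not the epic or BitchX source: a PRIVMSG parser written so that an oversized line from a server fails the parse instead of overrunning a fixed-size buffer. It assumes RFC 1459's 512-byte line limit; the struct layout and function names are hypothetical.

```c
#include <string.h>

/* RFC 1459 limits a raw IRC line to 512 bytes, CRLF included. */
#define IRC_MAX_LINE 512

struct privmsg {
    char sender[64];
    char target[64];
    char text[IRC_MAX_LINE];
};

/* Bounded copy of [src, src+n) into dst of size cap; fails instead of overflowing. */
static int copy_field(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/*
 * Parse ":sender PRIVMSG target :text" as sent by a server (hypothetical API).
 * Returns 0 on success, -1 if malformed, -2 if the line exceeds the
 * protocol limit. Every field copy is bounded by its destination, so a
 * hostile or oversized line makes the parse fail rather than smash the stack.
 */
int parse_privmsg(const char *line, struct privmsg *out)
{
    if (strlen(line) > IRC_MAX_LINE)
        return -2;                      /* reject rather than trust the peer */
    if (line[0] != ':')
        return -1;
    const char *p = line + 1, *sp = strchr(p, ' ');
    if (!sp || copy_field(out->sender, sizeof out->sender, p, (size_t)(sp - p)))
        return -1;
    p = sp + 1;
    if (strncmp(p, "PRIVMSG ", 8) != 0)
        return -1;
    p += 8;
    sp = strchr(p, ' ');
    if (!sp || copy_field(out->target, sizeof out->target, p, (size_t)(sp - p)))
        return -1;
    p = sp + 1;
    if (*p++ != ':')
        return -1;
    /* trailing parameter runs to end of line; drop CR/LF */
    return copy_field(out->text, sizeof out->text, p, strcspn(p, "\r\n"));
}
```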
Comment 1 Chuck Short (RETIRED) gentoo-dev 2003-07-30 17:18:55 UTC
Version bump to 1.1.12 should close this bug. Renaming the ebuild works. No need to submit a patch.

chuck
Comment 2 Greg Fitzgerald (RETIRED) gentoo-dev 2003-07-31 17:57:25 UTC
Version bumped. Now in cvs.