1) Infos --------- Date : 2008-03-23 Product : XChat Version : 2.8.4-1 Vendor : http://www.silverex.org/news/ Vendor Status : 2007-12-?? Not Informed! 2008-01-?? Vendor contacted! 2008-03-28 No reply from vendor. Published! Description : XChat, is one of the most popular IRC clients for Unix-like systems. It is also available for Microsoft Windows and Mac OS X. silverex.org done an unofficial free X-Chat built for Windows, compiled on Windows XP SP2 with Microsoft Visual Studio .NET 2003 Enterprise Architect C/C++ compiler. Discovered/Provided By : Giuseppe `Evilcry` Bonfa' - http://evilcry.altervista.org Omni - http://omni.playhack.net E-mail : evilcry[at]NOSPAM-gmail[dot]com omnipresent[at]NOSPAM-email[dot]it - omni[at]NOSPAM-playhack[dot]net 2) Security Issues ------------------- --- [ Password Disclosure Vulnerability ] --- =============================================== XChat 2.8.4-1 is prone to a Password Disclosure Vulnerability that could expose XChat users to a leak of Sensitive Informations, such as the NickServ and Server Password, allowing User Impersonation. XChat leaves User's Passwords in clear in memory, an attacker could carve with a Process Memory Dump of the Xchat process, and next by identifing some costants string it's possible, with some byte displacement, to retrive the passwords. --- [ PoC ] --- =============== If a user has saved him/her own NickServ password or Server Password a malicious person can launch a Process Memory Dumper and look through the dumped memory and with a simple string searching he/she can retrieve user password / server password. Useful keyword: ns identify WHOIS %2 %2 Images: http://omni.playhack.net/misc/FirstOccurr.png http://omni.playhack.net/misc/SecondOccurr.png http://omni.playhack.net/misc/NickServ.png --- [ Local DoS ] --- =============================================== A local DoS (Denial of Service) Vulnerability has been found in XChat 2.8.4-1 (unofficial). This vulnerability can be exploited by a malicious person by a simple click on the xchat's Icon in the Try-bar. After the click on that icon xchat will crash. Windows API used to put the application in the tray bar: Shell_NotifyIcon . Info registers: EDI: 0x7ffd6000 EBX: 0x0012d8e8 EIP: 0x7c91eb94 ESI: 0x00000000 ECX: 0x00001000 EBP: 0x0012d95c EAX: 0x01180000 EDX: 0x7c91eb94 --- [ Patch ] --- =============== - No patch available from the vendor.