Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability

2007.03.21
Credit: starcadi
Risk: High
Local: Yes
Remote: Yes
CWE: N/A

Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability Description: Rhapsody is a text console IRC client for Unix operating systems. It is small, fast, portable, easy to use and full featured. An intuitive menu-driven user interface makes rhapsody ideal for beginner to intermediate users. Found buffer overflow in various functions. source: http://sourceforge.net/projects/rhapsody/ Source error: #define MAXDATASIZE 1024 char nick[MAXDATASIZE]; - command request overflow if (!sscanf(buffer, "/%s %[^\n]", command, parameters)){ return(E_NONE); } - "connect" and "server" request overflow if (strcasecmp(command, "connect") == 0 || strcasecmp(command, "server") == 0){ pnum = sscanf(parameters, "%s %d", server, &port); if (pnum < 1){ vprint_all("Usage: /%s <server> [port]\n", command); return(E_OTHER); } - "nick" request overflow else if (strcasecmp(command, "nick") == 0){ pnum = sscanf(parameters, "%s", nick); if (pnum < 1){ vprint_all("Usage: /nick <nick>\n"); } else{ sendcmd_server(currentserver, "NICK", nick, "", currentserver->nick); strcpy(currentserver->lastnick, currentserver->nick); strcpy(currentserver->nick, nick); } return(E_OTHER); } - "ctcp" request overflow else if (strcasecmp(command, "ctcp") == 0){ if (sscanf(parameters, "%s %[^\n]", nick, message) == 2){ sendcmd_server(currentserver, "PRIVMSG", create_ctcp_message(message), nick, currentserver->nick); } else vprint_all("Usage: /ctcp <nick> <message>|<command>\n"); return(E_OTHER); } - "dcc chat/send" request overflow if (strcasecmp(subcommand, "chat") == 0){ pnum = sscanf(subparameters, "%s %[^\n]", nick, message); if (pnum < 1){ vprint_all("Usage: /dcc chat <nick>\n"); return(E_OTHER); } - "notice" request overflow else if (strcasecmp(command, "notice") == 0){ pnum = sscanf(parameters, "%s %[^\n]", nick, message); if (pnum < 2){ vprint_all("Usage: /%s <nick>|<channel> <message>\n", command); return(E_OTHER); } sendcmd_server(currentserver, "NOTICE", message, nick, currentserver->nick); return(E_OTHER); } - "msg" and "message" request overflow else if (strcasecmp(command, "msg") == 0 || strcasecmp(command, "message") == 0){ pnum = sscanf(parameters, "%s %[^\n]", nick, message); if (pnum < 2){ vprint_all("Usage: /%s <nick> <message>\n", command); return(E_OTHER); } else if (strcmp(nick, currentserver->nick) == 0) print_all("You can not chat with yourself.\n"); else if (!currentserver->active) print_all("Must be connected to a server to chat.\n"); else { sendcmd_server(currentserver, "PRIVMSG", message, nick, currentserver->nick); return(E_OTHER); } } - "chat" and "query" request overflow else if (strcasecmp(command, "chat") == 0 || strcasecmp(command, "query") == 0){ chat *C; pnum = sscanf(parameters, "%s %[^\n]", nick, message); if (pnum < 1){ vprint_all("Usage: /%s <nick> <message>\n", command); return(E_OTHER); } - "me" and "ctcp" request format string comm.c: 472 char *create_ctcp_message(char *message, ...){ static char buffer[MAXDATASIZE]; va_list ap; char string[MAXDATASIZE]; va_start(ap, message); vsprintf(string, message, ap); va_end(ap); sprintf(buffer, "%c%s%c", 1, string, 1); return(buffer); } and other: whois, mode, topic.. -- .original http://intel.shacknet.nu/ ~ starcadi


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top