In October 2006 I discovered many "now playing" scripts for various IRC
clients allow an attacker to send commands to the IRC server on behalf of the
user.
Details
=======
Many scripts for various IRC clients, that report the name of the currently
playing song in a media player on IRC share the same security bug. They don't
sanitize the name of the song before sending it to the IRC server. When a
user plays a song with a newline (LF or CR, which are both message separators
in IRC) in the name of a song, and uses such a script, the text following the
newline will be interpreted by the IRC server as another command.
Exploitation requires the attacker to trick a user into playing such a
specially crafted song, and to then use his script while the song is playing.
That makes it hard, but not impossible to exploit in practice. It results in
the ability to execute IRC commands in the client of the victim. This could
be abused, for example, to gain operator privileges on chat channels.
Because it requires so much user interaction to exploit, and the results are
limited to sending commands to IRC, I'd call this a minor problem.
Affected
========
What makes this bug noteworthy in my opinion is that it is present in *all*
scripts with this feature which were tested. They can all be exploited by the
same malicious mp3. This includes:
* irssi: from http://irssi.org/scripts/: ixmmsa.pl 0.3, l33tmusic.pl 2.00,
mpg123.pl 0.01, ogg123.pl 0.01, xmms.pl 2.0, xmms2.pl 1.1.3, xmmsinfo.pl
1.1.1.1
* XChat: many from http://xchat.org: xmms-thing 1.0, XMMS Remote Control
Script 1.07, Disrok 1.0, a2x 0.0.1, Another xmms-info script 1.0, XChat-XMMS
0.8.1, and more...
* weechat: from http://weechat.flashtux.org/: now-playing.rb, xmms.pl 1.1
* BitchX: from http://scripts.bitchx.org/: xmms.bx 1.0
* Konversation: included media script
* Many scripts for mIRC, and probably other clients too
Related bug
===========
Similarly, but worse, some scripts/plugins made for mirc don't remove |
characters, which is a command separator in mirc. This allows arbitrary
command execution (on the client, not just to the server), without needing
more user interaction then just starting to play the file. For example
http://www.winamp.com/plugins/details.php?id=187 has this problem. (That bug
was reported years ago already though.)
Irssi
=====
I now put off my reporter hat, and put on my Irssi developer hat :)
This has been fixed in all scripts on the irssi site, and irssi 0.8.11
prevents scripts for making this bug.
I'm not aware of other clients or scripts having released a fixed version.
Online version: http://wouter.coekaerts.be/site/security/nowplaying