KVIrc Failed DCC Handshake Notification Command Injection Vulnerability

2010.08.04
Credit: unic0rn
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hi Steve,

user with nickname 'unic0rn' reported:
  [1] https://svn.kvirc.de/kvirc/ticket/858

a deficiency in the way KVIrc IRC client extracted the "next" CTCP parameter from message pointer. A remote, authenticated attacker, valid KVIrc user, could send a specially-crafted DCC Client-To-Client Protocol (CTCP) message, like:

  /ctcp nickname DCC GET\rQUIT\r
  /ctcp nickname DCC GET\rPRIVMSG\40#channel\40:epic\40fail\r

which could lead to / allow remote (KVIrc) CTCP commands execution.

Different vulnerability than CVE-2010-2451:
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2451
and CVE-2010-2452:
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2452

Upstream patch:
  [3] https://svn.kvirc.de/kvirc/changeset/4693

Workaround: (from [1])
  /option boolNotifyFailedDccHandshakes 0

References:
  [4] http://bugs.gentoo.org/show_bug.cgi?id=330111

Could you please allocate a CVE id for this?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
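The following added example (not KVIrc code and not the upstream patch) shows why a decoded CTCP parameter must be checked for line terminators before it is copied into an outgoing IRC line, using the sample parameters from the report. The function names, the notice wording, and the escape decoder (modelled only on the `\r` and `\40` escapes visible above) are assumptions made for illustration.

```cpp
#include <string>

// Decode backslash escapes of the kind seen in the report (\r, \n, octal such as \40).
// Hypothetical helper for this example, not KVIrc's parser.
std::string decodeCtcpParam(const std::string &in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '\\' || i + 1 == in.size()) { out += in[i]; continue; }
        char c = in[++i];
        if (c == 'r') out += '\r';
        else if (c == 'n') out += '\n';
        else if (c >= '0' && c <= '7') {
            int v = 0, digits = 0;
            for (; digits < 3 && i < in.size() && in[i] >= '0' && in[i] <= '7'; ++i, ++digits)
                v = v * 8 + (in[i] - '0');
            --i; // step back so the outer loop resumes after the last digit
            out += static_cast<char>(v & 0xFF);
        } else out += c;
    }
    return out;
}

// An IRC line ends at CR or LF, so either byte inside a field starts a new command.
bool hasLineControl(const std::string &s) {
    return s.find_first_of(std::string("\r\n\0", 3)) != std::string::npos;
}

// Count the protocol lines a server would see in an outgoing buffer.
std::size_t countIrcLines(const std::string &buf) {
    std::size_t lines = 0;
    bool inLine = false;
    for (char c : buf) {
        if (c == '\r' || c == '\n') inLine = false;
        else if (!inLine) { inLine = true; ++lines; }
    }
    return lines;
}

// Weak form: echoes the decoded parameter straight into the notice (constructed format).
std::string buildNoticeUnsafe(const std::string &nick, const std::string &param) {
    return "NOTICE " + nick + " :Unknown DCC request: " + decodeCtcpParam(param) + "\r\n";
}

// Hardened form: refuses to build a line if any field carries CR, LF or NUL after decoding.
bool buildNoticeChecked(const std::string &nick, const std::string &param, std::string &out) {
    std::string decoded = decodeCtcpParam(param);
    if (hasLineControl(nick) || hasLineControl(decoded)) return false;
    out = "NOTICE " + nick + " :Unknown DCC request: " + decoded + "\r\n";
    return true;
}
```

The check runs after decoding because the escaped form of the parameter contains no raw CR or LF bytes for a pre-decode filter to catch.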

References:

https://svn.kvirc.de/kvirc/ticket/858
https://svn.kvirc.de/kvirc/changeset/4693
http://openwall.com/lists/oss-security/2010/07/28/1
http://marc.info/?l=oss-security&m=128041011428629&w=2
http://www.osvdb.org/66648
http://secunia.com/advisories/40796
http://secunia.com/advisories/40727
http://lists.fedoraproject.org/pipermail/package-announce/2010-July/044643.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-July/044625.html
http://bugs.gentoo.org/show_bug.cgi?id=330111

