XChat 2.8.4-1 - Multiple Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XChat 2.8.4-1 - Multiple Vulnerabilities
From: evilcry@xxxxxxxxx
Date: 28 Mar 2008 16:37:52 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

1) Infos
---------
Date : 2008-03-23
Product : XChat
Version : 2.8.4-1
Vendor : http://www.silverex.org/news/
Vendor Status :
2007-12-?? Not Informed!
2008-01-?? Vendor contacted!
2008-03-28 No reply from vendor. Published!


Description :
XChat, is one of the most popular IRC clients for Unix-like systems. 
It is also available for Microsoft Windows and Mac OS X.

silverex.org done an unofficial free X-Chat built for Windows,
compiled on Windows XP SP2 with Microsoft Visual Studio .NET 2003 
Enterprise Architect C/C++ compiler.

Discovered/Provided By :

Giuseppe `Evilcry` Bonfa' - http://evilcry.altervista.org
Omni - http://omni.playhack.net

E-mail : 

evilcry[at]NOSPAM-gmail[dot]com
omnipresent[at]NOSPAM-email[dot]it - omni[at]NOSPAM-playhack[dot]net


2) Security Issues
-------------------

--- [ Password Disclosure Vulnerability ] ---
===============================================


XChat 2.8.4-1 is prone to a Password Disclosure Vulnerability that could 
expose XChat users to a leak of Sensitive Informations, such as the NickServ 
and Server Password, allowing User Impersonation.

XChat leaves User's Passwords in clear in memory, an attacker could carve with a
Process Memory Dump of the Xchat process, and next by identifing some costants 
string it's possible, with some byte displacement, to retrive the passwords.


--- [ PoC ] ---
===============

If a user has saved him/her own NickServ password or
Server Password a malicious person can launch a Process Memory Dumper 
and look through the dumped memory and with a simple 
string searching he/she can retrieve user password / server password.

Useful keyword:

ns identify
WHOIS %2 %2

Images:
http://omni.playhack.net/misc/FirstOccurr.png
http://omni.playhack.net/misc/SecondOccurr.png
http://omni.playhack.net/misc/NickServ.png


--- [ Local DoS ] ---
===============================================


A local DoS (Denial of Service) Vulnerability has been found 
in XChat 2.8.4-1 (unofficial).

This vulnerability can be exploited by a malicious person by a simple
click on the xchat's Icon in the Try-bar.
After the click on that icon xchat will crash.

Windows API used to put the application in the tray bar: Shell_NotifyIcon .

Info registers:

EDI: 0x7ffd6000
EBX: 0x0012d8e8
EIP: 0x7c91eb94
ESI: 0x00000000
ECX: 0x00001000
EBP: 0x0012d95c
EAX: 0x01180000
EDX: 0x7c91eb94

--- [ Patch ] ---
===============

- No patch available from the vendor.

Prev by Date: CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability
Next by Date: [SECURITY] [DSA 1534-1] New iceape packages fix several vulnerabilities
Previous by thread: CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability
Next by thread: Re: XChat 2.8.4-1 - Multiple Vulnerabilities
Index(es):
- Date
- Thread