XChat 2.8.4-1 - Multiple Vulnerabilities Mar 28 2008 04:37PM
evilcry gmail com
1) Infos


Date : 2008-03-23

Product : XChat

Version : 2.8.4-1

Vendor : http://www.silverex.org/news/

Vendor Status :

2007-12-?? Not Informed!

2008-01-?? Vendor contacted!

2008-03-28 No reply from vendor. Published!

Description :

XChat, is one of the most popular IRC clients for Unix-like systems.

It is also available for Microsoft Windows and Mac OS X.

silverex.org done an unofficial free X-Chat built for Windows,

compiled on Windows XP SP2 with Microsoft Visual Studio .NET 2003

Enterprise Architect C/C++ compiler.

Discovered/Provided By :

Giuseppe `Evilcry` Bonfa' - http://evilcry.altervista.org

Omni - http://omni.playhack.net

E-mail :


omnipresent[at]NOSPAM-email[dot]it - omni[at]NOSPAM-playhack[dot]net

2) Security Issues


--- [ Password Disclosure Vulnerability ] ---


XChat 2.8.4-1 is prone to a Password Disclosure Vulnerability that could

expose XChat users to a leak of Sensitive Informations, such as the NickServ

and Server Password, allowing User Impersonation.

XChat leaves User's Passwords in clear in memory, an attacker could carve with a

Process Memory Dump of the Xchat process, and next by identifing some costants

string it's possible, with some byte displacement, to retrive the passwords.

--- [ PoC ] ---


If a user has saved him/her own NickServ password or

Server Password a malicious person can launch a Process Memory Dumper

and look through the dumped memory and with a simple

string searching he/she can retrieve user password / server password.

Useful keyword:

ns identify

WHOIS %2 %2





--- [ Local DoS ] ---


A local DoS (Denial of Service) Vulnerability has been found

in XChat 2.8.4-1 (unofficial).

This vulnerability can be exploited by a malicious person by a simple

click on the xchat's Icon in the Try-bar.

After the click on that icon xchat will crash.

Windows API used to put the application in the tray bar: Shell_NotifyIcon .

Info registers:

EDI: 0x7ffd6000

EBX: 0x0012d8e8

EIP: 0x7c91eb94

ESI: 0x00000000

ECX: 0x00001000

EBP: 0x0012d95c

EAX: 0x01180000

EDX: 0x7c91eb94

--- [ Patch ] ---


- No patch available from the vendor.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus