[IRCServices] Possible bug

Gastaman gastaman at azzurra.org
Fri Jan 31 16:52:06 PST 2003


You may want to take a look at the
split_buf() function in process.c, I believe
that there is a bug in how the argv[]'s are
filled that might be exploited easily on some
boxes.

Depending on what the isspace() function
considers as space (usually 7-8 characters,
including line feeds, tabs, and the like,
and not just the actual space character),
when you strpbrk() the buffer looking for
an actual space, if the result is composed
only of those other characters considered
spaces by the isspace() function, the whole
string will be skipped, and bad things can
happen.

This is easily exploitable with, say, a
//mode #channel +k $chr(9)
in mIRC.
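The mismatch the post describes, shown as an added example that is not the IRCServices code and not the poster's: `split_buf_fragile()` is a hypothetical reconstruction of the pattern (leading-whitespace skip with `isspace()`, separator search with `strpbrk(buf, " ")`), and `split_buf_safe()` is the hardened form that uses one consistent separator definition and lets the caller check `argc` before indexing `argv[]`. The command line is a constructed sample, not captured traffic.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16

/* Hypothetical reconstruction (not the project's actual code) of the
 * inconsistency described in the post: the leading-whitespace skip uses
 * isspace(), which also eats tabs, newlines, etc., while the separator
 * search uses strpbrk() for the literal space only. A field that consists
 * solely of isspace() characters is therefore swallowed and argc comes out
 * one short, so a caller that trusts a fixed argc reads a stale argv slot. */
int split_buf_fragile(char *buf, char **argv, int max_args)
{
    int argc = 0;
    while (*buf && argc < max_args) {
        char *s;
        while (isspace((unsigned char)*buf))   /* skips tabs as well */
            buf++;
        if (!*buf)
            break;
        s = strpbrk(buf, " ");                 /* but splits only on ' ' */
        if (s)
            *s++ = '\0';
        argv[argc++] = buf;
        if (!s)
            break;
        buf = s;
    }
    return argc;
}

/* Hardened form: exactly one separator definition (the literal space, as
 * the IRC line format uses), so a tab-only field survives as a parameter.
 * Text beyond max_args fields is dropped rather than overflowing argv. */
int split_buf_safe(char *buf, char **argv, int max_args)
{
    int argc = 0;
    while (*buf && argc < max_args) {
        char *s;
        while (*buf == ' ')                    /* same rule as the split */
            buf++;
        if (!*buf)
            break;
        argv[argc++] = buf;
        s = strchr(buf, ' ');
        if (!s)
            break;
        *s++ = '\0';
        buf = s;
    }
    return argc;
}

/* Caller-side check: never index argv[] past argc. */
const char *mode_key(char **argv, int argc)
{
    return argc >= 4 ? argv[3] : NULL;
}

/* Constructed sample: a MODE command whose key parameter is a lone tab. */
static const char SAMPLE[] = "MODE #channel +k \t";

int demo_fragile_argc(void)
{
    char buf[sizeof SAMPLE];
    char *argv[MAX_ARGS];
    memcpy(buf, SAMPLE, sizeof SAMPLE);
    return split_buf_fragile(buf, argv, MAX_ARGS);   /* 3: key vanished */
}

int demo_safe_argc(void)
{
    char buf[sizeof SAMPLE];
    char *argv[MAX_ARGS];
    memcpy(buf, SAMPLE, sizeof SAMPLE);
    return split_buf_safe(buf, argv, MAX_ARGS);      /* 4: key kept */
}

/* 1 if the safe split preserves the tab as the key parameter. */
int demo_safe_key_is_tab(void)
{
    char buf[sizeof SAMPLE];
    char *argv[MAX_ARGS];
    int argc;
    const char *key;
    memcpy(buf, SAMPLE, sizeof SAMPLE);
    argc = split_buf_safe(buf, argv, MAX_ARGS);
    key = mode_key(argv, argc);
    return key != NULL && strcmp(key, "\t") == 0;
}

int main(void)
{
    printf("fragile argc=%d safe argc=%d key-is-tab=%d\n",
           demo_fragile_argc(), demo_safe_argc(), demo_safe_key_is_tab());
    return 0;
}
```

The fragile variant returns three fields for the sample and a caller that assumes four reads an uninitialised `argv[3]`; the safe variant returns four and `mode_key()` refuses to index when `argc` is short.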

I hope I'm wrong about this... :)

-- 
Gastaman @ irc.azzurra.org || irc.dal.net

Adachi fan - http://www.adachi.it
Moderator of IAFM - it.arti.fumetti.manga