FiSH是很多流行的irc客户端所使用的用于实现加密的插件。 FiSH的xchat插件实现上存在多个缓冲区溢出漏洞,远程攻击者可能利用这些漏洞控制用户机器。 FiSH的xchat插件代码在处理入站数据时会注册4个函数: xchat_hook_server(ph, "PRIVMSG", XCHAT_PRI_NORM, decrypt_incoming, 0); xchat_hook_server(ph, "NOTICE", XCHAT_PRI_NORM, notice_received, 0); xchat_hook_server(ph, "TOPIC", XCHAT_PRI_NORM, decrypt_incoming, 0); xchat_hook_server(ph, "NICK", XCHAT_PRI_NORM, nick_changed, 0); xchat_hook_server(ph, "332", XCHAT_PRI_NORM, decrypt_topic_332, 0); 在所有这些函数中: int decrypt_incoming(char *word[], char *word_eol[], void *userdata) { unsigned char *msg_ptr, contactName[100]="", from_nick[50], msg_event[100]="", psyNetwork[12]; ... if(word[1][0] == ':') ExtractRnick(from_nick, word[1]); ... } 这里ExtractRnick()执行的是: int ExtractRnick(char *Rnick, char *incoming_msg) { int k=0; if(*incoming_msg == ':') incoming_msg++; while(*incoming_msg!='!' && *incoming_msg!=0) { Rnick[k]=*incoming_msg; incoming_msg++; k++; }...
FiSH是很多流行的irc客户端所使用的用于实现加密的插件。 FiSH的xchat插件实现上存在多个缓冲区溢出漏洞,远程攻击者可能利用这些漏洞控制用户机器。 FiSH的xchat插件代码在处理入站数据时会注册4个函数: xchat_hook_server(ph, "PRIVMSG", XCHAT_PRI_NORM, decrypt_incoming, 0); xchat_hook_server(ph, "NOTICE", XCHAT_PRI_NORM, notice_received, 0); xchat_hook_server(ph, "TOPIC", XCHAT_PRI_NORM, decrypt_incoming, 0); xchat_hook_server(ph, "NICK", XCHAT_PRI_NORM, nick_changed, 0); xchat_hook_server(ph, "332", XCHAT_PRI_NORM, decrypt_topic_332, 0); 在所有这些函数中: int decrypt_incoming(char *word[], char *word_eol[], void *userdata) { unsigned char *msg_ptr, contactName[100]="", from_nick[50], msg_event[100]="", psyNetwork[12]; ... if(word[1][0] == ':') ExtractRnick(from_nick, word[1]); ... } 这里ExtractRnick()执行的是: int ExtractRnick(char *Rnick, char *incoming_msg) { int k=0; if(*incoming_msg == ':') incoming_msg++; while(*incoming_msg!='!' && *incoming_msg!=0) { Rnick[k]=*incoming_msg; incoming_msg++; k++; } Rnick[k]=0; if (*Rnick < '0') return FALSE; else return TRUE; } 由于word[1]来自用户,因此可能出现栈溢出。其他3个函数也存在类似问题: int notice_received(char *word[], char *word_eol[], void *userdata) { unsigned int i; unsigned char hisPubKey[300], contactName[25]="", from_nick[25]=""; ... if(ExtractRnick(from_nick, word[1])==0) return XCHAT_EAT_NONE; ... } int nick_changed(char *word[], char *word_eol[], void *userdata) { unsigned char contactName[100]="", theKey[500]="", ini_nicktracker[10]; ... if( *ini_nicktracker=='0' || *ini_nicktracker=='N' || *ini_nicktracker=='n' || (ExtractRnick(contactName, word[1])==0) || (stricmp(contactName, word[3]+1)==0)) return XCHAT_EAT_NONE; ... } int decrypt_topic_332(char *word[], char *word_eol[], void *userdata) { unsigned char contactName[100]=""; ... strcpy(contactName, word[4]); ... } FiSH FiSH for XChat 0.98 FiSH FiSH for mIRC 1.29 FiSH FiSH for irssi 0.99 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: <a href="http://fish.sekure.us/" target="_blank">http://fish.sekure.us/</a>
