Date: Sat, 9 Sep 2000 15:53:13 +0200
From: Maxime Henrion <mux@QUALYS.COM>
Subject: format string bug in muh
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

muh is an IRC bouncer, a program that lets you use any host you have a shell on as a relay between you and IRC. Moreover, muh stays connected when you are not, and can log any message you receive. The official muh homepage is: http://mind.riot.org/muh/.

The latest version, 2.05d (and probably other versions...), is vulnerable to a format string bug which can be used to make muh crash and probably to gain the privileges of the user running muh. Since I have not seen this in the Bugtraq archive, I am posting it.

Looking at the source code that displays the message log in muh.c:

    irc_notice( &c_client, status.nickname, CLNT_MSGLOGSTART );
    s = ( char * )malloc( 1024 );
    while( fgets( s, 1023, messagelog ) ) {
        /* strip the trailing newline of the logged line */
        if( s[ strlen( s ) - 1 ] == '\n' ) s[ strlen( s ) - 1 ] = 0;
        /* the logged line (attacker-controlled) is passed as the format string */
        irc_notice( &c_client, status.nickname, s );
    }
    FREESTRING( s );
    irc_notice( &c_client, status.nickname, CLNT_MSGLOGEND );

The bad thing is "irc_notice( &c_client, status.nickname, s );", because if you look at the declaration of the irc_notice() function in irc.c, you can see that the third parameter is a format string, and so user data is supplied to the function as a format string:

    void irc_notice( connection_type *connection, char nickname[], char *format, ... )

You can therefore easily make muh crash by sending some "%s%s%s%d..." to someone who is using muh but not connected right now. When the user reconnects to muh and runs /muh read, it will crash.

As a temporary solution, you can disable logging.

Patch: replace the line

    irc_notice( &c_client, status.nickname, s );

with this one:

    irc_notice( &c_client, status.nickname, "%s", s );

Best regards,
Maxime Henrion
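The following C program is an added illustration of the patch above, not code from muh or from the advisory's author. It assumes a small stand-in for irc_notice() (here called notice_format(), which writes the NOTICE line into a buffer instead of a socket so the result can be inspected) and replays one logged line through the patched "%s" call. The constructed log line deliberately contains conversion directives; with the fixed format they are copied through as literal text rather than interpreted. A second helper counts how many directives an untrusted line would have been treated as, which is a cheap audit check for log or protocol data that is about to reach a printf-family function.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for muh's irc_notice(): same variadic shape, but the
 * formatted NOTICE line goes into `out` so a test can read it back.
 * Returns the number of bytes written, or -1 on truncation/error. */
static int notice_format(char *out, size_t outlen, const char *nickname,
                         const char *format, ...)
{
    int n = snprintf(out, outlen, ":muh NOTICE %s :", nickname);
    if (n < 0 || (size_t)n >= outlen)
        return -1;

    va_list ap;
    va_start(ap, format);
    int m = vsnprintf(out + n, outlen - (size_t)n, format, ap);
    va_end(ap);
    if (m < 0 || (size_t)m >= outlen - (size_t)n)
        return -1;
    return n + m;
}

/* Patched replay of one message-log line, mirroring the loop body in muh.c:
 * strip the trailing newline, then pass the line as an ARGUMENT to a fixed
 * "%s" format. A '%' inside the logged text is never interpreted. */
int replay_log_line(char *out, size_t outlen, const char *nickname,
                    const char *logline)
{
    char s[1024];
    snprintf(s, sizeof s, "%s", logline);   /* bounded copy, like fgets(s, 1023, ...) */

    size_t len = strlen(s);
    if (len > 0 && s[len - 1] == '\n')
        s[len - 1] = '\0';

    return notice_format(out, outlen, nickname, "%s", s);
}

/* Audit helper: how many conversion directives would this untrusted string
 * contain if it were (wrongly) used as a format string? "%%" is a literal
 * percent sign and is not counted; a lone trailing '%' is counted because it
 * is still an (incomplete) directive. Any value > 0 means the unpatched
 * irc_notice( ..., s ) call would read arguments the caller never passed. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {   /* escaped percent */
            i++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: a logged line as an attacker could have sent it. */
    const char *logged = "%s%s%s%d%n\n";
    char line[2048];

    printf("directives in untrusted line: %d\n", count_format_directives(logged));
    if (replay_log_line(line, sizeof line, "victim", logged) > 0)
        printf("patched output: %s\n", line);
    return 0;
}
```

The point to take from replay_log_line() is structural rather than about any one string: the format argument is a compile-time literal, so the amount of stack arguments read is fixed by the code, not by the log file.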