« awesome quote
A whole new world of amazon fun »

fishy FiSH

FiSH is a plugin for most popular irc clients that implements encryption. I looked at it a few years ago, and it was horrible. Stacksmashes _everywhere_. I briefly looked at it again yesterday, only to discover that all the bugs are still there ! somewhat shocking. I wonder how many people have been owned because of those bugs.
I looked at the xchat plugin code (but I believe most of the code is shared and only the entry point code is (obviously) different) and it basicly registers 4 functions that handle incomming data:

xchat_hook_server(ph, “PRIVMSG”, XCHAT_PRI_NORM, decrypt_incoming, 0);
xchat_hook_server(ph, “NOTICE”, XCHAT_PRI_NORM, notice_received, 0);
xchat_hook_server(ph, “TOPIC”, XCHAT_PRI_NORM, decrypt_incoming, 0);
xchat_hook_server(ph, “NICK”, XCHAT_PRI_NORM, nick_changed, 0);
xchat_hook_server(ph, “332″, XCHAT_PRI_NORM, decrypt_topic_332, 0);

so let’s look at all of those.

int decrypt_incoming(char *word[], char *word_eol[], void *userdata)
{
unsigned char *msg_ptr, contactName[100]=”", from_nick[50], msg_event[100]=”",

psyNetwork[12];

if(word[1][0] == ‘:’) ExtractRnick(from_nick, word[1]);

}

here’s what ExtractRnick() does:

int ExtractRnick(char *Rnick, char *incoming_msg)
{
int k=0;

if(*incoming_msg == ‘:’) incoming_msg++;

while(*incoming_msg!=’!’ && *incoming_msg!=0) {
Rnick[k]=*incoming_msg;
incoming_msg++;
k++;
}
Rnick[k]=0;

if (*Rnick < ‘0′) return FALSE;
else return TRUE;
}

you can clearly see the stacksmash here (word[1] comes from the network !). the other 3 functions are just as horrible:

int notice_received(char *word[], char *word_eol[], void *userdata)
{
unsigned int i;
unsigned char hisPubKey[300], contactName[25]=”", from_nick[25]=”";

if(ExtractRnick(from_nick, word[1])==0) return XCHAT_EAT_NONE;

}

int nick_changed(char *word[], char *word_eol[], void *userdata)
{
unsigned char contactName[100]=”", theKey[500]=”", ini_nicktracker[10];

if( *ini_nicktracker==’0′ || *ini_nicktracker==’N’ || *ini_nicktracker==’n’ ||
(ExtractRnick(contactName, word[1])==0) ||
(stricmp(contactName, word[3]+1)==0))
return XCHAT_EAT_NONE;

}

int decrypt_topic_332(char *word[], char *word_eol[], void *userdata)
{
unsigned char contactName[100]=”";

strcpy(contactName, word[4]);

}

yes, that last one is an actual strcpy() stacksmash. The 90’s called, they want their bugs back :-p

Tags:

This entry was posted on Thursday, March 8th, 2007 at 5:30 and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

8 Responses to “fishy FiSH”

  1. sacrine Says:
    October 16th, 2008 at 7:43

    RE:

    RE:
    Echte mannen gebruiken FiSH ?

    I don’t think so :)

    This comment was originally posted on 20070308T09:16:31

  2. prdelka Says:
    October 16th, 2008 at 7:43

    Month of retro bugs! :-D

    This comment was originally posted on 20070315T14:00:47

  3. slashy Says:
    October 16th, 2008 at 7:43

    well done research.. a bit further and you would have noticed that you can’t attack this without full control of the ircserver (or you have to find irc-servers which have a nicklen setting > 100). Also it should be mentioned that this flaws only applies to xchat version .. the flawed part of the code ain’t reused in mIRC version past 1.25

    read here for more: http://fish.sekure.us/forum/viewtopic.php?p=1166#1166

    This comment was originally posted on 20070317T11:08:30

  4. ilja Says:
    October 16th, 2008 at 7:43

    the fact that it has to be serverside in most cases is pretty obvious, and imo needn’t even be mentioned. also it looks like you might be able to trigger the notice stacksmash clientside.
    I didn’t know the xchat code was that different from the mirc code, I never looked, I just assumed, hence the “I believe …” I wasn’t stating facts.

    This comment was originally posted on 20070320T04:16:12

  5. calcite Says:
    October 16th, 2008 at 7:43

    Wow

    Wow
    I’m suprised to see strcpy() fuckup like that in such a widely used application.

    This comment was originally posted on 20070325T03:34:24

  6. oxff Says:
    October 16th, 2008 at 7:43

    He prevents Buffer Overflows!

    He prevents Buffer Overflows!
    FiSH-irssi-v0.99-source.zip:FiSH.c:79

    // usually a received message does not exceed 512 chars, but we want to prevent evil buffer overflow
    if(msg_len >= (int)(sizeof(bf_dest)*1.5)) msg_ptr[(int)(sizeof(bf_dest)*1.5)-20]=”;

    Isn’t that cute?

    This comment was originally posted on 20070328T00:59:18

  7. ilja Says:
    October 16th, 2008 at 7:43

    I didnt have to see that, I just barfed up my dinner.

    This comment was originally posted on 20070328T03:37:39

  8. tomten Says:
    October 16th, 2008 at 7:43

    Problems with libfish and sparc

    Problems with libfish and sparc
    Hi, I’m having trubbel with libfish. Don’t like it muth, it has problems with operating on difrent archs. I run sparc64, and when i try to decode a msg from a intel machine all i get is junk! Think its a problem with the bytorder….

    Great work on the blogg, hope to read more soon.

    This comment was originally posted on 20080723T09:43:29

Leave a Reply