Vulnerabilities in SlackChat :)

[iago]

*pokes tmp*

Set your home directory to a very long string

iago@slayer:~$ sudo usermod -d `perl -e "print 'A'x10000"` iago
iago@slayer:~$ slackchat
Segmentation fault
iago@slayer:~$ gdb slackchat
GNU gdb 6.1.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run
Starting program: /usr/local/bin/slackchat

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

I know, you need root, and that's boring. 

How about a...... format string vuln?

Type "%08X-%08X-%08X-%08X-%08X-%08X-%08X-  ****%s**** -%08X-%08X-%08X" into the chat window, then press left.  :-o!

The parameter with the *'s around it is the one that points to the format string in memory.  If you wanted to take control of the program, you can take advantage of that parameter.  Just tell them "Hey, paste this into your window", with the exploit code.  Woo!

This is nothing serious, 100% local and useless attack.  But hopefully Tmp will see this.  :-)

[iago]

Another thing which isn't a vulnerability: backspace doens't work for me.  For some reason, backspace sends the character 0x7F. 

Also, I can't seem to read the hashfiles unless I have write access to them. 

Finally, is there some way to put the hashfiles in a different folder?  I'd like to try this on my school's computer, but I don't have root, so I can't make folders in /usr/local. 

Good job, though, I couldn't figure out how to do input properly so I used your code for inspiration, and now it's working perfectly for me

[Quik]

Good job, this is really interesting stuff.

Btw, backspace stuff is documented. RTFM

[iago]

Good job, this is really interesting stuff.

Btw, backspace stuff is documented. RTFM

Why RTFM when there's a simple fix?  I'm doing ncurses stuff for a school project, and I had to figure it out myself because I couldn't rip it from Tmp

Btw, somebody who sees him on IRC, point him to this thread.

<edit> I RTFM'd, and it explains how to fix that in PuTTy.  For some reason, that doesn't help me. 

[Quik]

Good job, this is really interesting stuff.

Btw, backspace stuff is documented. RTFM

Why RTFM when there's a simple fix? I'm doing ncurses stuff for a school project, and I had to figure it out myself because I couldn't rip it from Tmp

Btw, somebody who sees him on IRC, point him to this thread.

<edit> I RTFM'd, and it explains how to fix that in PuTTy. For some reason, that doesn't help me.

You had the same problem I did before RTFM, so I assumed it would have a similar solution (Linux keys or whatever it is.)

[iago]

Nope, my terminal is a straight up terminal.  No key mappings. 

If it works for him on his terminal, however, that's kinda weird...

[Newby]

Nope, my terminal is a straight up terminal.  No key mappings. 

If it works for him on his terminal, however, that's kinda weird...

You use aterm. You lying bitch, that ain't no straight up terminal, Mr. Transparency.

[iago]

Nope, my terminal is a straight up terminal.  No key mappings. 

If it works for him on his terminal, however, that's kinda weird...

You use aterm. You lying bitch, that ain't no straight up terminal, Mr. Transparency.

What's so not straight up about it?

And eww @ transparency.  I only use it because I like the font. 

[Newby]

Nope, my terminal is a straight up terminal.  No key mappings. 

If it works for him on his terminal, however, that's kinda weird...

You use aterm. You lying bitch, that ain't no straight up terminal, Mr. Transparency.

What's so not straight up about it?

And eww @ transparency.  I only use it because I like the font. 

The only straight up terminal is xterm. The rest are modified.

If you like the font, why not use rxvt?

[iago]

Nope, my terminal is a straight up terminal.  No key mappings. 

If it works for him on his terminal, however, that's kinda weird...

You use aterm. You lying bitch, that ain't no straight up terminal, Mr. Transparency.

What's so not straight up about it?

And eww @ transparency.  I only use it because I like the font. 

The only straight up terminal is xterm. The rest are modified.

If you like the font, why not use rxvt?

Why is xterm the straight up one?  Who decided that?  What's wrong with using the tty terminal before you ever get to X, that seems more straight up to me? 

I consider anything without a considerable difference to be normal.  I don't know of any terminals for Linux that are weird, but I'm thinking Windows clients, and possibly KDE or Gnome's built in client. 

And I use aterm because I've always used aterm.  It works perfectly, so why change?  Plus, my shortcut key to run it is alt-a, so if I change to rxvt that won't make any sense!

[Newby]

Why is xterm the straight up one?  Who decided that?  What's wrong with using the tty terminal before you ever get to X, that seems more straight up to me? 

I didn't know what to call the tty terminals, so I decided to use xterm instead.

[Blaze]

I like Konsole, its nice, clean, and full of features.

[iago]

I like Konsole, its nice, clean, and full of features.

It's not clean at all!

Having no features = clean. 

:-)

[Blaze]

I like Konsole, its nice, clean, and full of features.

It's not clean at all!

Having no features = clean. 

:-)

No... clean = Not a milion trillion buttons everywhere.

[mynameistmp]

Set your home directory to a very long string

Fixed.

How about a...... format string vuln?

Type "%08X-%08X-%08X-%08X-%08X-%08X-%08X-  ****%s**** -%08X-%08X-%08X" into the chat window, then press left.  :-o!

Fixed.

Also, I can't seem to read the hashfiles unless I have write access to them. 

Should work fine now.

Finally, is there some way to put the hashfiles in a different folder?  I'd like to try this on my school's computer, but I don't have root, so I can't make folders in /usr/local.

The hashfiles can be stored in ~/slackchat/slackchat_bin/ and it should run fine.

Update available: www.javaop.com/~tmp

Thanks for the bug testing.