ctcp parse issues

karlthepagan karlthepagan at gmail.com
Sun Jan 24 16:39:35 EST 2010


I'll start up wireshark the next time I notice it. It is an exploit in the
wild.

On Sun, Jan 24, 2010 at 8:09 AM, Ethan Blanton <elb at pidgin.im> wrote:

> karlthepagan spake unto us the following wisdom:
> > this is the message of significance:
> > goqzxsrmglis: Received CTCP 'VERSION Reds and Blues: Bad news. Join the
> > Peoples Primary Party TODAY! http://peoplesprimary.com' (to
> > #noisebridge) from goqzxsrmglis
> >
> > I get this message and my pidgin attempts to join the channel
> > "goqzxrmglis"
> >
> > this is a SPAM CTCP and the text following "VERSION" should be stripped
> > and not processed by the client
> >
> > my client should not attempt to join the username as channel simply
> > because the message contains the text "join"
>
> You are correct, and it is not parsed.  Only the first eight bytes of
> a VERSION message (\001VERSION) are parsed.  There must either be a
> bug in libpurple IRC processing (I just looked at the likely
> candidates, and I don't see anything, but it could be subtle), or
> there must have been another message which triggered the join.  A bug
> in parsing which triggers a channel join could very well be a
> dangerous bug.
>
> Either way, a packet trace of this happening would be infinitely
> useful; I assume you don't have one?  Has this been repeated, or was
> it a one-time error?
>
> > repeated CTCP requests from the same user could have some kind of
> > filtering applied to them
>
> We have had requests for this, and it seems reasonable, we just
> haven't gotten to implementing it.
>
> Ethan
>
> --
> The laws that forbid the carrying of arms are laws [that have no remedy
> for evils].  They disarm only those who are neither inclined nor
> determined to commit crimes.
>                -- Cesare Beccaria, "On Crimes and Punishments", 1764
>
>
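Added example, not part of the thread and not libpurple's code: a strict C classifier for the rule described in the quoted reply, where only the command token after the leading \001 is examined and any text following VERSION is discarded instead of being handed to other handlers. The names ctcp_kind and ctcp_classify are hypothetical, and treating a payload with no closing \001 as malformed is an assumption of this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names for this example; not libpurple identifiers. */
enum ctcp_kind { CTCP_NONE, CTCP_MALFORMED, CTCP_VERSION, CTCP_ACTION, CTCP_OTHER };

/* Classify the text parameter of a PRIVMSG. Only the command token between
 * the leading \001 and the first space (or the closing \001) is examined.
 * *arg / *arg_len are set only for ACTION; VERSION text is never exposed. */
enum ctcp_kind ctcp_classify(const char *msg, size_t len,
                             const char **arg, size_t *arg_len)
{
    *arg = NULL;
    *arg_len = 0;
    if (len == 0 || msg[0] != '\001')
        return CTCP_NONE;                 /* ordinary chat text */

    const char *body = msg + 1;
    const char *end = memchr(body, '\001', len - 1);
    if (end == NULL)
        return CTCP_MALFORMED;            /* assumption: closing \001 required */

    size_t body_len = (size_t)(end - body);
    const char *sp = memchr(body, ' ', body_len);
    size_t cmd_len = sp ? (size_t)(sp - body) : body_len;
    if (cmd_len == 0)
        return CTCP_MALFORMED;            /* empty command token */

    if (cmd_len == 7 && memcmp(body, "VERSION", 7) == 0)
        return CTCP_VERSION;              /* trailing text deliberately dropped */
    if (cmd_len == 6 && memcmp(body, "ACTION", 6) == 0) {
        if (sp) {
            *arg = sp + 1;                /* argument span inside msg, not copied */
            *arg_len = body_len - cmd_len - 1;
        }
        return CTCP_ACTION;
    }
    return CTCP_OTHER;
}

int main(void)
{
    /* Constructed from the CTCP text quoted in the thread. */
    const char spam[] = "\001VERSION Reds and Blues: Bad news. Join the "
                        "Peoples Primary Party TODAY! http://peoplesprimary.com\001";
    const char *arg;
    size_t n;
    return ctcp_classify(spam, sizeof spam - 1, &arg, &n) == CTCP_VERSION ? 0 : 1;
}
```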