ctcp parse issues

Zachary West zacwest at gmail.com
Sun Jan 24 16:58:28 EST 2010


Are you seeing the "no such nick/channel [exploited-name]" and thinking it's
trying to join? That CTCP spam is coming in from clients that disconnect
before the CTCP reply can be sent, so it errors out.

Zachary West

On Sun, Jan 24, 2010 at 16:39, karlthepagan <karlthepagan at gmail.com> wrote:

> I'll start up wireshark the next time I notice it. It is an exploit in the
> wild.
>
> On Sun, Jan 24, 2010 at 8:09 AM, Ethan Blanton <elb at pidgin.im> wrote:
>
>> karlthepagan spake unto us the following wisdom:
>> > this is the message of significance:
>> > goqzxsrmglis: Received CTCP 'VERSION Reds and Blues: Bad news. Join the
>> > Peoples Primary Party TODAY! http://peoplesprimary.com' (to
>> > #noisebridge) from goqzxsrmglis
>> >
>> > I get this message and my pidgin attempts to join the channel
>> > "goqzxrmglis"
>> >
>> > this is a SPAM CTCP and the text following "VERSION" should be stripped
>> > and not processed by the client
>> >
>> > my client should not attempt to join the username as channel simply
>> > because the message contains the text "join"
>>
>> You are correct, and it is not parsed.  Only the first eight bytes of
>> a VERSION message (\001VERSION) are parsed.  There must either be a
>> bug in libpurple IRC processing (I just looked at the likely
>> candidates, and I don't see anything, but it could be subtle), or
>> there must have been another message which triggered the join.  A bug
>> in parsing which triggers a channel join could very well be a
>> dangerous bug.
>>
>> Either way, a packet trace of this happening would be infinitely
>> useful; I assume you don't have one?  Has this been repeated, or was
>> it a one-time error?
>>
>> > repeated CTCP requests from the same user could have some kind of
>> > filtering applied to them
>>
>> We have had requests for this, and it seems reasonable, we just
>> haven't gotten to implementing it.
>>
>> Ethan
>>
>> --
>> The laws that forbid the carrying of arms are laws [that have no remedy
>> for evils].  They disarm only those who are neither inclined nor
>> determined to commit crimes.
>>                -- Cesare Beccaria, "On Crimes and Punishments", 1764
>>
>



-- 
Zachary West
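
An added sketch, not libpurple's code and not part of the original thread: a handler that looks only at the `\001VERSION` prefix of an incoming message, as Ethan describes, and applies the per-sender filtering of repeated CTCP requests that karlthepagan suggests. The function names, the 10-second interval, the table size and the word-boundary check are assumptions made for illustration.

```c
#include <string.h>
#include <time.h>

#define MAX_SENDERS  64   /* assumed table size */
#define MIN_INTERVAL 10   /* assumed policy: seconds between replies per nick */

enum ctcp_action { CTCP_NONE, CTCP_REPLY_VERSION, CTCP_THROTTLED };

struct sender { char nick[32]; time_t last; };
static struct sender seen[MAX_SENDERS];
static size_t next_slot;

/* Return 1 if a reply to nick is allowed at time now, and record it. */
static int allow_reply(const char *nick, time_t now)
{
    for (size_t i = 0; i < MAX_SENDERS; i++) {
        if (seen[i].nick[0] &&
            strncmp(seen[i].nick, nick, sizeof seen[i].nick - 1) == 0) {
            if (now - seen[i].last < MIN_INTERVAL)
                return 0;               /* same nick asked again too soon */
            seen[i].last = now;
            return 1;
        }
    }
    /* Unknown nick: take the next slot, overwriting the oldest entry. */
    struct sender *s = &seen[next_slot++ % MAX_SENDERS];
    strncpy(s->nick, nick, sizeof s->nick - 1);
    s->nick[sizeof s->nick - 1] = '\0';
    s->last = now;
    return 1;
}

/* Classify a PRIVMSG body. Only the fixed 8-byte prefix "\001VERSION" is
 * examined; the text after it (spam, URLs, the word "join") is never
 * interpreted and cannot select any other action. */
enum ctcp_action handle_privmsg(const char *nick, const char *body, time_t now)
{
    static const char prefix[] = "\001VERSION";
    size_t n = sizeof prefix - 1;       /* 8 bytes */

    if (strncmp(body, prefix, n) != 0)
        return CTCP_NONE;
    /* Added strictness (not from the thread): require a word boundary. */
    if (body[n] != ' ' && body[n] != '\001' && body[n] != '\0')
        return CTCP_NONE;
    return allow_reply(nick, now) ? CTCP_REPLY_VERSION : CTCP_THROTTLED;
}
```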