ctcp parse issues

karlthepagan karlthepagan at gmail.com
Sun Jan 24 17:03:34 EST 2010


Good point Zach, it may be that the user changed names or was disconnected.
Seems pretty obvious now.

On Sun, Jan 24, 2010 at 1:58 PM, Zachary West <zacwest at gmail.com> wrote:

> Are you seeing the "no such nick/channel [exploited-name]" and thinking
> it's trying to join? That CTCP spam is coming in from clients that
> disconnect before the CTCP reply can be sent, so it errors out.
>
> Zachary West
>
> On Sun, Jan 24, 2010 at 16:39, karlthepagan <karlthepagan at gmail.com> wrote:
>
>> I'll start up wireshark the next time I notice it. It is an exploit in the
>> wild.
>>
>> On Sun, Jan 24, 2010 at 8:09 AM, Ethan Blanton <elb at pidgin.im> wrote:
>>
>>> karlthepagan spake unto us the following wisdom:
>>> > this is the message of significance:
>>> > goqzxsrmglis: Received CTCP 'VERSION Reds and Blues: Bad news. Join the
>>> > Peoples Primary Party TODAY! http://peoplesprimary.com' (to
>>> > #noisebridge) from goqzxsrmglis
>>> >
>>> > I get this message and my pidgin attempts to join the channel
>>> > "goqzxrmglis"
>>> >
>>> > this is a SPAM CTCP and the text following "VERSION" should be stripped
>>> > and not processed by the client
>>> >
>>> > my client should not attempt to join the username as channel simply
>>> > because the message contains the text "join"
>>>
>>> You are correct, and it is not parsed.  Only the first eight bytes of
>>> a VERSION message (\001VERSION) are parsed.  There must either be a
>>> bug in libpurple IRC processing (I just looked at the likely
>>> candidates, and I don't see anything, but it could be subtle), or
>>> there must have been another message which triggered the join.  A bug
>>> in parsing which triggers a channel join could very well be a
>>> dangerous bug.
>>>
>>> Either way, a packet trace of this happening would be infinitely
>>> useful; I assume you don't have one?  Has this been repeated, or was
>>> it a one-time error?
>>>
>>> > repeated CTCP requests from the same user could have some kind of
>>> > filtering applied to them
>>>
>>> We have had requests for this, and it seems reasonable, we just
>>> haven't gotten to implementing it.
>>>
>>> Ethan
>>>
>>> --
>>> The laws that forbid the carrying of arms are laws [that have no remedy
>>> for evils].  They disarm only those who are neither inclined nor
>>> determined to commit crimes.
>>>                -- Cesare Beccaria, "On Crimes and Punishments", 1764
>>>
>>>
>>>
>>
>>
>
>
>
> --
> Zachary West
>
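
An added example, not libpurple's code and not written by anyone in this thread: a C illustration of the two points discussed above, matching only the `\001VERSION` prefix so the text after it is never interpreted, and filtering repeated CTCP requests from the same sender. The function names, the limit of 2 replies per 30 seconds and the 16-entry table are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CTCP_MAX_REPLIES 2   /* assumed policy: replies per sender per window */
#define CTCP_WINDOW_SECS 30  /* assumed policy: window length in seconds */
#define CTCP_SLOTS       16  /* assumed table size */
struct ctcp_slot { char nick[32]; time_t start; int count; };
static struct ctcp_slot slots[CTCP_SLOTS];

/* Match only the 8-byte prefix "\001VERSION" plus a delimiter; the
 * free-form text after it is never interpreted. */
int is_ctcp_version(const char *payload)
{
    if (strncmp(payload, "\001VERSION", 8) != 0)
        return 0;
    return payload[8] == '\001' || payload[8] == ' ' || payload[8] == '\0';
}

/* Per-sender limit: 1 if a reply to `nick` is allowed at `now`, else 0. */
int ctcp_allow(const char *nick, time_t now)
{
    struct ctcp_slot *s = &slots[0];
    for (int i = 0; i < CTCP_SLOTS; i++) {
        if (strncmp(slots[i].nick, nick, sizeof s->nick - 1) == 0) {
            s = &slots[i];            /* known sender */
            break;
        }
        if (slots[i].start < s->start)
            s = &slots[i];            /* otherwise reuse the oldest slot */
    }
    if (strncmp(s->nick, nick, sizeof s->nick - 1) != 0 ||
        now - s->start >= CTCP_WINDOW_SECS) {
        snprintf(s->nick, sizeof s->nick, "%s", nick);
        s->start = now; s->count = 0; /* new sender or expired window */
    }
    if (s->count >= CTCP_MAX_REPLIES)
        return 0;
    s->count++;
    return 1;
}

/* 0 = not a VERSION request, 1 = send reply, 2 = request dropped. */
int handle_privmsg(const char *nick, const char *payload, time_t now)
{
    if (!is_ctcp_version(payload))
        return 0;
    return ctcp_allow(nick, now) ? 1 : 2;
}
```

A limit keyed on the nick only covers repeats from one sender; requests arriving under many different nicks each get their own window.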