Vulnerabilities > CVE-2007-2951 - Remote Command Execution vulnerability in Kvirc IRC Client 3.2.0
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
The parseIrcUrl function in src/kvirc/kernel/kvi_ircurl.cpp in KVIrc 3.2.0 allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in an (1) irc:// or (2) irc6:// URI.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_KVIRC-3953.NASL description A bug in the IRC-URI parser allowed attackers to execute arbitrary commands by tricking a user into opening a specially crafted URI in kvirc (CVE-2007-2951). last seen 2020-06-01 modified 2020-06-02 plugin id 27315 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27315 title openSUSE 10 Security Update : kvirc (kvirc-3953) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update kvirc-3953. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(27315); script_version ("1.12"); script_cvs_date("Date: 2019/10/25 13:36:30"); script_cve_id("CVE-2007-2951"); script_name(english:"openSUSE 10 Security Update : kvirc (kvirc-3953)"); script_summary(english:"Check for the kvirc-3953 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "A bug in the IRC-URI parser allowed attackers to execute arbitrary commands by tricking a user into opening a specially crafted URI in kvirc (CVE-2007-2951)." ); script_set_attribute(attribute:"solution", value:"Update the affected kvirc package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kvirc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2"); script_set_attribute(attribute:"patch_publication_date", value:"2007/07/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.1|SUSE10\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1 / 10.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.1", reference:"kvirc-3.2.0-21.3") ) flag++; if ( rpm_check(release:"SUSE10.2", reference:"kvirc-3.2.5-26") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kvirc"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200709-02.NASL description The remote host is affected by the vulnerability described in GLSA-200709-02 (KVIrc: Remote arbitrary code execution) Stefan Cornelius from Secunia Research discovered that the last seen 2020-06-01 modified 2020-06-02 plugin id 26042 published 2007-09-14 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/26042 title GLSA-200709-02 : KVIrc: Remote arbitrary code execution code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200709-02. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(26042); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:44"); script_cve_id("CVE-2007-2951"); script_xref(name:"GLSA", value:"200709-02"); script_name(english:"GLSA-200709-02 : KVIrc: Remote arbitrary code execution"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200709-02 (KVIrc: Remote arbitrary code execution) Stefan Cornelius from Secunia Research discovered that the 'parseIrcUrl()' function in file src/kvirc/kernel/kvi_ircurl.cpp does not properly sanitise parts of the URI when building the command for KVIrc's internal script system. Impact : A remote attacker could entice a user to open a specially crafted irc:// URI, possibly leading to the remote execution of arbitrary code with the privileges of the user running KVIrc. Successful exploitation requires that KVIrc is registered as the default handler for irc:// or similar URIs. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200709-02" ); script_set_attribute( attribute:"solution", value: "All KVIrc users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-irc/kvirc-3.2.6_pre20070714'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:kvirc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/09/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/09/14"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-irc/kvirc", unaffected:make_list("ge 3.2.6_pre20070714"), vulnerable:make_list("lt 3.2.6_pre20070714"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "KVIrc"); }
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 24652 CVE(CAN) ID: CVE-2007-2951 KVIrc是一款免费的可移植IRC客户端。 KVIrc客户端在处理“irc://”协议串时存在漏洞,远程攻击者可能利用此漏洞在用户机器上执行命令。 KVIrc客户端的src/kvirc/kernel/kvi_ircurl.cpp文件中的parseIrcUrl()函数在为KVIrc的内部脚本系统构建命令时没有正确过滤部分URI,如果用户受骗打开了特制的irc://或类似的URI(如irc6://)的话,就会导致注入并执行KVIrc脚本系统命令。成功攻击要求KVIrc是irc://或类似URI的默认处理器。 KVIrc KVIrc 3.2.5 KVIrc KVIrc 3.2 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="https://svn.kvirc.de/kvirc/changeset/630/#file3" target="_blank">https://svn.kvirc.de/kvirc/changeset/630/#file3</a> |
| id | SSV:1942 |
| last seen | 2017-11-19 |
| modified | 2007-06-29 |
| published | 2007-06-29 |
| reporter | Root |
| title | KVIrc irc:// URI处理器远程命令注入漏洞 |
References
- http://osvdb.org/37604
- http://secunia.com/advisories/25740
- http://secunia.com/advisories/26813
- http://secunia.com/secunia_research/2007-56/advisory/
- http://security.gentoo.org/glsa/glsa-200709-02.xml
- http://www.novell.com/linux/security/advisories/2007_15_sr.html
- http://www.securityfocus.com/archive/1/472441/100/0/threaded
- http://www.securityfocus.com/bid/24652
- http://www.vupen.com/english/advisories/2007/2334
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35087
- https://svn.kvirc.de/kvirc/changeset/630/#file3