Author:   David D. Rude II david@thegain.com
Release Date:   June 20th 2002
Systems Affected:   All versions of Windows Capable of running this
software.
Severity:   Medium
Credits:   Cryptix from irc.pulltheplug.com


Introduction:
This bug was discovered a very long time ago by cryptix. When I was made
aware of the problem which existed in pirch 98 I tried to contact the
pirch developers to no avail. So I decided to keep this bug unreleased for
quite some time. The reason I am releasing this advisory now is because a
new version of pirch has been released and can be downloaded at pirch.com
and it is no longer vulnerable to this kind of attack. I might have made a
bad decision in keeping this advisory to myself however it was my choice
at the time.

Pirch is a irc client which many windows users use as a replacement for
MIRC and other windows irc clients. It runs on many platforms of windows.

Details:
A buffer overflow exists in pirch 98 which could potentially allow remote
execution of arbitrary code. The overflow exists in the way that pirch 98
handles links. When I say links I mean hyperlinks to other channels and
websites and possibly other forms of hyperlinks. The problem occurs when a
long buffer is sent in either a channel or a private message. As far as I
can tell the problem does not exist within the DCC Chat feature.

To properly overflow the pirch98 irc client the buffer must be formated
correctly and there must be a specific amount of links in the buffer.

Proof of Concept:
If you run the a irc client (anyone you wish) and also run the pirch98
client you can test this out for your self.

Here is an example of the properly formated buffer:
#t #e #s #t #i #n #g #t #e #s #t #i #n #g #t #e #s #t #i #n #g #t #e #s #t
#i #n #g #t #e #s #t #i #n #g ........<lots of channel links>

As you will discover to get the correct amount of hyper links to overflow
the client you need to make the links as short as possible.

Exploitation:
Exploiting this vulnerability is theoretically possible. However it would
be very difficult to do. In what area are you going to place the
shellcode? That maybe the toughest question to answer in this situation.
Under the right conditions it is certainly plausable to think that
exploitation can occur.

The Fix:
The most obvious solution here is to upgrade to the latest version of
pirch. It can be downloaded at www.pirch.com.