Dalnet IRC Server "SUMMON" Buffer Overflow Vulnerability
BID:1404
Info
| Bugtraq ID: | 1404 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 29 2000 12:00AM |
| Updated: | Jun 29 2000 12:00AM |
| Credit: | First reported in a post to VULN-DEV by Shok <[email protected]> on June 29, 2000. |
| Vulnerable: | DALnet Bahamut IRCd 4.6.5 |
| Not Vulnerable: | |
Discussion
Dalnet ircd is a server for IRC (Internet Relay Chat), a popular Internet chat application. The implementation of one of its features, the "summon" command, has a hole that could grant an attacker remote access to the host running the server (with the privileges of the server). The vulnerability is a buffer overflow (due to the use of sprintf with user input) and is rather difficult to exploit: the shellcode must be divided among a number of variables, one of them being the hostname (which is obtained via reverse lookup, so DNS poisoning would be involved), and then reconstructed in memory and executed on the stack. Also, the "summon" command is not enabled in the ircd server by default; it has to be defined at compile time. Nonetheless, in theory this can be exploited, so patches should be applied.
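The fix on this page bounds the sprintf with snprintf but discards its return value, so an oversized field is silently truncated. The following is an added example, not Bahamut code, of a bounded builder for the same line format that detects truncation and refuses to emit a partial line; the function name, the 512-byte buffer size and the return convention are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the page does not show the declaration of `line`. */
#define SUMMON_LINE_MAX 512

/* Builds the summon notice into `line` (capacity `cap`).
 * Returns the number of bytes written, or -1 if the formatted message would
 * not fit. The caller never gets a truncated line: the attacker-influenced
 * fields (username, reverse-DNS host, realname) cannot push past `cap`,
 * and an oversized message is rejected instead of being cut short. */
int format_summon_line(char *line, size_t cap,
                       const char *chname, const char *username,
                       const char *host, const char *nick, const char *info)
{
    int n = snprintf(line, cap, "ircd: Channel %s, by %s@%s (%s) %s\n\r",
                     chname, username, host, nick, info);
    if (n < 0 || (size_t)n >= cap) {
        /* Truncated (n >= cap) or encoding error (n < 0): blank the buffer
         * so a later write(fd, line, strlen(line)) sends nothing. */
        if (cap > 0)
            line[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed check: a normal message succeeds, while a host string longer
 * than the buffer (the field an attacker controls via reverse DNS) is
 * rejected. Returns the length of the normal message, or -1 on failure. */
int demo(void)
{
    char line[SUMMON_LINE_MAX];
    char longhost[SUMMON_LINE_MAX + 64];
    memset(longhost, 'A', sizeof(longhost) - 1);
    longhost[sizeof(longhost) - 1] = '\0';

    int ok = format_summon_line(line, sizeof(line), "#help", "shok",
                                "example.invalid", "Shok", "info");
    int bad = format_summon_line(line, sizeof(line), "#help", "shok",
                                 longhost, "Shok", "info");
    return (ok > 0 && bad == -1 && line[0] == '\0') ? ok : -1;
}

int main(void)
{
    printf("demo result: %d\n", demo());  /* prints 58 when both checks pass */
    return demo() == 58 ? 0 : 1;
}
```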
Exploit / POC
Matt Conover wrote a partial exploit (no shellcode):
Solution / Fix
Solution:
Matt Conover <[email protected]> provided this patch:
Apply the following patch to s_bsd.c:
--- s_bsd.old.c Mon Nov 1 17:34:19 1999
+++ s_bsd.c Mon Nov 1 17:35:39 1999
@@ -2327,7 +2327,7 @@
sendto_one(who, wrerr, who->name);
return;
}
- (void)sprintf(line, "ircd: Channel %s, by %s@%s (%s) %s\n\r",
+ (void)snprintf(line, sizeof(line), "ircd: Channel %s, by %s@%s (%s) %s\n\r",
chname, who->user->username, who->user->host, who->name, who->info);
if (write(fd, line, strlen(line)) != strlen(line))
{
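Review bot: the snprintf return value is still cast to (void), so when the user@host and info fields exceed sizeof(line) the message is silently truncated, its trailing "\n\r" lost, and the shortened line is still handed to write(fd, line, strlen(line)). Capture the return value and treat n < 0 || n >= sizeof(line) as an error before the write. Also confirm that `line` is declared as a local array in this function rather than a char pointer, since the hunk does not show the declaration and sizeof(line) on a pointer would bound the write to the pointer size.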
Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- dalnet 4.6.5 remote vulnerability (vuln-dev post) (Matt Conover)
- DalNet Homepage (DalNet)