UnrealIRCd Internet Relay Chat (IRC) Server Format String Bug Lets Remote Users Crash the Chat Service
|
Date: Feb 25 2002
|
Impact: Denial of service via network
|
Exploit Included: Yes
|
Version(s): 3.1.1, possibly others
|
Description: Qb0x reported a format string vulnerability in the UnrealIRCd chat server. A remote user can cause the server process to crash.
It is reported that a format string vulnerability exists in the Cio_PrintF() function in the /src/cio_main.c file. See the Source
Message for the affected code.
A remote user can reportedly supply a specially crafted input value to cause the server to crash.
|
Impact: A remote user can cause the chat service to crash.
|
Solution: No vendor solution was available at the time of this entry.
The author of the report suggests using the proper format of svprintf:
int vprintf(const char *format, va_list ap);
|
Vendor URL: unrealircd.com/
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: "Gabriel A. Maggiotti" <gmaggiot@ciudad.com.ar>
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 25 Feb 2002 13:27:07 -0300
From: "Gabriel A. Maggiotti" <gmaggiot@ciudad.com.ar>
Subject: Unreal ircd Format String Vulnerability
|
---------------------------------------------------------------------------
Web: http://qb0x.net Author: Gabriel A. Maggiotti
Date: February 25, 2002 E-mail: gmaggiot@ciudad.com.ar
---------------------------------------------------------------------------
General Info
------------
Problem Type : Format String Vulnerability
Product : Unreal irc server
Version : tested in 3.1.1
Vendor : www.unrealircd.org
Summary
-------
A security vulnerability has been found in the popular Unreal irc server.
Unreal3.1.1 has a format string vuln in Cio_PrintF(...) function.
This function is in /src/cio_main.c file
Piece of code:
    va_start(argptr, InBuf);
    Len = vsprintf(Buffer, InBuf, argptr);
    va_end(argptr);
The problem is with InBuf, if %p.%p.%p.%n is written in InBuf a segfault
is produced, the program crashes when it tries to copy the value of eax
to the address of edx.
SOLUTION:
Don't forget to use the proper format of svprintf:
int vprintf(const char *format, va_list ap);
---------------------------------------------------------------------------
|
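Added example, not code from UnrealIRCd or from the report: a printf-style wrapper like the one quoted above is only exploitable when a caller passes remote text as the format argument, so the sketch below keeps the format constant, bounds the output with vsnprintf, and lets the compiler check call sites. The names safe_printf, emit_user_text and count_format_directives are hypothetical, and the buffer sizes are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a Cio_PrintF-style wrapper. The format attribute
 * lets GCC/Clang (-Wformat -Wformat-security) flag non-literal formats. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int safe_printf(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, outsz, fmt, ap);   /* bounded, unlike vsprintf */
    va_end(ap);
    if (len < 0 || (size_t)len >= outsz) return -1;  /* error or truncation */
    return len;
}

/* Caller side: untrusted text is passed as an argument to a constant "%s"
 * format, never as the format itself (the reported pattern is InBuf = input). */
static int emit_user_text(char *out, size_t outsz, const char *untrusted)
{
    return safe_printf(out, outsz, "%s", untrusted);
}

/* Logging tripwire: count conversion directives in input ("%%" is literal). */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    char buf[64];                          /* assumed size for the demo */
    const char *probe = "%p.%p.%p.%n";     /* string quoted in the report */
    int len = emit_user_text(buf, sizeof buf, probe);
    printf("len=%d out=%s directives=%d\n", len, buf, count_format_directives(probe));
    return 0;
}
```

With the constant "%s" format the probe string is copied out literally and no conversion is applied to it.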