EPIC4 Buffer Overflow in Processing CTCP Nicknames May Let Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1008131
|
|
CVE Reference: CAN-2003-0328
(Links to External Site)
|
Updated: Nov 27 2003
|
Original Entry Date: Nov 10 2003
|
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): epic4pre2.002, epic4pre2.003 and later versions
|
Description: A vulnerability was reported in EPIC4 in the processing of large nicknames. A remote user acting as an IRC server can cause a connected client to crash and potentially execute arbitrary code.
It is reported that an incorrect length calculation in 'ctcp.c' can be triggered by a remote IRC server sending a CTCP request with
a large nickname (greater than approximately 512 bytes), causing EIPC4 to call the alloca() function with a negative value. As
a result, an invalid pointer will be returned and memory contents will be overwritten. A remote user can cause arbitrary code to
be executed with the privileges of the EPIC4 client user, according to the report.
|
Impact: A remote IRC server can execute arbitrary code on a connected EPIC4 client system with the privileges of the target EPIC4 client user.
|
Solution: A fix is available (since May 2003) via CVS:
http://cvs.prbh.org/cgi/viewcvs.cgi/epic4/
A patch is also available at:
ftp://ftp.prbh.org/pub/epic/patches/alloca_underrun-patch-1
|
Vendor URL: www.epicsol.org/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Mon, 10 Nov 2003 09:59:33 -0500
Subject: ftp://ftp.prbh.org/pub/epic/patches/alloca_underrun-patch-1
|
ftp://ftp.prbh.org/pub/epic/patches/alloca_underrun-patch-1
Advisory -- Possible remote exploit from rogue server, exploit exists.
Summary -- ircII clients generally trust the server not to send it garbage.
Validity checking on data coming from the server tends to be weak.
If a rogue server sends us a ctcp request from an extremely large
nickname (over about 512 bytes), epic may attempt to alloca() a
negative value, which under gcc will return a invalid pointer, the
contents of which will then be overwritten.
Extent -- All versions of epic4, before epic4pre2.002 are not vulnerable
to this attack. All versions of epic4, since and including
epic4pre2.003 are vulnerable and this patch should be applied.
Future versions of epic will include this patch.
Cause-for-alarm -- If you connect to a rogue server which has been carefully
crafted to send a CTCP request from an extremely large nickname,
EPIC may attempt to overwrite the stack, yeilding a remote exploit
for whatever user id you are running epic as.
Disclaimer -- All non-trivial software has bugs, of varying degrees. EPIC
is no exception. All remote exploits are serious, but this is more
serious because there is an exploit for this bug floating around.
You should never connect to a server you do not trust.
Remedy -- Apply the following patch.
*** source/ctcp.c.orig Fri May 9 17:42:20 2003
--- source/ctcp.c Fri May 9 17:42:37 2003
***************
*** 897,903 ****
int len;
/* Make sure that the final \001 doesnt get truncated */
! len = IRCD_BUFFER_SIZE - (12 + strlen(to));
putbuf2 = alloca(len);
if (format)
--- 897,904 ----
int len;
/* Make sure that the final \001 doesnt get truncated */
! if ((len = IRCD_BUFFER_SIZE - (12 + strlen(to))) < 0)
! return;
putbuf2 = alloca(len);
if (format)
|
|
