Bugtraq mailing list archives
ircd buffer overflow
From: achurch () DRAGONFIRE NET (Andy Church)
Date: Tue, 1 Jul 1997 02:20:47 EDT
There is a buffer overflow present in many IRC servers derived from the irc2.x distribution, which has been reported as being actively exploited on many networks. In short, insufficient bounds checking on the parameters to the SERVER message will overflow a buffer, and you can do more or less anything you could do with any other buffer overflow. (The current spate of attacks is aimed at just crashing servers; this can be accomplished with a single line of shell code.) This overflow is a bit more interesting than the usual, because it's not a case of _missing_ bounds checking; rather, it's _incorrect_ bounds checking, leading to a strncpy(s1, s2, -1) under certain circumstances. This bug is known to be present in all versions of ircd.dal through 4.4.10, as well as the base irc2.8.21 distribution. The bug is believed to NOT be present in ircu2.9.32, and is known to not be present in ircd.dal4.4.11. The patch below was made against ircd.dal4.4.5, but should apply more or less cleanly to other irc2.x derivations. --Andy Church | If Bell Atlantic really is the heart achurch () dragonfire net | of communication, then it desperately www.dragonfire.net/~achurch/ | needs a quadruple bypass. --------------------------------------------------------------------------- --- src/s_serv.c.old Sun Dec 8 21:06:55 1996 +++ src/s_serv.c Tue Jul 1 00:42:16 1997 @@ -282,15 +282,17 @@ { hop = atoi(parv[2]); (void)strncpy(info, parv[3], REALLEN); + info[REALLEN] = 0; } else if (parc > 2) { - (void)strncpy(info, parv[2], REALLEN); + (void)strncpy(info, parv[2], REALLEN-2); + info[REALLEN-2] = 0; if (parc > 3) { - i = strlen(info); - (void)strncat(info, " ", REALLEN - i - 1); - (void)strncat(info, parv[3], REALLEN - i - 2); + (void)strcat(info, " "); + (void)strncat(info, parv[3], REALLEN-strlen(info)); + info[REALLEN] = 0; } } /*
Current thread:
- ircd buffer overflow Andy Church (Jun 30)