Bugtraq mailing list archives
Re: ircd exploit in ircu based code
From: klmitch () MIT EDU (Kev)
Date: Thu, 15 Jul 1999 13:39:46 EDT
Most IRC networks using ircu-based servers have a bug that lets users segfault the server. In m_join, the code doesn't check to see if get_channel returned failure (by returning NULL).
Which version of ircu? In 2.10.06, the only pattern that matches your patch is wrapped within "if (*mbuf)"; by this time in m_join, the channel is known to exist, and we're just sending modes off to the P09 servers. (And we're calling sendto_lowprot_butone() instead.)
While the line numbers will probably be off, this patch will work in most ircu based servers. --- ircd/channel.c Tue Jul 13 19:58:46 1999 +++ ircd/channel.c Tue Jul 13 20:05:31 1999 @@ -2004,6 +2004,12 @@ chptr = get_channel (sptr, name, !CREATE); /* need the TS -Kev */ + if (!chptr) { + sendto_one (sptr, err_str (ERR_NOSUCHCHANNEL), + me.name, parv[0], name); + return(0); + } + sendto_serv_butone (cptr, ":%s MODE %s +%s%s %lu", me.name, name, sendmode ? "o " : "", sendmode ? parv[0] : "", chptr->creationtime); /* send the MODE to the
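Review bot: the `return(0)` in the added block is the wrong exit for this spot; as the reply points out, the `get_channel()` lookup sits inside the loop that walks the JOIN channel list, so returning from m_join on the first NULL abandons every remaining name in the request while the earlier ones have already been processed. If a NULL is genuinely possible here, `continue` after the `ERR_NOSUCHCHANNEL` reply handles that one name and lets the loop finish; if, as the reply states, the channel is already known to exist at this point (the `!CREATE` lookup comes after the join has succeeded), an `assert(chptr)` records that invariant instead of turning a corrupted channel table into a quiet error reply to the user. The check is at least placed correctly relative to the dereference it guards, since `chptr->creationtime` is read in the `sendto_serv_butone()` call immediately below it.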
Judging from context (it's been a long time since I wrote this code), this is the same place as I indicate above, and we already know for a fact that the channel exists. Perhaps an assertion should go in there...

Also note that your return is misplaced; this is inside a loop, and you are terminating the loop prematurely. You can easily end up with a desync, when what should happen is the server should die, because it's lost a channel while trying to add someone to it!

--
Kevin L. Mitchell <klmitch () mit edu>
------------------------- -. .---- --.. ..- -..- --------------------------
http://web.mit.edu/klmitch/www/ (PGP keys available from here)
RSA AE87D37D/1024: DE EA 1E 99 3F 2B F9 23 A0 D8 05 E0 6F BA B9 D2
DSS ED0DB34E/1024: D9BF 0E74 FDCB 43F5 C597 878F 9455 EC24 ED0D B34E
DH 2A2C31D4/2048: 1A77 4BA5 9E32 14AE 87DA 9FEC 7106 FC62 2A2C 31D4
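A small C illustration of the loop-termination point made in the reply above, added here as an example and not code from either post or from ircu: a toy JOIN handler walks a comma-separated channel list with a lookup that can return NULL, and the caller chooses between the patch's `return` and a `continue`. The channel table, the names `lookup_channel`, `join_list`, `count_processed`, `count_joined`, and the sample input are constructed for illustration and are not ircu's API.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for ircu's channel record (assumption: only the field the
 * posted patch dereferences, creationtime, is modelled). */
struct channel {
    const char   *name;
    unsigned long creationtime;
};

/* Constructed channel table standing in for the server's channel hash.
 * "#beta" is deliberately absent so that a lookup can return NULL. */
static struct channel chantab[] = {
    { "#alpha", 931900000UL },
    { "#gamma", 931900100UL },
};

/* Stand-in for get_channel(..., !CREATE): NULL when the name is unknown. */
static struct channel *lookup_channel(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof chantab / sizeof chantab[0]; i++)
        if (strcmp(chantab[i].name, name) == 0)
            return &chantab[i];
    return NULL;
}

/* Walk a JOIN argument such as "#alpha,#beta,#gamma", the way m_join loops
 * over its channel list.  Returns the number of names the loop examined;
 * *joined receives how many channels had their creationtime relayed.
 * With stop_on_missing set, the first NULL makes the handler return,
 * mirroring the posted patch; otherwise the bad name is skipped and the
 * loop finishes, which is what a reply to the user should do. */
static int join_list(const char *arg, int stop_on_missing, int *joined)
{
    char  buf[256];
    char *name;
    int   processed = 0;

    *joined = 0;
    strncpy(buf, arg, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    for (name = strtok(buf, ","); name != NULL; name = strtok(NULL, ",")) {
        struct channel *chptr = lookup_channel(name);
        processed++;
        if (chptr == NULL) {
            /* Here the server would send ERR_NOSUCHCHANNEL to the user. */
            if (stop_on_missing)
                return processed;   /* the patch: remaining names are never seen */
            continue;               /* skip only this name, keep going */
        }
        /* chptr is non-NULL here, so the dereference the patch guards
         * (chptr->creationtime in sendto_serv_butone) is safe. */
        if (chptr->creationtime != 0UL)
            (*joined)++;
    }
    return processed;
}

/* Thin wrappers so each result is a single return value. */
int count_processed(const char *arg, int stop_on_missing)
{
    int joined;
    return join_list(arg, stop_on_missing, &joined);
}

int count_joined(const char *arg, int stop_on_missing)
{
    int joined;
    (void)join_list(arg, stop_on_missing, &joined);
    return joined;
}

int main(void)
{
    const char *req = "#alpha,#beta,#gamma";   /* constructed JOIN argument */
    printf("return on NULL: examined %d names, joined %d channels\n",
           count_processed(req, 1), count_joined(req, 1));
    printf("continue on NULL: examined %d names, joined %d channels\n",
           count_processed(req, 0), count_joined(req, 0));
    return 0;
}
```

With the early return, "#gamma" is never looked at even though it exists; with `continue`, the one unknown name is rejected and the rest of the request is honoured. Where the channel is guaranteed to exist at that point in the real code, `assert(chptr)` is the honest replacement for either branch.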
Current thread:
- aix 4.2 4.3.1, adb GZ Apple (Jul 12)
- Re: aix 4.2 4.3.1, adb Mike Austin (Jul 13)
- Root Perms Gained with Patrol SNMP Agent 3.2 (all others?) Andrew Alness (Jul 13)
- Announcing First Annual ToorCon Ben (Jul 13)
- ircd exploit in ircu based code Kevin Day (Jul 13)
- Re: ircd exploit in ircu based code Kev (Jul 15)
- About IGMP and another exploit for Windows95x/98x Hector Leon (Jul 13)
- credit (was Re: About IGMP and another exploit for Windows95x/98x) Max Vision (Jul 14)
- Re: aix 4.2 4.3.1, adb Troy A. Bollinger (Jul 13)
- DoS attack on AT&T Wireless text-messaging service Peter Gamache (Jul 14)
- BO2K Aleph One (Jul 15)
- <Possible follow-ups>
- Re: aix 4.2 4.3.1, adb Peter.Fredriksson () Skriptor com (Jul 13)
- Re: aix 4.2 4.3.1, adb Troy A. Bollinger (Jul 15)