oss-sec mailing list archives
Re: CVE-XXX (quasselclient/quasselcore version 0.12.4): Heap Remote Code Execution and Null Pointer DDOS
From: nongiach nongiach <nongiach () gmail com>
Date: Tue, 1 May 2018 10:45:18 +0200
Hey, here are the two CVE numbers assigned:

Vuln1: CVE-2018-1000178, CWE-120: heap corruption

{
  "data_version": "4.0",
  "references": {"reference_data": [
    {"url": "https://i.imgur.com/JJ4QcNq.png"},
    {"url": "https://github.com/quassel/quassel/blob/master/src/common/protocols/datastream/datastreampeer.cpp#L62"}
  ]},
  "description": {"description_data": [
    {"lang": "eng", "value": "A heap corruption of type CWE-120 exists in quassel version 0.12.4 in quasselcore in void DataStreamPeer::processMessage(const QByteArray &msg), datastreampeer.cpp line 62 that allows an attacker to execute code remotely."}
  ]},
  "data_type": "CVE",
  "affects": {"vendor": {"vendor_data": [
    {"product": {"product_data": [
      {"version": {"version_data": [{"version_value": "0.12.4>version"}]},
       "product_name": "quasselcore, quasselclient"}
    ]},
     "vendor_name": "quassel"}
  ]}},
  "CVE_data_meta": {
    "DATE_ASSIGNED": "2018-04-30T19:35:42.127351",
    "DATE_REQUESTED": "2018-04-23T00:00:00",
    "ID": "CVE-2018-1000178",
    "ASSIGNER": "kurt () seifried org",
    "REQUESTER": "nongiach () gmail com"
  },
  "data_format": "MITRE",
  "problemtype": {"problemtype_data": [
    {"description": [{"lang": "eng", "value": "CWE-120: heap corruption"}]}
  ]}
}

Vuln2: CVE-2018-1000179, CWE-476: NULL Pointer Dereference

{
  "data_version": "4.0",
  "references": {"reference_data": [
    {"url": "https://github.com/quassel/quassel/blob/master/src/core/coreauthhandler.cpp#L236"}
  ]},
  "description": {"description_data": [
    {"lang": "eng", "value": "A NULL Pointer Dereference of CWE-476 exists in quassel version 0.12.4 in the quasselcore void CoreAuthHandler::handle(const Login &msg), coreauthhandler.cpp line 235 that allows an attacker to denial of service."}
  ]},
  "data_type": "CVE",
  "affects": {"vendor": {"vendor_data": [
    {"product": {"product_data": [
      {"version": {"version_data": [{"version_value": "0.12.4>version"}]},
       "product_name": "quasselcore"}
    ]},
     "vendor_name": "quassel"}
  ]}},
  "CVE_data_meta": {
    "DATE_ASSIGNED": "2018-04-30T19:35:42.127797",
    "DATE_REQUESTED": "2018-04-23T00:00:00",
    "ID": "CVE-2018-1000179",
    "ASSIGNER": "kurt () seifried org",
    "REQUESTER": "nongiach () gmail com"
  },
  "data_format": "MITRE",
  "problemtype": {"problemtype_data": [
    {"description": [{"lang": "eng", "value": "CWE-476: NULL Pointer Dereference"}]}
  ]}
}

Thx.

2018-04-27 0:39 GMT+02:00 nongiach nongiach <nongiach () gmail com>:
Hey, two vulnerabilities have been fixed in quassel, an IRC connection multiplexer, one with a high severity and another with a low severity. They are both publicly fixed:
- these patches apply cleanly to 0.12.4 sources
- the 0.12.5 release (Tuesday 24.04) includes these patches; distros have been notified for the embargo.

==============================================
Vuln 1:
Title: quasselcore, corruption of heap metadata caused by qdatastream leading to preauth remote code execution.
Severity: high, by default the server port is publicly open and the address can be requested using the /WHOIS command of the IRC protocol.
Description: In the QDataStream protocol each object is prepended with 4 bytes for the object size; this can be used to trigger allocation errors.
Source: void DataStreamPeer::processMessage(const QByteArray &msg), datastreampeer.cpp line 62
CWE: A heap corruption of type CWE-120 exists in quassel version 0.12.4 in the quasselcore that allows an attacker to execute code remotely.
Patch: https://quassel-irc.org/pub/misc/0001-Implement-custom-deserializer-to-add-our-own-sanity-.patch
Screen POC: https://i.imgur.com/JJ4QcNq.png
Credit: @chaign_c
Information: This vulnerability is not specific to qdatastream.
==============================================
Vuln 2:
Title: quasselcore DDOS
Severity: low, impacts only a quasselcore that is not configured.
Description: A login attempt causes a NULL pointer dereference when the database is not initialized.
Source: void CoreAuthHandler::handle(const Login &msg), coreauthhandler.cpp line 235
CWE: A NULL Pointer Dereference of CWE-476 exists in quassel version 0.12.4 in the quasselcore that allows an attacker to cause a denial of service.
Patch: https://quassel-irc.org/pub/misc/0002-Reject-clients-that-attempt-to-login-before-the-core.patch
Credit: @chaign_c
==============================================
With lead dev agreement, POC will be released here https://github.com/nongiach/CVE/ in one month from now.

A big thx to quassel team for their quick responses and reaction. CVE number assignation is ongoing. Thx.
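The size-prefix problem behind Vuln 1, as an added example that is neither Quassel's code nor the author's PoC: a reader that trusts the 4-byte object length beside one that bounds it before allocating. The frame layout (a big-endian uint32 length followed by that many bytes, which is how QDataStream serializes a QByteArray, with 0xFFFFFFFF marking a null array), the 64 KiB per-object cap, the function names and the sample frames are assumptions made for this example; it illustrates the bug class, not the exact code path in datastreampeer.cpp.

```c
/* Added example, NOT Quassel's code.  Shows the bug class the advisory
 * describes (a 4-byte size prefix trusted by the deserializer) beside a
 * sanity-checked reader.  Frame layout, the per-object cap, the function
 * names and the sample frames are assumptions of this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJECT_LEN  (64u * 1024u)  /* assumed policy cap, not a Quassel value */
#define QBA_NULL_MARKER 0xFFFFFFFFu    /* QDataStream's length for a null QByteArray */

enum obj_status {
    OBJ_OK = 0,
    OBJ_NULL,               /* null-QByteArray marker: valid, carries no payload */
    OBJ_TRUNCATED,          /* fewer than 4 header bytes remain */
    OBJ_LEN_EXCEEDS_POLICY, /* declared size above MAX_OBJECT_LEN */
    OBJ_LEN_EXCEEDS_INPUT,  /* declared size larger than the bytes received */
    OBJ_NOMEM
};
static const char *const STATUS_NAME[] = {
    "OK", "NULL", "TRUNCATED", "LEN_EXCEEDS_POLICY", "LEN_EXCEEDS_INPUT", "NOMEM"
};

/* Constructed sample frames (assumed test data, not captured traffic). */
static const uint8_t FRAME_OK[]      = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t FRAME_NULL[]    = {0xFF, 0xFF, 0xFF, 0xFF};
static const uint8_t FRAME_TOO_BIG[] = {0x00, 0x10, 0x00, 0x00, 'a', 'b'};  /* claims 1 MiB */
static const uint8_t FRAME_LYING[]   = {0x00, 0x00, 0x00, 0x10, 'h', 'e', 'l', 'l', 'o'}; /* claims 16, sends 5 */
static const uint8_t FRAME_SHORT[]   = {0x00, 0x00};

static uint32_t read_u32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* A trusting reader does, in effect, dst = malloc(n); memcpy(dst, src, n) with
 * n taken straight off the wire.  This returns how many bytes past the end of
 * the received buffer that memcpy would read (0 = this frame happens to be
 * safe).  Pure arithmetic: it never performs the bad copy itself. */
size_t naive_overread(const uint8_t *buf, size_t buflen)
{
    if (buflen < 4)
        return 4 - buflen;
    size_t declared = read_u32be(buf);  /* 0xFFFFFFFF: ~4 GiB malloc, or n+1 wrapping to 0 */
    size_t avail = buflen - 4;
    return declared > avail ? declared - avail : 0;
}

/* Sanity-checked reader.  On OBJ_OK, *out is a malloc'd copy of exactly
 * *outlen bytes (caller frees) and *pos has been advanced past the object. */
enum obj_status read_object(const uint8_t *buf, size_t buflen, size_t *pos,
                            uint8_t **out, uint32_t *outlen)
{
    *out = NULL;
    *outlen = 0;
    if (*pos > buflen || buflen - *pos < 4)
        return OBJ_TRUNCATED;
    uint32_t declared = read_u32be(buf + *pos);
    *pos += 4;
    if (declared == QBA_NULL_MARKER)
        return OBJ_NULL;                /* recognised before any arithmetic on it */
    if (declared > MAX_OBJECT_LEN)
        return OBJ_LEN_EXCEEDS_POLICY;  /* cap first: never allocate on the peer's say-so */
    if (declared > buflen - *pos)
        return OBJ_LEN_EXCEEDS_INPUT;   /* then bound by what actually arrived */
    uint8_t *copy = malloc(declared ? declared : 1);
    if (!copy)
        return OBJ_NOMEM;
    memcpy(copy, buf + *pos, declared);
    *pos += declared;
    *out = copy;
    *outlen = declared;
    return OBJ_OK;
}

/* Judge a whole frame in one call. */
enum obj_status classify(const uint8_t *buf, size_t buflen)
{
    size_t pos = 0; uint8_t *o; uint32_t n;
    enum obj_status st = read_object(buf, buflen, &pos, &o, &n);
    free(o);
    return st;
}

/* 1 if the frame parses OK, consumes the whole buffer and carries `expected`. */
int payload_equals(const uint8_t *buf, size_t buflen, const char *expected)
{
    size_t pos = 0; uint8_t *o; uint32_t n;
    int ok = read_object(buf, buflen, &pos, &o, &n) == OBJ_OK && pos == buflen &&
             n == strlen(expected) && memcmp(o, expected, n) == 0;
    free(o);
    return ok;
}

int main(void)
{
    const uint8_t *f[] = {FRAME_OK, FRAME_NULL, FRAME_TOO_BIG, FRAME_LYING, FRAME_SHORT};
    size_t len[] = {sizeof FRAME_OK, sizeof FRAME_NULL, sizeof FRAME_TOO_BIG,
                    sizeof FRAME_LYING, sizeof FRAME_SHORT};
    for (int i = 0; i < 5; i++)
        printf("frame %d: trusting reader over-reads %zu byte(s); checked reader: %s\n",
               i, naive_overread(f[i], len[i]), STATUS_NAME[classify(f[i], len[i])]);
    return 0;
}
```

The order of the checks is the point, not the particular cap: the null marker and the policy limit are tested before the declared size is used in any arithmetic or allocation, so a wire value of 0xFFFFFFFF can become neither a ~4 GiB allocation nor a size+1 that wraps to 0, and a size larger than what was actually received is rejected instead of being copied from beyond the buffer.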
Current thread:
- CVE-XXX (quasselclient/quasselcore version 0.12.4): Heap Remote Code Execution and Null Pointer DDOS nongiach nongiach (Apr 27)
- Re: CVE-XXX (quasselclient/quasselcore version 0.12.4): Heap Remote Code Execution and Null Pointer DDOS nongiach nongiach (May 01)