Vulnerability Development mailing list archives

Unreal ircd Format String Vuln


From: "Gabriel A. Maggiotti" <gmaggiot () ciudad com ar>
Date: Mon, 25 Feb 2002 13:30:26 -0300


---------------------------------------------------------------------------
Web:  http://qb0x.net                   Author: Gabriel A. Maggiotti
Date: February 25, 2002                 E-mail: gmaggiot () ciudad com ar
---------------------------------------------------------------------------


General Info
------------
Problem Type    :  Format String Vulnerability
Product         :  Unreal irc server
Version         :  tested in 3.1.1
Vendor          :  www.unrealircd.org


Summary
-------
A security vulnerability has been found in the popular Unreal irc server.
Unreal3.1.1 has a format string vulnerability in the Cio_PrintF(...) function.
This function is in the /src/cio_main.c file.

Piece of code:

        va_start(argptr, InBuf);
        Len = vsprintf(Buffer, InBuf, argptr);
        va_end(argptr);

The problem is with InBuf: if %p.%p.%p.%n is written in InBuf, a segfault
is produced; the program crashes when it tries to copy the value of eax
to the address of edx.


SOLUTION:
Don't forget to use the proper format of svprintf:

        int vprintf(const char *format, va_list ap);


---------------------------------------------------------------------------
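
The fix pattern for the bug described above, as an added example that is not part of the original post and is not UnrealIRCd code: a bounded wrapper plus a call site that passes untrusted text as an argument to a constant "%s" format. The names safe_printf, emit_untrusted, OUT_MAX and demo_buf are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define OUT_MAX 64            /* assumed buffer size for this example */
char demo_buf[OUT_MAX];       /* scratch buffer used by main() below */

/* Hypothetical bounded printf-style wrapper (not UnrealIRCd code).
 * The format attribute lets GCC/Clang check call sites with -Wformat. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int safe_printf(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, out_len, fmt, ap);   /* never writes past out_len */
    va_end(ap);

    if (n < 0) {                            /* encoding/format error */
        if (out_len > 0)
            out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= out_len)               /* output was truncated */
        return -1;
    return n;
}

/* Call site: untrusted text is an argument to a constant "%s" format,
 * so any % directives inside it are copied, not interpreted. */
int emit_untrusted(char *out, size_t out_len, const char *untrusted)
{
    return safe_printf(out, out_len, "%s", untrusted);
}

int main(void)
{
    /* Constructed sample input: the string from the advisory. */
    int n = emit_untrusted(demo_buf, sizeof demo_buf, "%p.%p.%p.%n");
    printf("%d bytes: %s\n", n, demo_buf);
    return 0;
}
```

Building with -Wformat -Wformat-security flags any remaining call site that passes a non-literal string as the format argument.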
