Vulnerability Development mailing list archives

Re: Unreal ircd Format String Vuln


From: Syzop <syz () dds nl>
Date: Tue, 26 Feb 2002 04:07:21 +0100

Hi,

"Gabriel A. Maggiotti" wrote:

Unreal3.1.1 has a format string vuln in Cio_PrintF(...) function.
This function is in /src/cio_main.c file

Piece of code:

        va_start(argptr, InBuf);
        Len = vsprintf(Buffer, InBuf, argptr);
        va_end(argptr);

The problem is with InBuf, if %p.%p.%p.%n is written in InBuf a segfault
is produced, the program crashes when it tries to copy the value of eax
to the address of edx.

Are you talking about:
BOOL Cio_PrintF(HWND hWnd, char *InBuf, ...)
{
[..]
        va_start(argptr, InBuf);
        Len = vsprintf(Buffer, InBuf, argptr);
        va_end(argptr);

??
Then I think you are wrong because it's the purpose of that function (see
glibc documentation for example for va_* stuff).
Of course if the function Cio_PrintF is called with user input in InBuf we have a problem.
BTW I've never seen that function before and I don't see it used anywhere but I might be
wrong (I never look at the windows part of the UnrealIrcd source).

Please use Unreal3.2 (beta6 currently) instead, Unreal3.1.2 has some serious bugs.

    Bram Matthys (1% UnrealIrcd coder)

PS: Please report bugs to coders () lists unrealircd org
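The point both mails circle around (a va_* wrapper is fine as long as the format string is chosen by the programmer, and only becomes a format string bug when untrusted text is passed as InBuf) can be shown side by side. The following is an added example and not code from either mail or from the UnrealIRCd source: the names cio_printf_unsafe, cio_printf_safe, cio_print_user_text and count_format_directives are assumed for illustration, and the sample strings are constructed.

```c
/* Added example, not from the mail or from UnrealIRCd. Function names are
 * assumed for illustration. */
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CIO_BUFLEN 256

/* The pattern quoted in the mail: the caller's string IS the format, and the
 * output is unbounded. Safe only if InBuf is a constant chosen by the
 * programmer, never when it carries text received from the network. */
int cio_printf_unsafe(char *out, const char *InBuf, ...)
{
    va_list argptr;
    int Len;
    va_start(argptr, InBuf);
    Len = vsprintf(out, InBuf, argptr); /* no bounds, directives come from InBuf */
    va_end(argptr);
    return Len;
}

/* Hardened variant: bounded output (vsnprintf), and the format is expected to
 * be a literal supplied by the caller. Returns the number of bytes stored,
 * excluding the terminator; on truncation that is outlen - 1. */
int cio_printf_safe(char *out, size_t outlen, const char *fmt, ...)
{
    va_list argptr;
    int Len;
    va_start(argptr, fmt);
    Len = vsnprintf(out, outlen, fmt, argptr);
    va_end(argptr);
    if (Len < 0)
        return -1;
    if ((size_t)Len >= outlen)
        return (int)(outlen - 1); /* output was truncated to fit */
    return Len;
}

/* How untrusted text should reach the formatter: as a "%s" argument, so any
 * '%' in it is copied literally instead of being interpreted. */
int cio_print_user_text(char *out, size_t outlen, const char *user_text)
{
    return cio_printf_safe(out, outlen, "%s", user_text);
}

/* Review/detection helper: count printf conversion directives in a string that
 * was never meant to be a format. "%%" is a literal percent and not counted.
 * *has_n is set when a %n (write-to-memory) conversion is present, which is
 * the directive worth alerting on in logs of received text. */
int count_format_directives(const char *s, bool *has_n)
{
    int n = 0;
    if (has_n)
        *has_n = false;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
        /* skip flags, width, precision and length modifiers */
        const char *p = s + 1;
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == 'n' && has_n)
            *has_n = true;
        if (*p)
            s = p; /* resume after the conversion character */
        else
            break;
    }
    return n;
}
```

The unsafe function is kept only for comparison with a programmer-chosen format; the safe path is the "%s" wrapper, and count_format_directives is the kind of check one would run over inbound message text when auditing or writing a detection for the pattern described in the thread.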
