
List:       full-disclosure
Subject:    [Full-disclosure] PTnet IRCD heap exhaustion and integer overflow
From:       yeah right <ficheironegro () gmail ! com>
Date:       2005-12-30 14:46:14
Message-ID: 9870a8150512300646u3b90e5b0m () mail ! gmail ! com


Synopsis : Potential heap exhaustion and an integer overflow
Product  : PTnet IRCD
Version  : 1.6, 1.5 (partially)
Date     : February 3rd, 2005
Author   : blackfile

 o introduction --

  The PTnet IRCD is a fork of the DALnet Dreamforge ircd that has been heavily
 modified to fit the needs of the network's users. As of version 1.5 only a few
 channels were locked as a security measure; from version 1.6 onwards the locking
 is broader, and it is this locking that turns out to be problematic. Channels
 such as #PTnet, #PTnoticias and all #*.log channels are locked.
 Note: you need special privileges (IRC operator status) to join these channels.


 o details --

  Since PTnet follows a closed-source philosophy and I have access to neither
 the IRCD's binary nor its sources, I had to make some hard guesses and do some
 reverse engineering. So it will seem normal if some of my guesses and/or ideas
 about this problem turn out to be wrong. When one attempts to join one of these
 charmed channels without being properly identified as an IRCOP, a warning is
 displayed (Permission denied- You do not have the proper IRC operator
 privileges). Nevertheless, the channel is opened with no one inside it: a few
 kilobytes of memory are allocated and, right after that, the integer that
 counts how many channels are open is incremented by one. Since nobody is ever
 inside the channel, it is never torn down the way a channel normally is when
 its last member leaves, so each denied join permanently costs one channel's
 worth of heap. You can confirm that the channel has been opened by typing
 /quote MODE #channel: if the server answers with the channel's mode line
 (numeric 324) instead of "No such channel" (numeric 403), the empty channel
 exists.

 Technical overview:

 See channel.c/m_join():

  At the beginning of the for() loop there are a few conditions that check the
 channel name's length and perform other miscellaneous checks. Right after those
 tests another check is made to see whether the channel being joined is a
 charmed channel. But instead of returning on that error, the loop is merely
 broken out of: the rest of the code still executes and the channel ends up
 successfully opened with no one inside it.

 o exploitation --

  Just create a bunch of bots and have them join random #*.log channels; every
 denied join leaves another empty channel allocated.

 o proof-of-concept --

  Soon.

 o impact --

  If properly exploited, the process runs out of heap space, which makes the
 IRCD call its outofmemory() function and leads to a hell-freezing restart.
 The channel counter mentioned above is the integer overflow of the synopsis;
 with a few kilobytes allocated per channel the heap is exhausted long before
 an int-sized counter could wrap, so memory exhaustion is the practical outcome.

 o disclaimer --

  This document may not be (re)distributed. This file is released "AS IS"
 without any kind of warranty. The author may not be held responsible for
 anyone's misuse of this information and/or program(s).
 This information and/or source code is provided for educational purposes only.

 o vendor notification --

  None. Due to the vendor's negligence towards its users, none will be made.

 o final notes --

  Open your radio.  There are moths everywhere, I'm sure of it.
