
List:       full-disclosure
Subject:    [Full-disclosure] Charybdis: Improper assumptions in the server handshake code may lead to a remote
From:       Mustapha Rabiu <muztapha () gmail ! com>
Date:       2012-12-31 22:02:21
Message-ID: CACy=+DuLnkuq8LVi3dS9_0h5pvk=O2dpUtPM_eUJEOU1U3s=xQ () mail ! gmail ! com


> Access vector: network
> Access complexity: low
> Authentication requirement: none
>
> Confidentiality impact: none
> Integrity impact: none
> Availability impact: complete
>
> CVSSv2 temporal score: 6.4
>
> Exploitability: functional exploit exists
> Remediation level: official fix
> Report confidence: confirmed
>
> Summary:
>
> All versions of Charybdis are vulnerable to a remotely-triggered crash bug
> caused by code originating from ircd-ratbox 2.0.  (Incidentally, this means all
> versions since ircd-ratbox 2.0 are also vulnerable.)
>
> The bug has to do with server capability negotiation.  A malformed request will
> trigger a crash due to invalid assumptions.
>
> Mitigation:
>
> A patch for all affected versions of ircd-ratbox and charybdis is available from
> the charybdis GIT repository:
>   https://github.com/atheme/charybdis/commit/ac0707aa61d9c20e9b09062294701567c9f41595.patch
>
> To apply the patch, go to your IRCd source tree and run the following commands:
>   $ patch -p1 < /path/to/downloaded/patchfile.patch
>   $ make
>   $ make install
>
> Then you may hotfix the IRCd by running /MODRESTART as a server admin.
>
> Details:
>
> In ratbox-2, the following code was added to m_capab.c:
>   char *t = LOCAL_COPY(parv[i]);
>
> The other logic was then modified to make use of that stack-allocated buffer rather
> than the original.  LOCAL_COPY() is a macro which expands to alloca() and strlcpy(),
> and the bug effectively is caused by this expansion calling strlen(NULL).
>
>

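The Details section above describes the failure mode only in one sentence: a LOCAL_COPY()-style macro sizes its stack buffer with strlen() before anything else runs, so a NULL argument slot reaching it is a null-pointer dereference. The following is an added illustration written for this page; it is not code from ircd-ratbox, charybdis, or the linked patch. The LOCAL_COPY definition is assumed from the advisory's description (alloca plus strlcpy; the exact upstream header is not shown), the CAPAB handler is a simulation of the loop shape the advisory mentions, and the NULL-slot rejection in capab_checked() is an illustrative guard, not the text of the upstream fix. The input lines are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CAP_MAX 16
#define CAP_LEN 32

/* Minimal strlcpy replacement so the example builds on glibc before 2.38.
 * Returns dst (unlike BSD strlcpy) so the macro below can yield the buffer. */
static char *copy_bounded(char *dst, const char *src, size_t siz)
{
    size_t n = strlen(src);
    if (siz) {
        size_t c = n >= siz ? siz - 1 : n;
        memcpy(dst, src, c);
        dst[c] = '\0';
    }
    return dst;
}

/* Assumed shape of LOCAL_COPY(): stack-allocate strlen(s)+1 bytes and copy s
 * into them (the advisory says alloca() + strlcpy(); the real header is not
 * on the page).  strlen(s) is evaluated first, so s == NULL crashes here. */
#define LOCAL_COPY(s) __extension__ ({                  \
        size_t len_ = strlen(s) + 1;                     \
        char *buf_ = __builtin_alloca(len_);             \
        copy_bounded(buf_, (s), len_);                   \
    })

/* Split one argument ("QS EX CHW") into capability names.  A writable copy is
 * needed because strtok_r modifies its input and parv[] is const. */
static int record_caps(const char *arg, char caps[][CAP_LEN], int n, int cap_max)
{
    char *t = LOCAL_COPY(arg);
    char *p = NULL;
    for (char *s = strtok_r(t, " ", &p); s != NULL && n < cap_max; s = strtok_r(NULL, " ", &p))
        copy_bounded(caps[n++], s, CAP_LEN);
    return n;
}

/* Vulnerable shape: assumes parv[1..parc-1] are all non-NULL strings. */
static int capab_unchecked(int parc, const char *parv[], char caps[][CAP_LEN], int cap_max)
{
    int n = 0;
    for (int i = 1; i < parc; i++)
        n = record_caps(parv[i], caps, n, cap_max); /* strlen(NULL) if parv[i] == NULL */
    return n;
}

/* Hardened shape (illustrative, not the upstream patch): validate every
 * argument slot before any of them reaches LOCAL_COPY; -1 means rejected. */
static int capab_checked(int parc, const char *parv[], char caps[][CAP_LEN], int cap_max)
{
    if (parv == NULL || parc < 2)
        return -1;
    for (int i = 1; i < parc; i++)
        if (parv[i] == NULL)
            return -1;
    return capab_unchecked(parc, parv, caps, cap_max);
}

static int capab_has(char caps[][CAP_LEN], int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(caps[i], name) == 0)
            return 1;
    return 0;
}

/* Constructed inputs: a well-formed CAPAB line and one with a NULL slot. */
static const char *good_parv[] = { "CAPAB", "QS EX CHW IE", "KLN TB" };
static const char *bad_parv[]  = { "CAPAB", NULL };

static int demo_wellformed_count(void)
{
    char caps[CAP_MAX][CAP_LEN];
    return capab_checked(3, good_parv, caps, CAP_MAX);
}

static int demo_wellformed_has(const char *name)
{
    char caps[CAP_MAX][CAP_LEN];
    int n = capab_checked(3, good_parv, caps, CAP_MAX);
    return capab_has(caps, n, name);
}

static int demo_malformed(void)
{
    char caps[CAP_MAX][CAP_LEN];
    return capab_checked(2, bad_parv, caps, CAP_MAX);
}

int main(void)
{
    printf("well-formed: %d capabilities, TB=%d\n", demo_wellformed_count(), demo_wellformed_has("TB"));
    printf("malformed: %d (rejected instead of crashing)\n", demo_malformed());
    /* capab_unchecked(2, bad_parv, ...) would evaluate strlen(NULL) and SIGSEGV. */
    return 0;
}
```

The point to take from the checked variant is ordering: the argument vector must be validated before the first LOCAL_COPY, because the macro's strlen() runs during buffer sizing, ahead of any check that could sit inside the tokenising loop. After patching, verify the fix the way the advisory suggests (/MODRESTART as an admin) and confirm the running module is the rebuilt one before assuming the server is no longer crashable from the network.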



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
