[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Charybdis: Improper assumptions in the server handshake code may lead to a remote cra
From:       Mustapha Rabiu <muztapha () gmail ! com>
Date:       2012-12-31 21:57:40
Message-ID: CACy=+Dvw4zOn1UVxbMRfS78GDp4jDmiVX918KWXqrCrzrMmsxw () mail ! gmail ! com
[Download RAW message or body]


Hi.


Can we get a CVE for the following

--

Access vector: network
Access complexity: low
Authentication requirement: none

Confidentiality impact: none
Integrity impact: none
Availability impact: complete

CVSSv2 temporal score: 6.4

Exploitability: functional exploit exists
Remediation level: official fix
Report confidence: confirmed

Summary:

All versions of Charybdis are vulnerable to a remotely-triggered crash bug
caused by code originating from ircd-ratbox 2.0.  (Incidentally, this means all
versions since ircd-ratbox 2.0 are also vulnerable.)

The bug has to do with server capability negotiation.  A malformed request will
trigger a crash due to invalid assumptions.

Mitigation:

A patch for all affected versions of ircd-ratbox and charybdis is available from
the charybdis GIT repository:
  https://github.com/atheme/charybdis/commit/ac0707aa61d9c20e9b09062294701567c9f41595.patch

To apply the patch, go to your IRCd source tree and run the following commands:
  $ patch -p1 < /path/to/downloaded/patchfile.patch
  $ make
  $ make install

Then you may hotfix the IRCd by running /MODRESTART as a server admin.

Details:

In ratbox-2, the following code was added to m_capab.c:
  char *t = LOCAL_COPY(parv[i]);

The other logic was then modified to make use of that stack-allocated
buffer rather
than the original.  LOCAL_COPY() is a macro which expands to alloca()
and strlcpy(),
and the bug effectively is caused by this expansion calling strlen(NULL).


--


Thanks.


Mustapha Rabiu


[prev in list] [next in list] [prev in thread] [next in thread]