
List:       oss-security
Subject:    [oss-security] CVE-XXX (quasselclient/quasselcore version 0.12.4): Heap Remote Code Execution and Nu
From:       nongiach nongiach <nongiach () gmail ! com>
Date:       2018-04-26 22:39:42
Message-ID: CABVn_oo4q7Re5N=n9gZ_bbM=-xbdk7MB3g2bKfRnrFf8Y3ryoA () mail ! gmail ! com


Hey,

Two vulnerabilities have been fixed in Quassel, an IRC connection
multiplexer: one of high severity and one of low severity. Both fixes
are public:
- the patches apply cleanly to the 0.12.4 sources
- the 0.12.5 release (Tuesday 24.04) includes these patches; distros were
notified under embargo.

==============================================
Vuln 1:
Title: quasselcore: heap metadata corruption via QDataStream deserialization,
leading to pre-auth remote code execution.
Severity: high. By default the core's listening port is publicly reachable,
and the core's address can be discovered with the IRC /WHOIS command.
Description: In the QDataStream protocol each serialized object is prefixed
with 4 bytes giving the object size; an attacker-controlled size can be used
to trigger allocation errors.
Source: void DataStreamPeer::processMessage(const QByteArray &msg),
datastreampeer.cpp line 62
CWE: CWE-120. A heap corruption exists in quasselcore 0.12.4 that allows a
remote attacker to execute code.
Patch: https://quassel-irc.org/pub/misc/0001-Implement-custom-deserializer-to-add-our-own-sanity-.patch
Screenshot PoC: https://i.imgur.com/JJ4QcNq.png
Credit: @chaign_c
Note: this vulnerability is not specific to QDataStream.
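The size-prefix problem described above, as an added example that is not Quassel's code: a plain C++ (no Qt) reader for QDataStream-style byte arrays, assuming the encoding is a 4-byte big-endian length followed by the payload, with 0xFFFFFFFF meaning a null array (that is how Qt serializes QByteArray; the function names, the 64 MiB ceiling and the sample messages are constructed for illustration). It places the naive reader, which sizes its allocation from the peer's prefix alone, beside a hardened reader that rejects any length the received message cannot back.

```cpp
// Added example, not quasselcore's code: length-prefixed deserialization in
// the style of QDataStream's QByteArray encoding (assumed: 4-byte big-endian
// length, then the payload; 0xFFFFFFFF denotes a null array).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Read a big-endian 32-bit value at 'pos'. Fails if fewer than 4 bytes remain.
static bool readU32BE(const Bytes& buf, size_t pos, uint32_t& out) {
    if (pos > buf.size() || buf.size() - pos < 4) return false;
    out = (uint32_t(buf[pos]) << 24) | (uint32_t(buf[pos + 1]) << 16) |
          (uint32_t(buf[pos + 2]) << 8) | uint32_t(buf[pos + 3]);
    return true;
}

// Naive reader: sizes the destination from the prefix alone, so the peer
// chooses the allocation. It returns the byte count it would request instead
// of allocating it, so the example runs without a multi-gigabyte malloc.
static uint64_t naiveRequestedSize(const Bytes& msg) {
    uint32_t len = 0;
    if (!readU32BE(msg, 0, len)) return 0;
    return len;  // e.g. 0xFFFFFFF0: a ~4 GiB request driven by 4 peer-supplied bytes
}

// Hardened reader: the declared length must be the null marker, or both under
// an explicit protocol ceiling and fully covered by bytes actually present.
static bool safeReadByteArray(const Bytes& msg, size_t& pos, size_t maxLen,
                              bool& isNull, Bytes& out) {
    uint32_t len = 0;
    if (!readU32BE(msg, pos, len)) return false;
    pos += 4;
    if (len == 0xFFFFFFFFu) { isNull = true; out.clear(); return true; }
    if (len > maxLen) return false;            // absurd size: reject before allocating
    if (len > msg.size() - pos) return false;  // truncated: prefix promises more than arrived
    // (compared this way rather than as pos + len to avoid overflow on the sum)
    isNull = false;
    out.assign(msg.begin() + pos, msg.begin() + pos + len);
    pos += len;
    return true;
}

// Assumed ceiling for one serialized object; a real protocol picks its own.
static const size_t kMaxObjectBytes = 64 * 1024 * 1024;

// Constructed sample messages (not captures from a real client).
static Bytes goodMessage()      { return {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'}; }
static Bytes nullMessage()      { return {0xFF, 0xFF, 0xFF, 0xFF}; }
static Bytes truncatedMessage() { return {0x00, 0x00, 0x00, 0x10, 'a', 'b', 'c'}; } // claims 16, carries 3
static Bytes hostileMessage()   { return {0xFF, 0xFF, 0xFF, 0xF0, 'a', 'b', 'c'}; } // claims ~4 GiB, carries 3

int main() {
    std::printf("naive reader would request %llu bytes for the hostile message\n",
                (unsigned long long)naiveRequestedSize(hostileMessage()));
    size_t pos = 0; bool isNull = false; Bytes out;
    bool ok = safeReadByteArray(hostileMessage(), pos, kMaxObjectBytes, isNull, out);
    std::printf("hardened reader accepts hostile message: %s\n", ok ? "yes" : "no");
    return 0;
}
```

The two checks in the hardened reader are deliberately separate: the ceiling stops a huge allocation even when the message is long enough to back it, and the bounds check stops a read past the received buffer even when the size looks modest.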

==============================================
Vuln 2:
Title: quasselcore pre-auth denial of service (NULL pointer dereference)
Severity: low; only affects a quasselcore that has not yet been configured.
Description: A login attempt made before the core is configured causes a
NULL pointer dereference, because the database backend is not yet initialized.
Source: void CoreAuthHandler::handle(const Login &msg),
coreauthhandler.cpp  line 235
CWE: CWE-476. A NULL pointer dereference in quasselcore 0.12.4 allows a
remote attacker to cause a denial of service.
Patch: https://quassel-irc.org/pub/misc/0002-Reject-clients-that-attempt-to-login-before-the-core.patch
Credit: @chaign_c

==============================================

With the lead developer's agreement, the PoC will be released at
https://github.com/nongiach/CVE/ one month from now.
A big thanks to the Quassel team for their quick responses and reaction.

CVE number assignment is ongoing.

Thanks.

