
List:       vulnwatch
Subject:    [VulnWatch] PTnet IRCD heap exhaustion and integer overflow
From:       yeah right <ficheironegro () gmail ! com>
Date:       2005-12-30 14:25:30
Message-ID: 9870a8150512300625j50f4a40dg () mail ! gmail ! com

["SA-0001.txt" (text/plain)]

Synopsis	: Potential heap exhaustion and an integer overflow
Product		: PTnet IRCD
Version		: 1.6, 1.5 (partially)
Date		: February, 3rd 2005
Author		: blackfile

 o introduction --

	The PTnet IRCD is a DALnet Dreamforge fork. This IRCD has been heavily
   modified to fit the network users' needs.
	Since version 1.5 only some channels have been locked as a security
   measure, but from version 1.6 onwards this locking has become
   problematic. Channels such as #PTnet, #PTnoticias and all #*.log
   channels are locked.
	Note: keep in mind that special privileges are needed to join these
   channels.

 o details --

	Since PTnet has a closed-source philosophy and I don't have access
   to either the IRCD's binary or its sources, I had to make some
   hard guesses and do some reverse engineering, so it is to be expected
   that some of my guesses and/or ideas about this problem may be wrong.
	When one attempts to join one of these charmed channels without being
   properly identified as an IRCOP, a warning is displayed
   (Permission denied- You do not have the proper IRC operator privileges).
   However, the channel is still opened with no one inside, so a few kilobytes of
   memory are allocated and, right after that, the integer that counts how many
   channels are open is incremented by one.  You can confirm that the
   channel is open by typing (/quote MODE #channel).
   
   Technical overview:

	See channel.c/m_join() :

	At the beginning of the for() loop there are a few conditions that
   check the channel name's length and other miscellaneous things.  Right
   after those tests another check is made to see whether the channel being
   joined is a charmed channel.  But instead of returning on that error,
   the loop is merely broken out of, the rest of the code is executed, and
   the channel is successfully opened with no one inside it.
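	To make the pattern concrete, the following is an added toy C model of
   the defect described above beside a corrected handler. It is not the PTnet
   or Dreamforge source (the author had no access to it); the struct, the
   helper names, the locked-channel rule (#PTnet, #PTnoticias, #*.log) and the
   comma-separated JOIN list are all assumptions. The defective version
   allocates the channel before the privilege check and then breaks out of the
   loop on denial, leaving an empty channel behind and bumping the open-channel
   counter; the corrected version authorizes first, so nothing is allocated on
   the deny path.

```c
/* Added example, not PTnet's or Dreamforge's code: a toy model of the
 * m_join() defect described above, beside a corrected version. Channel
 * names, the locked-channel rule and every helper name are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 64

struct channel {
    char name[NAME_MAX];
    int users;                  /* members currently inside */
    struct channel *next;
};

static struct channel *channels = NULL;
static int n_channels = 0;      /* the "how many channels are open" counter */

/* locked ("charmed") channels named in the advisory: #PTnet, #PTnoticias
 * and every #*.log (real IRC names are case-insensitive; exact match here) */
static int is_charmed(const char *name)
{
    size_t len = strlen(name);
    return !strcmp(name, "#PTnet") || !strcmp(name, "#PTnoticias") ||
           (len > 4 && !strcmp(name + len - 4, ".log"));
}

/* find a channel or allocate it: the memory the advisory says is reserved
 * every time a channel is opened, plus the counter bump */
static struct channel *get_channel(const char *name)
{
    struct channel *ch;
    for (ch = channels; ch; ch = ch->next)
        if (!strcmp(ch->name, name))
            return ch;
    if (!(ch = calloc(1, sizeof *ch))) {
        fputs("outofmemory(): restarting\n", stderr);   /* the impact case */
        exit(1);
    }
    snprintf(ch->name, sizeof ch->name, "%s", name);
    ch->next = channels;
    channels = ch;
    n_channels++;
    return ch;
}

int channel_count(void) { return n_channels; }

/* channels allocated with nobody inside: the leak the advisory describes */
int empty_channel_count(void)
{
    int n = 0;
    for (struct channel *ch = channels; ch; ch = ch->next)
        n += (ch->users == 0);
    return n;
}

void reset_channels(void)
{
    struct channel *next;
    for (; channels; channels = next) { next = channels->next; free(channels); }
    n_channels = 0;
}

/* Defective pattern: the channel is created before the privilege check and
 * the deny path breaks out of the loop without releasing it. Both versions
 * take a comma-separated JOIN list and return how many channels were entered. */
int vulnerable_join(int is_oper, const char *list)
{
    char buf[256], *name;
    int joined = 0;
    snprintf(buf, sizeof buf, "%s", list);
    for (name = strtok(buf, ","); name; name = strtok(NULL, ",")) {
        if (name[0] != '#' || strlen(name) >= NAME_MAX)
            continue;                               /* misc sanity checks */
        struct channel *ch = get_channel(name);     /* allocated, counted */
        if (is_charmed(name) && !is_oper)
            break;          /* "Permission denied" sent; empty channel stays allocated */
        ch->users++;
        joined++;
    }
    return joined;
}

/* Corrected pattern: authorize before allocating, and skip only the denied
 * name instead of abandoning the loop with a half-done join. */
int safe_join(int is_oper, const char *list)
{
    char buf[256], *name;
    int joined = 0;
    snprintf(buf, sizeof buf, "%s", list);
    for (name = strtok(buf, ","); name; name = strtok(NULL, ",")) {
        if (name[0] != '#' || strlen(name) >= NAME_MAX)
            continue;
        if (is_charmed(name) && !is_oper)
            continue;                               /* denied: nothing allocated */
        struct channel *ch = get_channel(name);
        ch->users++;
        joined++;
    }
    return joined;
}
```

   After `vulnerable_join(0, "#public,#test.log,#other")` the counter reads
   two channels although only one was entered, and `empty_channel_count()`
   reports the orphaned #test.log; `safe_join` with the same input enters two
   channels and leaves nothing empty. The general rule this illustrates is to
   perform authorization before any allocation and to release whatever was
   allocated on every error path, which is what a fix in m_join() would need.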

 o exploitation --

	Just create a bunch of bots and start opening random #*.log channels.

 o proof-of-concept --

	Soon.

 o impact --

	If properly exploited, the process runs out of heap space, which
   makes the IRCD call the outofmemory() function... which in turn
   leads to a hell-freezing restart.

 o disclaimer --

	This document may not be (re)distributed.  This file is released 
    "AS IS" without any kind of warranty.  The author may not be held
    responsible for anyone's misuse of this information and/or program(s).
	This information and/or source code is provided for educational
    purposes only.

 o vendor notification --

   None; due to their negligence towards the users, none will be made.

 o final notes --

	 Open your radio.  There are moths everywhere, I'm sure of it.

