lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <200307082231.45576.rob@anope.org>
Date: Tue, 8 Jul 2003 22:31:39 +0100
From: Rob <rob@...pe.org>
To: bugtraq@...urityfocus.com
Subject: Re: Unrealircd & Anope services - join segmentation fault in operserv.c


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 08 July 2003 8:14 am, Lethalman wrote:
> If an admin say this command: '/msg operserv raw
>
> :nickserv join #chan' NickServ join in that chan, ok.
>
> If the command was: '/msg operserv raw : join #chan'
> ircd go to SEGFAULT. Why?
*snip*

Anope's FAQ file (included with all .tar.gz's and on the CVS server) clearly 
stats:

30. When I used the OperServ RAW command, Anope and/or my network
    crashed, or did weird things! Please fix this bug!

        "That's not a bug, it's a feature."

        Have you ever typed /msg OperServ HELP RAW? It's clearly stated
        there that this command is dangerous and that its use may result
        in very bad things.

        And that's why this command has been disabled by default. If you
        enabled and used it, YOU'RE ON YOUR OWN. All help requests will
        be ignored, even if the problem happens not immediately.


And the example.conf file in both Anope 1.4.x and 1.5.x series have the 
following directive included by default:

# DisableRaw [RECOMMENDED]
#
# Disables the highly destructive OperServ RAW command.

DisableRaw


Even with this command enabled, its use is limited to services admins, who 
need to be both /oper'ed with the ircd, and identified to services before 
they can issue a command.  On a side note, there is also a config option to 
wallop the use of RAW to all other opers on the network, and its use is 
always logged in the log files.  

This "issue" can only be issued after a server has successfully connected to a 
network - passing all the authentication checks in the ircd - in this case 
Unreal - as such, it is not completely unreasonable for the ircd to assume it 
can "trust" the format of the messages, as user input is identified in the 
messages, as laid out in the RFC.  

I don't really see a big problem in ircd's saving some processing power by 
trusting messages from already authenticated server.

As for the solutions offered, its highly unlikely Anope will be filtering RAW 
commands, the whole point of them is to send a raw un-filtered message 
directly to the ircd.  We already make it close to impossible for someone to 
have RAW enabled and not know it could be destructive... 

p.s. - if you had contacted Anope at all before posting this, we could have 
told you this, and saved you the trouble of posting at all..... still 
notifying developers, at all, before a public announcement must be out of 
fashion this season or something  ;-)

- -- 
Rob - Anope developer 
irc.anope.org #anope

GnuPG key: 1024D/309586CA
Fingerprint: 952A 4EB9 CC81 F30A 35CF  D473 BF12 FD80 3095 86CA
Key available at http://pgp.mit.edu

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD4DBQE/CzhAvxL9gDCVhsoRAjTUAJiGsDaHekSfQsj8UQoCj5RhHS3uAKDNRyq8
v1AEzuGCYNO8AnGjB+Xz+g==
=XACj
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ