lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041110131046.GA21604@cecilija.zesoi.fer.hr>
Date: Wed, 10 Nov 2004 14:10:46 +0100
From: LSS Security <exposed@....hr>
To: bugtraq@...urityfocus.com
Subject: BNC 2.8.9 remote buffer overflow




			LSS Security Advisory #LSS-2004-11-3
			       http://security.lss.hr


---

Title		   :  BNC 2.8.9 remote buffer overflow
Advisory ID	   :  LSS-2004-11-3
Date		   :  November 10th, 2004 
Advisory URL:	   :  http://security.lss.hr/en/index.php?page=details&ID=LSS-2004-11-03 
Impact		   :  Remote code execution or DoS attack
Risk level	   :  High 
Vulnerability type :  Remote
Vendors contacted  :  www.gotbnc.com, November 7th, 2004 

---




===[ Overview 

BNC is an IRC (Internet Relay Chat) proxying server under the GPL. It 
allows users to connect to chat servers by bouncing off the computer which
is running BNC. Basically, it forwards the information from the user to the
server and vise versa. 



===[ Vulnerability

There is a buffer overflow vulnerability in getnickuserhost() function that
is called when BNC is processing response from some IRC server. When BNC is
connected to some IRC server, it will send 'USER' and 'NICK' command. Server
response is at some point processed with getnickuserhost() function. 

Vulnerable code:
----------------
int getnickuserhost(char **argv,char *buf,char *fix)
{
        int p,c;
        c=0;
        argv[0]=buf;

        for(p=0;buf[p];p++)
        {
                if(buf[p] == '!')
                {
                        buf[p]='\0';
                        fix[c++]='!';
                        argv[1]=&buf[p+1];
                }
                if(buf[p] == '@')
                {
                        buf[p]='\0';
                        fix[c++]='@';
                        argv[2]=&buf[p+1];
                }       
        }               
        return c;
}               
----------------

'buf' points to 512+1 bytes static buffer (in BSS segment) that contains
server response, and 'fix' points to 3 byte stack buffer. If there is '!' 
or '@' character in server response (buf), it will be written to 'fix'. 
Number of '!' and '@' characters that can be written to 'fix' isn't
limited, so it is possible to overflow it. 
Function getnickuserhost() is called from functions srv_nick() and 
ismenuh(), and ismenuh() is called from srv_part() and process_join(), so
there are few possible exploitation paths.

srv_nick() example:
----------------
int srv_nick(struct cliententry *cptr, char *prefix, int pargc, char 
**pargv)
{
        int p,repc,c,f;
        char repv[3];
        char *nuh[3];
	...
	c=strlen(prefix);

        repc = getnickuserhost(nuh, prefix, repv);
	...
        for(p=0;p<c;p++)
        {
                if( prefix[p] == '\0' )
                {
                        if(repc > 0)
                        {
                                prefix[p]=repv[f++];
                                repc--;
                        }
                }
        }
	...
----------------

Since stack can be overflowed just with '!' and '@' characters, it isn't
easy to exploit this vulnerability. It could be exploited with off-by-one
or off-by-two frame overflow, but some partial EIP overflow could also 
prove to be useful. It is also possible to overflow 'c' counter that could
have some impact later in 'for' loop. 



===[ Affected versions

Vulnerability has been discovered and tested on latest BNC 2.8.9, but older
versions are affected too. Vulnerability can be exploited if attacker 
tricks user to connect to his fake IRC server that will exploit this
vulnerability. If the attacker has access to BNC proxy server, this 
vulnerability can be used to gain shell access on machine where BNC proxy 
server is set.



===[ Fix

Vendor has released a patched version - bnc-2.9.0.

The source of the patched version can be downloaded from: 
http://www.gotbnc.com/files/bnc2.9.0.tar.gz



===[ PoC Exploit

Proof of concept code can be downloaded from http://security.lss.hr/en/PoC/

BNC status after PoC overflow:
----------------------
[root@...top bnc2.8.9]# gdb ./bnc 11313
...
Program received signal SIGSEGV, Segmentation fault.
0x21212121 in ?? ()
...
eax            0x1	1
ecx            0x30	48
edx            0x30	48
ebx            0x21212121	555819297
esp            0xbffff790	0xbffff790
ebp            0x21212121	0x21212121
esi            0x21212121	555819297
edi            0x21212121	555819297
eip            0x21212121	0x21212121
eflags         0x210246	2163270
...
----------------------
After PoC overflow, BNC daemon dies, and all users will be disconnected,
so this vulnerability can also be used as an DoS (Denial of Service) 
attack.



===[ Credits

Credits for this vulnerability goes to Leon Juranic. 



===[ LSS Security Contact
 
 LSS Security Team, <eXposed by LSS>
 
 WWW    : http://security.lss.hr
 E-mail : security@....hr
 Tel	: +385 1 6129 775
  



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ