lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 1 Jan 2013 02:02:21 +0400
From: Mustapha Rabiu <muztapha@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Charybdis: Improper assumptions in the server
 handshake code may lead to a remote crash. (CAPAB module)

>
>
>
> Access vector: network
> Access complexity: low
> Authentication requirement: none
>
> Confidentiality impact: none
> Integrity impact: none
> Availability impact: complete
>
> CVSSv2 temporal score: 6.4
>
> Exploitability: functional exploit exists
> Remediation level: official fix
> Report confidence: confirmed
>
> Summary:
>
> All versions of Charybdis are vulnerable to a remotely-triggered crash bug
> caused by code originating from ircd-ratbox 2.0.  (Incidentally, this means all
> versions since ircd-ratbox 2.0 are also vulnerable.)
>
> The bug has to do with server capability negotiation.  A malformed request will
> trigger a crash due to invalid assumptions.
>
> Mitigation:
>
> A patch for all affected versions of ircd-ratbox and charybdis is available from
> the charybdis GIT repository:
>   https://github.com/atheme/charybdis/commit/ac0707aa61d9c20e9b09062294701567c9f41595.patch
>
> To apply the patch, go to your IRCd source tree and run the following commands:
>   $ patch -p1 < /path/to/downloaded/patchfile.patch
>   $ make
>   $ make install
>
> Then you may hotfix the IRCd by running /MODRESTART as a server admin.
>
> Details:
>
> In ratbox-2, the following code was added to m_capab.c:
>   char *t = LOCAL_COPY(parv[i]);
>
> The other logic was then modified to make use of that stack-allocated buffer rather
> than the original.  LOCAL_COPY() is a macro which expands to alloca() and strlcpy(),
> and the bug effectively is caused by this expansion calling strlen(NULL).
>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ