
centericq_421_bo_06_063.txt

Posted Jul 11, 2007
Authored by Nico Leidecker | Site portcullis-security.com

Centericq version 4.21 on FreeBSD as well as the official sources have been found vulnerable to multiple buffer overflows.

tags | advisory, overflow
systems | freebsd
SHA-256 | 695f8d41c00f3dd190485927ef216e87f08348cdcb3ef1dd4e144206e4e61c15

Portcullis Security Advisory 06-063


Vulnerable System:

centericq


Vulnerability Title:

Centericq is vulnerable to multiple buffer overflows.


Vulnerability Discovery And Development:

Portcullis Security Testing Services discovered this vulnerability.
Further research was then carried out.


Credit for Discovery:

Nico Leidecker - Portcullis Computer Security Ltd.


Affected systems:

Version 4.21 on FreeBSD and the official sources were tested and found vulnerable.
Previous versions, and versions running on various Linux distributions, may also
be affected.

Details:

Centericq provides modules for several messaging and chat protocols. The
modules for Yahoo, LiveJournal, Jabber and IRC are vulnerable to multiple
buffer overflows, mainly when the user receives a notification message for
certain events. The following list identifies the events which have to take
place for a buffer overflow to become possible.

IRC Hook
- a user in the victim's contact list changes his nickname. The sum of the
lengths of his old and his new nickname has to be greater than 100.
- a user joins or leaves a channel and the length of his nickname and real
name is greater than 512.
- the victim obtains the IRC client information from another user. The
information length must be greater than 512 bytes.
- in the event message when a user is kicked from a channel and the length
of his username and the name of the op user is greater than 512.
- a third user or the victim is opped or deopped by an op, and the length of
the username and the op's name is greater than 512.

Untested buffer overflows in the following modules:

Jabber Hook

- the victim obtains the Jabber client information from another user. The
information length must be greater than 512 bytes.

LiveJournal Hook

- in the notification message when the attacker adds the victim to, or
removes him from, his friend list.

Yahoo Hook

- in the notification message when a user invites the victim to a
conference.
- if the attacker declines a conference invitation.
- a user joins or leaves a conference.
- a user is informed that he has received a new email. When the total length
of sender and subject is greater than 1024, a buffer overflow follows.

As an example:
One of the modules is an Internet Relay Chat (IRC) module. The centericq user
is notified of every nickname change by any user in his contact list, and the
change is logged to a file. However, only 100 bytes are allocated for the log
message, which includes both the old and the new username. Furthermore,
centericq fails to check the sizes of the usernames and therefore suffers from
a buffer overflow if the sum of the lengths of the old and new username is
greater than 40 (the format string covers the remaining 60 bytes). To get into
the victim's contact list, the attacker simply sends a message to the user; he
need not have joined any channel to do so. In the next step, the attacker
changes his nickname to another name that may include arbitrary code, which is
executed within the context of the running centericq. Official IRC servers may
not support usernames that are 20 bytes or longer; however, the attacker could
lead the victim to a server under his control to exploit these vulnerabilities.
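The defect described above is a fixed-size log buffer filled by an unbounded formatted write with no check on the nickname lengths. The following C is an added example (not centericq's code and not part of the advisory) that mirrors the stated layout, a 100-byte buffer and a format string with 60 bytes of fixed text, with a hypothetical template, and shows the bounded replacement rejecting oversize input instead of overflowing.

```c
#include <stdio.h>
#include <string.h>
/* Constructed to mirror the layout the advisory describes: a 100-byte log
 * buffer and a format string whose fixed text is 60 bytes; the template is
 * hypothetical, not centericq's. The vulnerable pattern is an unbounded
 * sprintf(buf, NICK_FMT, oldnick, newnick) into char buf[LOG_BUF_SIZE]. */
#define LOG_BUF_SIZE 100
static const char NICK_FMT[] =
    "[irc] notification: nickname changed for a contact: %s is now %s";

/* Bytes the formatted message needs, excluding the terminating NUL. */
static int nick_change_needed(const char *oldnick, const char *newnick)
{
    return snprintf(NULL, 0, NICK_FMT, oldnick, newnick);
}

/* Hardened write: bounded by bufsz, oversize input rejected rather than
 * truncated. Returns 0 on success, -1 (and an empty buf) if it does not fit. */
static int log_nick_change(char *buf, size_t bufsz,
                           const char *oldnick, const char *newnick)
{
    if (buf == NULL || bufsz == 0)
        return -1;
    int needed = snprintf(buf, bufsz, NICK_FMT, oldnick, newnick);
    if (needed < 0 || (size_t)needed >= bufsz) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Probe the length threshold with constructed nicknames ('A' * oldlen,
 * 'B' * newlen). Returns 1 if the change is logged, 0 if it is rejected. */
static int nick_change_fits(size_t oldlen, size_t newlen)
{
    char oldnick[256], newnick[256], buf[LOG_BUF_SIZE];
    if (oldlen >= sizeof oldnick || newlen >= sizeof newnick)
        return 0;
    memset(oldnick, 'A', oldlen); oldnick[oldlen] = '\0';
    memset(newnick, 'B', newlen); newnick[newlen] = '\0';
    return log_nick_change(buf, sizeof buf, oldnick, newnick) == 0;
}

int main(void)
{
    printf("sum 39 fits: %d, sum 40 fits: %d\n",
           nick_change_fits(39, 0), nick_change_fits(20, 20));
    return 0;
}
```

With 60 bytes of fixed text in a 100-byte buffer, a combined nickname length of 39 is the last that fits with its terminator; the bounded version turns everything beyond that into a logged failure rather than a write past the buffer.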


Impact:

The attacker could cause a denial of service or execute arbitrary code with
the user's privileges.


Exploit:

The proof of concept exploit code is available.


Vendor Status:

Contacted k@thekonst.net

e-mailed - 16th January 2007
e-mailed - 14th February 2007
e-mailed - 15th March 2007

Copyright:

Copyright © Portcullis Computer Security Limited 2005, All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.
