---------------------------------------------------------------------------
Web:    http://qb0x.net
Author: Gabriel A. Maggiotti
Date:   February 25, 2002
E-mail: gmaggiot@ciudad.com.ar
---------------------------------------------------------------------------

General Info
------------
Problem Type : Format String Vulnerability
Product      : Unreal irc server
Version      : tested in 3.1.1
Vendor       : www.unrealircd.org

Summary
-------
A security vulnerability has been found in the popular Unreal irc server.
Unreal3.1.1 has a format string vulnerability in the Cio_PrintF(...)
function. This function is in the /src/cio_main.c file.

Piece of code:

    va_start(argptr, InBuf);
    Len = vsprintf(Buffer, InBuf, argptr);
    va_end(argptr);

The problem is with InBuf: if %p.%p.%p.%n is written in InBuf, a segfault is
produced. The program crashes when it tries to copy the value of eax to the
address in edx.

SOLUTION:
Don't forget to use the proper format of vsprintf:

    int vprintf(const char *format, va_list ap);

---------------------------------------------------------------------------
research-list@qb0x.net is dedicated to interactively researching
vulnerabilities and reporting potential or undeveloped holes in any kind of
computer system. To subscribe to research-list@qb0x.net send a blank email
to research-list-subscribe@qb0x.net. More help is available by sending an
email to research-list-help@qb0x.net.
Note: the list doesn't allow html, it will be stripped from messages.
---------------------------------------------------------------------------
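
Added example (not part of the original advisory and not UnrealIRCd code): a bounded printf-style helper next to the caller-side rule that untrusted text is passed as a "%s" argument, never as the format string itself. The names bounded_printf, emit_untrusted and has_format_directive are hypothetical; the sample input is the string quoted in the advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style helper like Cio_PrintF():
 * vsnprintf() bounds the write; the attribute lets GCC/Clang check callers. */
__attribute__((format(printf, 3, 4)))
static int bounded_printf(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int len;

    if (outsz == 0) return -1;
    va_start(ap, fmt);
    len = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (len < 0) { out[0] = '\0'; return -1; }
    if ((size_t)len >= outsz) return (int)outsz - 1;  /* output was truncated */
    return len;                                       /* bytes stored in out */
}

/* Caller-side rule: untrusted text is data for "%s", never the format. */
static int emit_untrusted(char *out, size_t outsz, const char *untrusted)
{
    /* Vulnerable pattern would be: bounded_printf(out, outsz, untrusted); */
    return bounded_printf(out, outsz, "%s", untrusted);
}

/* Flag input that carries a conversion specifier, e.g. for logging. */
static int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[64];
    const char *input = "%p.%p.%p.%n";  /* sample string from the advisory */
    int n = emit_untrusted(buf, sizeof buf, input);
    printf("%d bytes: %s (directive=%d)\n", n, buf, has_format_directive(input));
    return 0;
}
```

Building with -Wformat -Wformat-security makes GCC and Clang warn when a non-literal string is passed as the format argument of a function annotated this way.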