LSS Security Advisory #LSS-2004-11-3 http://security.lss.hr --- Title : BNC 2.8.9 remote buffer overflow Advisory ID : LSS-2004-11-3 Date : November 10th, 2004 Advisory URL: : http://security.lss.hr/en/index.php?page=details&ID=LSS-2004-11-03 Impact : Remote code execution or DoS attack Risk level : High Vulnerability type : Remote Vendors contacted : www.gotbnc.com, November 7th, 2004 --- ===[ Overview BNC is an IRC (Internet Relay Chat) proxying server under the GPL. It allows users to connect to chat servers by bouncing off the computer which is running BNC. Basically, it forwards the information from the user to the server and vise versa. ===[ Vulnerability There is a buffer overflow vulnerability in getnickuserhost() function that is called when BNC is processing response from some IRC server. When BNC is connected to some IRC server, it will send 'USER' and 'NICK' command. Server response is at some point processed with getnickuserhost() function. Vulnerable code: ---------------- int getnickuserhost(char **argv,char *buf,char *fix) { int p,c; c=0; argv[0]=buf; for(p=0;buf[p];p++) { if(buf[p] == '!') { buf[p]='\0'; fix[c++]='!'; argv[1]=&buf[p+1]; } if(buf[p] == '@') { buf[p]='\0'; fix[c++]='@'; argv[2]=&buf[p+1]; } } return c; } ---------------- 'buf' points to 512+1 bytes static buffer (in BSS segment) that contains server response, and 'fix' points to 3 byte stack buffer. If there is '!' or '@' character in server response (buf), it will be written to 'fix'. Number of '!' and '@' characters that can be written to 'fix' isn't limited, so it is possible to overflow it. Function getnickuserhost() is called from functions srv_nick() and ismenuh(), and ismenuh() is called from srv_part() and process_join(), so there are few possible exploitation paths. srv_nick() example: ---------------- int srv_nick(struct cliententry *cptr, char *prefix, int pargc, char **pargv) { int p,repc,c,f; char repv[3]; char *nuh[3]; ... c=strlen(prefix); repc = getnickuserhost(nuh, prefix, repv); ... for(p=0;p 0) { prefix[p]=repv[f++]; repc--; } } } ... ---------------- Since stack can be overflowed just with '!' and '@' characters, it isn't easy to exploit this vulnerability. It could be exploited with off-by-one or off-by-two frame overflow, but some partial EIP overflow could also prove to be useful. It is also possible to overflow 'c' counter that could have some impact later in 'for' loop. ===[ Affected versions Vulnerability has been discovered and tested on latest BNC 2.8.9, but older versions are affected too. Vulnerability can be exploited if attacker tricks user to connect to his fake IRC server that will exploit this vulnerability. If the attacker has access to BNC proxy server, this vulnerability can be used to gain shell access on machine where BNC proxy server is set. ===[ Fix Vendor has released a patched version - bnc-2.9.0. The source of the patched version can be downloaded from: http://www.gotbnc.com/files/bnc2.9.0.tar.gz ===[ PoC Exploit Proof of concept code can be downloaded from http://security.lss.hr/en/PoC/ BNC status after PoC overflow: ---------------------- [root@laptop bnc2.8.9]# gdb ./bnc 11313 ... Program received signal SIGSEGV, Segmentation fault. 0x21212121 in ?? () ... eax 0x1 1 ecx 0x30 48 edx 0x30 48 ebx 0x21212121 555819297 esp 0xbffff790 0xbffff790 ebp 0x21212121 0x21212121 esi 0x21212121 555819297 edi 0x21212121 555819297 eip 0x21212121 0x21212121 eflags 0x210246 2163270 ... ---------------------- After PoC overflow, BNC daemon dies, and all users will be disconnected, so this vulnerability can also be used as an DoS (Denial of Service) attack. ===[ Credits Credits for this vulnerability goes to Leon Juranic. ===[ LSS Security Contact LSS Security Team, WWW : http://security.lss.hr E-mail : security@LSS.hr Tel : +385 1 6129 775